Exported Excel files

Advanced EPDR enables you to export the contextual telemetry associated with a process at the time an attack is detected by one of the advanced technologies of the security software. This telemetry is exported to an Excel file. For more information about this file, see section Details of blocked programs. To download it, click the icon in the upper-right corner of the Blocks by advanced security policies list page, and then select the Export list and details option. This downloads an Excel file with extended details of all threats on the list.

Field Description Values

Date

Action date.

Date

MD5

MD5 hash of the blocked file.

Character string

SHA-256

SHA-256 hash of the blocked file.

Character string

Policy

Name of the policy that blocked the file. Available in the Detections by advanced security policies list.

Character string

Threat

Threat name. Available in these lists:

  • Malware activity

  • PUP activity

  • Currently blocked programs being classified

  • History of blocked programs

Character string

User

User account under which the threat was run.

Character string

Computer

Name of the computer where the threat was detected.

Character string

Path

Threat name, device, and folder where the file is located on the user computer.

Character string

Accessed data

The threat accessed files located on the user computer. Available in these lists:

  • Malware activity

  • PUP activity

  • Currently blocked programs being classified

  • History of blocked programs

Binary value

Action

Action logged on the system.

  • Downloaded from

  • Communicates with

  • Accesses data

  • Accesses

  • Is accessed by

  • LSASS.EXE opens

  • LSASS.EXE is opened by

  • Is run by

  • Runs

  • Is created by

  • Creates

  • Is modified by

  • Modifies

  • Is loaded by

  • Loads

  • Is deleted by

  • Deletes

  • Is renamed by

  • Renames

  • Is killed by

  • Kills process

  • Process suspended

  • Creates remote thread

  • Thread injected by

  • Is opened by

  • Opens

  • Creates

  • Is created by

  • Creates key pointing to EXE file

  • Modifies key to point to EXE file

  • Tries to stop

  • Ended by

Command Line

Command-line parameters associated with the action.

Character string

Event date

Date and time when the event was logged on the customer computer.

Character string

Times

Number of times the action was executed. A single action executed several times consecutively appears only once in the list.

Numeric value

Path/URL/Registry Key/IP:Port

Action entity. It can have different values depending on the action type.

  • Registry Key: For actions that involve modifying the Windows registry.

  • IP:Port: For actions that involve communicating with a local or remote computer.

  • Path: For actions that involve accessing the computer hard disk.

  • URL: For actions that involve accessing a URL.

File Hash/Registry Value/Protocol-Direction/Description

This field complements the entity.

  • File Hash: For actions that involve accessing a file.

  • Registry Value: For actions that involve accessing the Windows registry.

  • Protocol-Direction: For actions that involve communicating with a local or remote computer. Possible values are:

    • TCP

    • UDP

    • Bidirectional

    • Unknown

  • Description

Trusted

Indicates whether the blocked file is digitally signed.

Binary value

Fields in the Detections by Advanced Security Policies_Details exported file
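The following Python sketch is an added example, not part of the product or its documentation. It shows one way to triage rows of the exported details file once they have been loaded as dictionaries keyed by the column names in the table above. The shortlist of actions to review first, the text patterns used to tell the four entity types apart, and the sample rows are all assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

ENTITY_COL = "Path/URL/Registry Key/IP:Port"

# Assumption: a triage shortlist picked for this example from the Action values
# the page lists; the product itself does not rank actions this way.
REVIEW_FIRST = {
    "LSASS.EXE is opened by", "Creates remote thread", "Thread injected by",
    "Creates key pointing to EXE file", "Modifies key to point to EXE file",
}

def entity_kind(value):
    """Guess the entity type from its text (heuristic; value formats are assumed)."""
    text = str(value).strip()
    if re.match(r"(?i)^(HKEY_|HKLM\\|HKCU\\|HKU\\|HKCR\\)", text):
        return "Registry Key"
    if re.match(r"(?i)^[a-z][a-z0-9+.\-]*://", text):
        return "URL"
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit() and int(port) <= 65535:
        try:
            ipaddress.ip_address(host.strip("[]"))
            return "IP:Port"
        except ValueError:
            pass  # not an IP literal, e.g. a drive letter such as "C:"
    return "Path"

def triage(rows):
    """Group shortlisted actions by Computer, most repeated (Times) first."""
    by_computer = defaultdict(list)
    for row in rows:
        if row["Action"] in REVIEW_FIRST:
            by_computer[row["Computer"]].append(
                {"action": row["Action"], "kind": entity_kind(row[ENTITY_COL]),
                 "entity": row[ENTITY_COL], "times": int(row["Times"])})
    for hits in by_computer.values():
        hits.sort(key=lambda h: h["times"], reverse=True)
    return dict(by_computer)

# Constructed sample rows (not real telemetry), using the exported column names.
SAMPLE_ROWS = [
    {"Computer": "WS-01", "Action": "Communicates with", ENTITY_COL: "203.0.113.10:443", "Times": 3},
    {"Computer": "WS-01", "Action": "Creates key pointing to EXE file",
     ENTITY_COL: r"HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Startup", "Times": 1},
    {"Computer": "WS-01", "Action": "Creates remote thread",
     ENTITY_COL: r"C:\Program Files\Example\app.exe", "Times": 4},
    {"Computer": "WS-02", "Action": "Downloaded from", ENTITY_COL: "https://example.com/setup.exe", "Times": 1},
    {"Computer": "WS-02", "Action": "LSASS.EXE is opened by", ENTITY_COL: r"C:\Users\Public\tool.exe", "Times": 2},
]
```

Calling `triage(SAMPLE_ROWS)` returns the shortlisted actions per computer, each tagged with the inferred entity type, so an analyst can start with the hosts and actions that repeat most often.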