Fields in the Events Received by Cytomic Orion

This table lists all the fields included in the events stored by Cytomic Orion, along with their meaning, their data type and, for enumerations, their possible values.

Field | Description | Field Type

accountid

Client ID.

Character string

accesstype

File access mask:

  • (54) WMI_CREATEPROC: Local WMI.

For all other operations:

Bitmask

accnube

Indicates whether the agent installed on the client’s computer can reach the Cytomic cloud.

Boolean

action

Type of action taken by the Cytomic EDR or Cytomic EPDR agent, by the user, or by the affected process:

  • 0 (Allow): The agent allowed the process to run.

  • 1 (Block): The agent blocked the process from running.

  • 2 (BlockTimeout): The agent displayed a pop-up message to the user but the user did not respond in time.

  • 3 (AllowWL): The agent allowed the process to run because it is on the local goodware allowlist.

  • 4 (BlockBL): The agent blocked the process from running because it is on the local malware blocklist.

  • 5 (Disinfect): The agent disinfected the process.

  • 6 (Delete): The agent classified the process as malware and deleted it because it could not be disinfected.

  • 7 (Quarantine): The agent classified the process as malware and moved it to the quarantine folder on the computer.

  • 8 (AllowByUser): The agent displayed a pop-up message to the user and the user responded with ‘Allow execution’.

  • 9 (Informed): The agent displayed a pop-up message to the user.

  • 10 (Unquarantine): The agent removed the file from the quarantine folder.

  • 11 (Rename): The agent renamed the file. This action is used only for testing.

  • 12 (BlockURL): The agent blocked the URL.

  • 13 (KillProcess): The agent closed the process.

  • 14 (BlockExploit): The agent stopped an attempt to exploit a vulnerable process.

  • 15 (ExploitAllowByUser): The user did not allow the exploited process to be closed.

  • 16 (RebootNeeded): The agent requires that the computer be rebooted to block the exploit attempt.

  • 17 (ExploitInformed): The agent displayed a pop-up message to the user, reporting an attempt to exploit a vulnerable process.

  • 18 (AllowSonGWInstaller): The agent allowed the process to run because it belongs to an installation package classified as goodware.

  • 19 (EmbebedInformed): The agent sent internal operation information to the cloud to improve detection routines.

  • 21 (SuspendProcess): The monitored process tried to suspend the antivirus service.

  • 22 (ModifyDiskResource): The monitored process tried to modify a resource protected by the agent shield.

  • 23 (ModifyRegistry): The monitored process tried to modify a registry key protected by the agent shield.

  • 24 (RenameRegistry): The monitored process tried to rename a registry key protected by the agent shield.

  • 25 (ModifyMarkFile): The monitored process tried to modify a file protected by the agent shield.

  • 26 (UncertainAction): Error monitoring the process operation.

  • 28 (AllowFGW): The agent allowed the operation performed by the monitored process because it is on the local goodware allowlist.

  • 29 (AllowSWAuthorized): The agent allowed the operation performed by the monitored process because the administrator marked the file as authorized software.

  • 30 (InformNewPE): The agent reported the appearance of a new file on the computer because the Drag and Drop feature is turned on in Cytomic Data Watch.

  • 31 (ExploitAllowByAdmin): The agent allowed the operation performed by the monitored process because the network administrator excluded the exploit.

  • 32 (IPBlocked): The agent blocked IPs to mitigate an RDP (Remote Desktop Protocol) attack.

  • 33 (AllowSonMsiGW): The file is allowed to run because it is from a signed installer.

  • 34 (IsolateHost): Isolates a computer through a command from the management console.

  • 35 (RDPOff): Ends the isolation that was in response to an RDP attack.

  • 36 (UNisolateHost): Ends the isolation of a computer through a command from the management console.

  • 37 (Allowed by Global Audit): The item is allowed because the security software is configured in Audit mode.

Enumeration

actiontype

Indicates the session type:

  • 0 (Login): Login on the client’s computer.

  • 1 (Logout): Logout on the client’s computer.

  • -1 (Unknown): Unable to determine session type.

Enumeration

advancedrulesconf

Cytomic EDR or Cytomic EPDR advanced security policy settings.

Character string

age

Date the file was last modified.

Date

alertdatetime

UTC date when the event that triggered the indicator occurred on the client’s computer. Information regarding the time is included. To understand this field, see pandatimestatus.

Date

alprotocoldetected

Application level protocol detected in the connection or one of these values:

  • 0 (NNS_AL_PROTOCOL_UNKNOWN): Could not determine the protocol.

  • 1 (NNS_AL_PROTOCOL_PENDING): Analyzing the application protocol to determine the type.

Enumeration

alprotocolexpected

Application level protocol expected according to the connection port or one of these values:

  • 0 (NNS_AL_PROTOCOL_UNKNOWN): Could not determine the protocol.

  • 1 (NNS_AL_PROTOCOL_PENDING): Analyzing the application protocol to determine the type.

Enumeration

analysistime

Time elapsed analyzing the file.

Character string

attackerDeviceId

Identifier of the device that connected to a computer protected by Endpoint Access Enforcement.

Character string

blockreason

Reason for the pop-up message displayed on the computer:

  • 0: The file was blocked because it is unknown and the Cytomic EPDR or Cytomic EDR advanced protection mode is set to Hardening or Lock.

  • 1: The file was blocked by local rules.

  • 2: The file was blocked because the source is untrusted.

  • 3: The file was blocked by a context rule.

  • 4: The file was blocked because it is an exploit.

  • 5: The file was blocked after asking the user to close the process.

  • 6: Malware was blocked on Linux / macOS.

Enumeration

bytesreceived

Total bytes received by the monitored process.

Numeric value

bytessent

Total bytes sent by the monitored process.

Numeric value

callstack

See childfilesize.

Numeric value

childattributes

Attributes of the child process:

  • 0x0000000000000001 (ISINSTALLER): Self-extracting (SFX) file.

  • 0x0000000000000002 (ISDRIVER): Driver-type file.

  • 0x0000000000000008 (ISRESOURCESDLL): Resource DLL-type file.

  • 0x0000000000000010 (EXTERNAL): File from outside the computer.

  • 0x0000000000000020 (ISFRESHUNK): File recently added to the Cytomic knowledge base.

  • 0x0000000000000040 (ISDISSINFECTABLE): File for which there is a recommended disinfection action.

  • 0x0000000000000080 (DETEVENT_DISCARD): The event-based context detection technology did not detect anything suspicious.

  • 0x0000000000000100 (WAITED_FOR_VINDEX): Execution of a file whose creation had not been registered.

  • 0x0000000000000200 (ISACTIONSEND): The local technologies did not detect malware in the file and it was sent to Cytomic for classification.

  • 0x0000000000000400 (ISLANSHARED): File stored on a network drive.

  • 0x0000000000000800 (USERALLOWUNK): File with permission to import unknown DLLs.

  • 0x0000000000001000 (ISSESIONREMOTE): Event originating from a remote session.

  • 0x0000000000002000 (LOADLIB_TIMEOUT): The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

  • 0x0000000000004000 (ISPE): Executable file.

  • 0x0000000000008000 (ISNOPE): Non-executable file.

  • 0x0000000000020000 (NOSHELL): The agent did not detect the execution of a shell command on the system.

  • 0x0000000000080000 (ISNETNATIVE): NET Native file.

  • 0x0000000000100000 (ISSERIALIZER): Serializer file.

  • 0x0000000000200000 (PANDEX): File included in the list of processes created by Cytomic Patch.

  • 0x0000000000400000 (SONOFGWINSTALLER): File created by an installer classified as goodware.

  • 0x0000000000800000 (PROCESS_EXCLUDED): File not scanned because of the Cytomic Orion exclusions.

  • 0x0000000001000000 (INTERCEPTION_TXF): The intercepted operation was originated by an executable whose image on the disk is being modified.

  • 0x0000000002000000 (HASMACROS): Microsoft Office document with macros.

  • 0x0000000008000000 (ISPEARM): Executable file for ARM microprocessors.

  • 0x0000000010000000 (ISDYNFILTERED): The file was allowed on the computer because there are no technologies to classify it.

  • 0x0000000020000000 (ISDISINFECTED): The file was disinfected.

  • 0x0000000040000000 (PROCESSLOST): The operation was not logged.

  • 0x0000000080000000 (OPERATION_LOST): Operation with a pre-scan report for which the post-scan report has not been received yet.

  • 0x0000002000000000 (SAFE_BOOT_MODE): The computer started in Safe Mode.

  • 0x0000004000000000 (PANDA_SIGNED): File signed by Panda Security.

Enumeration
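The attribute mask above (shared by childattributes and parentattributes) is a 64-bit bitmask; several of its bits are exactly what a triage rule wants to test together, for example a new executable that arrived from outside the computer and is not yet known to the Cytomic knowledge base. The following decoder is an added example written for this page, not Cytomic’s own code. It accepts the mask as an integer, a decimal string or a 0x-prefixed hex string, reports undocumented bits separately, and applies a triage rule of our own (the rule, and the sample value, are constructed for the example):

```python
# Added example for this page (not Cytomic's own code): decode the
# childattributes / parentattributes mask and apply a triage rule of our own.

CHILD_ATTRIBUTE_FLAGS = {
    0x0000000000000001: "ISINSTALLER",
    0x0000000000000002: "ISDRIVER",
    0x0000000000000008: "ISRESOURCESDLL",
    0x0000000000000010: "EXTERNAL",
    0x0000000000000020: "ISFRESHUNK",
    0x0000000000000040: "ISDISSINFECTABLE",
    0x0000000000000080: "DETEVENT_DISCARD",
    0x0000000000000100: "WAITED_FOR_VINDEX",
    0x0000000000000200: "ISACTIONSEND",
    0x0000000000000400: "ISLANSHARED",
    0x0000000000000800: "USERALLOWUNK",
    0x0000000000001000: "ISSESIONREMOTE",
    0x0000000000002000: "LOADLIB_TIMEOUT",
    0x0000000000004000: "ISPE",
    0x0000000000008000: "ISNOPE",
    0x0000000000020000: "NOSHELL",
    0x0000000000080000: "ISNETNATIVE",
    0x0000000000100000: "ISSERIALIZER",
    0x0000000000200000: "PANDEX",
    0x0000000000400000: "SONOFGWINSTALLER",
    0x0000000000800000: "PROCESS_EXCLUDED",
    0x0000000001000000: "INTERCEPTION_TXF",
    0x0000000002000000: "HASMACROS",
    0x0000000008000000: "ISPEARM",
    0x0000000010000000: "ISDYNFILTERED",
    0x0000000020000000: "ISDISINFECTED",
    0x0000000040000000: "PROCESSLOST",
    0x0000000080000000: "OPERATION_LOST",
    0x0000002000000000: "SAFE_BOOT_MODE",
    0x0000004000000000: "PANDA_SIGNED",
}

ALL_KNOWN_BITS = 0
for _bit in CHILD_ATTRIBUTE_FLAGS:
    ALL_KNOWN_BITS |= _bit

ISPE, EXTERNAL, ISFRESHUNK = 0x4000, 0x10, 0x20
PANDA_SIGNED, PROCESS_EXCLUDED = 0x0000004000000000, 0x800000


def parse_attribute_mask(value):
    """Accept an int, a decimal string, or a 0x-prefixed hex string. A negative
    value (a signed 64-bit export) is reinterpreted as unsigned."""
    if isinstance(value, int):
        mask = value
    else:
        text = str(value).strip()
        mask = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    return mask & ((1 << 64) - 1)


def decode_attributes(value):
    """Return (sorted names of the flags set, undocumented bits that are set)."""
    mask = parse_attribute_mask(value)
    names = sorted(name for bit, name in CHILD_ATTRIBUTE_FLAGS.items() if mask & bit)
    return names, mask & ~ALL_KNOWN_BITS


def is_fresh_external_executable(value):
    """Triage rule (ours, not a product rule): an executable that arrived from
    outside the computer, is new to the Cytomic knowledge base, and is neither
    signed by Panda Security nor excluded from scanning."""
    mask = parse_attribute_mask(value)
    required = ISPE | EXTERNAL | ISFRESHUNK
    return (mask & required) == required and not (mask & (PANDA_SIGNED | PROCESS_EXCLUDED))


# Constructed sample value: ISPE | EXTERNAL | ISFRESHUNK.
SAMPLE_CHILDATTRIBUTES = "0x4030"
```

Bits the table does not document are returned separately rather than silently dropped, so a new agent version that sets an unknown bit shows up in the output instead of being mistaken for a clean mask.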

childattmask

See childattributes.  

childblake

Blake2 signature of the child file.

Character string

childclassification

Classification of the child process that performed the logged action.

  • 0 (Unknown): File in the process of classification.

  • 1 (Goodware): File classified as goodware.

  • 2 (Malware): File classified as malware.

  • 3 (Suspect): The file is in the process of classification and it is highly likely to be malware.

  • 4 (Compromised): Process compromised by an exploit attack.

  • 5 (GWNotConfirmed): The file is in the process of classification and it is highly likely to be goodware.

  • 6 (Pup): File classified as an unwanted program.

  • 7 (GwUnwanted): Equivalent to PUP.

  • 8 (GwRanked): Process classified as goodware.

  • -1 (Unknown)

Enumeration

childdrive

   

childfilename

Child process name.

Character string

childfilesize

Size of the child file logged by the agent.

Numeric value

childfiletime

Date of the child file logged by the agent.

Date

childfirstseen

Date the file was first seen.

Date

childmd5

Child file hash.

Character string

childpath

Path of the child file that performed the logged operation.

Character string

ChildPID

Child process ID.

Numeric value

childsha256

SHA256 signature of the child process that performed the operation.

Character string

childstatus

Child process status.

  • 0 (StatusOk): Status OK.

  • 1 (NotFound): Item not found.

  • 2 (UnexpectedError): Unknown error.

  • 3 (StaticFiltered): File identified as malware using static information contained in the Cytomic EDR or Cytomic EPDR protection.

  • 4 (DynamicFiltered): File identified as malware using local technology implemented in Cytomic EDR or Cytomic EPDR.

  • 5 (FileIsTooBig): File too big.

  • 6 (PEUploadNotAllowed): File upload is disabled.

  • 11 (FileWasUploaded): File sent to the cloud for analysis.

  • 12 (FiletypeFiltered): Resource DLL, NET Native, or Serializer-type file.

  • 13 (NotUploadGWLocal): Goodware file not saved to the cloud.

  • 14 (NotUploadMWdisinfect): Disinfected malware file not saved to the cloud.

Enumeration

childurl

File download URL.

See url.

Character string

ciphertype

Cipher suite negotiated for the SSL/TLS (HTTPS) connection, for example TLS_RSA_WITH_AES_128_GCM_SHA256.

Character string

classname

Type of device where the process resides. It corresponds to the class specified in the .INF file associated with the device.

Character string

commandline

Command line configured as a task to be run through WMI.

Character string

confadvancedrules

See advancedrulesconf.

Character string

configservicelevel

Agent execution mode configuration. This can be temporarily different from the execution mode in progress.

See servicelevel

Enumeration

configstring

See extendedinfo.

Character string

connectionstate

Connection status notified.

  • 0 (E_NNS_CONNECTION_STATE_UNKNOWN): Unknown connection status.

  • 1 (E_NNS_CONNECTION_STATE_ESTABLISHED): Connection established.

  • 2 (E_NNS_CONNECTION_STATE_FAILED): Failed connection attempt.

  • 3 (E_NNS_CONNECTION_STATE_DENIED_BY_FW): Connection denied by the firewall or other security software technology.

Enumeration

contentencoding

Encoding used in the content of the HTTP connection.

See https://www.iana.org/assignments/http-parameters/http-parameters.xml

Character string

copy

Name of the service that triggered the event.

Character string

datacontanier

Unique name of the object within the WMI hierarchy.

Character string

date

UTC date when the event occurred on the client’s computer. No information regarding the time is included. To understand this field, see pandatimestatus.

Numeric value

datetime

UTC date when the event occurred on the client’s computer. Information regarding the time is included. To understand this field, see pandatimestatus.

Numeric value

description

See extendedinfo.

Character string

destinationip

IP address of the target computer in a network connection scanned by Network Attack Protection.

IP address

destinationport

Port of the target computer in a network connection scanned by Network Attack Protection.

Numeric value

details

Summary in the form of a group of relevant fields from the event.

eventtype 1 (ProcessOps)

Contains the commandline field.

eventtype 14 (Download)

Contains the url field.

eventtype 22 (NetworkOps)

Contains the direction, ipv4status, protocol, and remoteport fields.

eventtype 27 (RegistryOps)

Contains the valuedata field.

eventtype 31 (ScriptLaunch)

Contains the commandline field.

eventtype 46 (DnsOps)

Contains the domainlist field.

eventtype 47 (DeviceOps)

Contains the devicetype field.

eventtype 50 (UserNotification)

Contains the parentfilename field.

eventtype 52 (LoginOutOp)

Contains the eventtype, sessiontype, loggeduser, remotemachinename, and remoteip fields.

eventtype 99 (RemediationOps)

Contains the remoteip, remotemachinename, commandline, and detectionid fields.

eventtype 555 (IOA)

Contains the extendedinfo field.

Character string

detectionid

Unique identifier of the detection.

Character string

deviceid

See attackerDeviceId.

Numeric value

devicetype

Type of drive where the process or file that triggered the operation resides.

  • 0 (UNKNOWN): Unknown.

  • 1 (CD_DVD): CD or DVD drive.

  • 2 (USB_STORAGE): USB storage device.

  • 3 (IMAGE): Image file.

  • 4 (BLUETOOTH): Bluetooth device.

  • 5 (MODEM): Modem.

  • 6 (USB_PRINTER): USB printer.

  • 7 (PHONE): Mobile phone.

  • 8 (KEYBOARD): Keyboard.

  • 9 (HID): Mouse.

Enumeration

direction

eventtype 22 (NetworkOps):

Network connection direction.

  • 0 (UnKnown): Unknown.

  • 1 (Incoming): Connection established from outside the network to a computer on the client’s network.

  • 2 (Outgoing): Connection established from a computer on the client’s network to a computer outside the network.

  • 3 (Bidirectional): Bidirectional.

eventtype 99 (RemediationOps) - napdirection

Network connection direction. Takes the same values as for eventtype 22 (NetworkOps) above.

Enumeration

domainlist

See list.

 

entropy

Entropy of the POST message content to classify the likelihood of data theft and extraction.

Character string

entropia

See entropy.

Numeric value

errorcode

Error code returned by the operating system when a login attempt fails. The values are Windows NTSTATUS codes with the sign of the 32-bit value dropped: 1073741724 is -1073741724 as a signed 32-bit integer, that is, 0xC0000064 (STATUS_NO_SUCH_USER).

  • 1073741724 (Invalid username): The user name does not exist.

  • 1073741730 (Login server is unavailable): The server required to validate the login is not available.

  • 1073741718 (Invalid password): The user name is correct but the password is incorrect.

  • 1073741715 (Invalid username or authentication info): The user name or the authentication information is wrong.

  • 1073741714 (Invalid username or password): Unknown user name or wrong password.

  • 1073741260 (Account blocked): Access blocked.

  • 1073741710 (Account disabled): Account disabled.

  • 1073741713 (User account day restriction): An attempt was made to log in at a restricted time.

  • 1073741712 (Invalid workstation for login): An attempt was made to log in from an unauthorized computer.

  • 1073741604 (Sam server is invalid): The validation server has failed. Cannot perform operation.

  • 1073741421 (Account expired): The account has expired.

  • 1073741711 (Password expired): The password has expired.

  • 1073741517 (Clock difference is too big): The connected computers’ clocks are too far out of sync.

  • 1073741276 (Password change required on reboot): The user password must be changed on next boot.

  • 1073741275 (Windows error (no risk)): A bug in Windows and not a risk.

  • 1073741428 (Domains trust failed): The login request failed because the trust relationship between the primary domain and the trusted domain failed.

  • 1073741422 (Netlogon not initialized): An attempt was made to log in, but the Netlogon service was not started.

  • 1073741074 (Session start error): An error occurred during login.

  • 1073740781 (Firewall protected): The computer you are logging in to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.

  • 1073741477 (Invalid permission): The user has requested a type of login that has not been granted.

Enumeration
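Because these values are NTSTATUS codes with the sign dropped, the first thing a detection needs is to normalise errorcode back to the familiar 0xC0000xxx form; the status then separates username enumeration (STATUS_NO_SUCH_USER against many names) from brute force (bad passwords against one name) and password spraying (bad passwords against many names). The following is an added example written for this page, not Cytomic’s code. The eventtype 52 records are constructed inline; the remoteip and loggeduser field names are those listed for eventtype 52 under the details field; the NTSTATUS names are the standard Windows ones, and the thresholds are the example’s own:

```python
# Added example (not Cytomic's own code). errorcode carries the Windows NTSTATUS
# of the failed logon with the sign of the 32-bit value dropped: 1073741724 is
# -1073741724 as int32, i.e. 0xC0000064 (STATUS_NO_SUCH_USER). Normalise it,
# then use the status to tell enumeration, brute force and spraying apart.
from collections import defaultdict

NTSTATUS_NAMES = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC000018C: "STATUS_TRUSTED_DOMAIN_FAILURE",
    0xC0000192: "STATUS_NETLOGON_NOT_STARTED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000413: "STATUS_AUTHENTICATION_FIREWALL_FAILED",
}

STATUS_NO_SUCH_USER = 0xC0000064
BAD_PASSWORD = {0xC000006A, 0xC000006D}  # WRONG_PASSWORD, LOGON_FAILURE


def errorcode_to_ntstatus(code):
    """Accept 1073741724 (sign dropped), -1073741724 (signed) or 3221225572
    (unsigned) and return the unsigned 32-bit NTSTATUS, here 0xC0000064.
    Every code in this field is a 0xC... error, so a positive value below
    0x80000000 can only be a magnitude whose sign bit was lost."""
    code = int(code)
    if 0 <= code < 0x80000000:
        code = -code
    return code & 0xFFFFFFFF


def ntstatus_name(code):
    status = errorcode_to_ntstatus(code)
    return NTSTATUS_NAMES.get(status, f"0x{status:08X}")


def classify_failed_logons(events, threshold=5):
    """Group eventtype 52 records with an errorcode by remoteip and label the
    pattern seen from each source. Thresholds are the example's own."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev.get("eventtype") != 52 or ev.get("errorcode") in (None, 0):
            continue
        per_ip[ev["remoteip"]].append(
            (ev["loggeduser"], errorcode_to_ntstatus(ev["errorcode"])))
    verdicts = {}
    for ip, attempts in per_ip.items():
        if len(attempts) < threshold:
            continue
        users = {user for user, _ in attempts}
        no_such_user = sum(1 for _, st in attempts if st == STATUS_NO_SUCH_USER)
        bad_password = sum(1 for _, st in attempts if st in BAD_PASSWORD)
        if no_such_user >= threshold and len(users) >= threshold:
            verdicts[ip] = "username_enumeration"
        elif bad_password >= threshold and len(users) == 1:
            verdicts[ip] = "brute_force"
        elif bad_password >= threshold and len(users) >= threshold:
            verdicts[ip] = "password_spray"
    return verdicts


# Constructed sample records; the errorcode sign varies on purpose to show
# that all three encodings normalise to the same NTSTATUS.
SAMPLE_LOGON_EVENTS = [
    *[{"eventtype": 52, "remoteip": "10.0.0.7", "loggeduser": f"user{i}",
       "errorcode": 1073741724} for i in range(6)],
    *[{"eventtype": 52, "remoteip": "10.0.0.9", "loggeduser": "admin",
       "errorcode": 1073741718} for _ in range(8)],
    *[{"eventtype": 52, "remoteip": "10.0.0.11", "loggeduser": f"emp{i}",
       "errorcode": -1073741715} for i in range(7)],
    {"eventtype": 52, "remoteip": "10.0.0.5", "loggeduser": "bob",
     "errorcode": 3221225572},
]
```

Alerting on the raw decimal value is fragile: the same failure can reach a SIEM as 1073741724, -1073741724 or 3221225572 depending on which integer width the exporter used, and normalising first keeps one rule matching all three.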

errorevent

See extendedinfo.

Character string

errorstring

See extendedinfo.

Character string

eventtype

Event type logged by the agent.

  • 1 (ProcessOps): The process performed operations on the computer hard disk.

  • 14 (Download): The process downloaded data.

  • 15 (HostsFileModification): The process modified the Hosts file on Windows systems.

  • 22 (NetworkOps): The process performed network operations.

  • 25 (EventNotBlocked): The item was not blocked because the computer was starting up.

  • 26 (DataAccess): The process accessed data files hosted on internal mass-storage devices.

  • 27 (RegistryOps): The process accessed the Windows Registry.

  • 30 (ScriptOps): Operation performed by a script-type process.

  • 31 (ScriptLaunch): Launch of a script-type process.

  • 40 (Detection): Detection made by Cytomic EDR active protections.

  • 42 (BandwidthUsage): Volume of information handled in each data transfer operation performed by the process.

  • 45 (SystemOps): Operation performed by the Windows operating system WMI engine.

  • 46 (DnsOps): The process accessed the DNS name server.

  • 47 (DeviceOps): The process accessed an external device.

  • 50 (UserNotification): Notification displayed to the user and response (if any).

  • 52 (LoginOutOps): Login or logout operation performed by the user.

  • 99 (RemediationOps): Detection, blocking, and disinfection events from the Cytomic EDR or Cytomic EPDR agent.

  • 100 (HeaderEvent): Administrative event with information about the protection software settings and version, as well as computer and client information.

  • 199 (HiddenAction): Detection event that did not trigger an alert.

  • 555 (IOA): IOA generation event.

Enumeration

evidencedatetime

   

exploitorigin

Origin of the process exploit attempt.

  • 1 (URL): URL address.

  • 2 (FILE): File.

Enumeration

extendedinfo

eventtype 1 (ProcessOps) - errorstrings:

Character string with debug information on the security product settings.

When the operation field of an event is DirCreate, CMOpened, or CMPCreat, the errorstring field also acts as an event grouping counter:

In any one-hour period, the first 50 events of a type are logged individually. Once that limit is reached, further events of the same type are grouped and held back until the first event of that type in the next one-hour period. That event is then sent with the errorstring field reporting the grouped events together with the first 50, and the counter is reset.

eventtype 26 (DataAccess):

  • Version of the MVMF.xml file in use (M0, M1, M2, etc.)

eventtype 27 (RegistryOps):

  • Version of the PSNMVMF.dat file in use (M0, M1, M2, etc.)

eventtype 40 (Detection) - infodiscard:

Quarantine file internal information.

eventtype 45 (SystemOps):

Additional information about Type events:

    • 1 (Active script event creation): Name and path of the executed script.

    • 6 (Add user group): Group SID.

    • 7 (Delete user group): Group SID.

    • 8 (User group admin): Group SID.

    • 9 (User group rdp): Group SID.

    • 14 (Login attemp): Logon Process field of the Windows event viewer.

    • 15 (Scheduler tasks): String with details of the task created (LogonProcess, LogonType, LogonAuthType, TaskOperationType).

    • 16 (Special privileges): LogonType field of the Windows event viewer.

    • 18 (WFP filter operation): Filter name.

eventtype 47 (DeviceOps) - description

  • Description of the USB device type that performed the operation.

eventtype 61 (ErrorEvents):

  • Raw content of the malformed event when it cannot be parsed.

eventtype 99 (RemediationOps) - remediationdata:

String of characters with these fields separated by *:

    • Path: Path and name of the process ended by the security software or sent to quarantine.

    • InfoDiscard: Quarantine file internal information.

eventtype 555 (IOA):

Details of the processes that generated the IOA.

Character string

failedqueries

Number of failed DNS resolution requests sent by the process in the last hour.

Numeric value

firstseen

See childfirstseen

Date

friendlyname

An easily readable device name.

Character string

guidrule

See ruleid.

 

headerhttp

HTTP header dump when the security software detects communications that use HTTP tunnels.

This field shows information only if the security software Audit mode is enabled.

Character string

hostname

See remotemachinename

Character string

huntingruleid

See ruleid.

Character string

huntingrulemitre

MITRE ATT&CK tactics, techniques, and procedures (TTPs) associated with the hunting rule.

Character string

huntingrulemode

Indicates whether the rule is enabled in the Threat Engine to generate indicators.

Boolean

huntingrulename

Name of the cyberattack radar rule that detected the indicator.

Character string

huntingruleseverity

Severity of the impact of the indicator generated by the hunting rule:

  • 0: Not set.

  • 1: Critical.

  • 2: High.

  • 3: Medium.

  • 4: Low.

  • 1000: Unknown.

Enumeration

huntingruletype

Type of hunting rule.

  • 1: Rule run in the threat engine.

  • 2: RDP attack detection rule.

  • 3: IOC applied retrospectively to the stored telemetry.

  • 4: IOC applied to the telemetry flow in real time.

  • 5: Rule run on the user computer.

Enumeration

idname

Device name.

Character string

indicatortimestamp

See ioatimestamp.

Date

infodiscard

See extendedinfo.

Character string

initialdomain

See url.

Character string

insertiondatetime

Date in UTC format at the time the Cytomic Orion servers logged the event sent by the computer. This date is always later than the other dates because the events are queued to be processed.

Date

interactive

Indicates whether the login is an interactive login.

Binary value

IOAId

Indicator ID.

Character string

IOAIds

When a sequence of events follows a pattern described in the MITRE matrix, Cytomic Orion creates an indicator (IOA) and adds the indicator ID to all the events related to it.

Numeric value

ioatimestamp

UTC date in epoch format (number of seconds elapsed since 1 January 1970) at the time the last event that triggered the indicator occurred.

Date

ipv4status

IP address type:

  • 0 (Private)

  • 1 (Public)

Enumeration

isdestinationipv6

   

isdenied

Indicates whether the reported action was denied.

Binary value

islocal

Indicates whether the task was created on the local computer or on a remote computer.

Binary value

islocalipv6

Indicates whether the local IP address is IPv6 (true) or IPv4 (false).

Boolean

isremoteipv6

Indicates whether the remote IP address is IPv6 (true) or IPv4 (false).

Boolean

issessioninteractive

See interactive.

Binary value

key

Affected registry branch or key.

Character string

lastquery

Last query sent to the cloud by the Cytomic EDR or Cytomic EPDR agent.

Date

list

eventtype 46 (DnsOps) - DomainList:

  • List of domains sent by the process to the DNS server for resolution and number of resolutions per domain, with the format {domain_name,number#domain_name,number}.

eventtype 99 (RemediationOps) - url:

  • List of 10 URLs obtained from the process monitor in the event of the detection of an exploit.

Character string
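The DomainList format above packs a whole hour of a process’s DNS activity into one string, so a detection that wants per-domain counts, the spread of distinct names, or the share of failed lookups (the separate failedqueries field) has to parse it first. The following parser and summary are an added example written for this page, not Cytomic’s code. The DnsOps record is constructed inline, the registrable-domain helper is a deliberate simplification (last two labels, no public suffix list), and the DGA heuristic and its thresholds are the example’s own:

```python
# Added example (not Cytomic's own code): parse the DnsOps DomainList value and
# summarise an eventtype 46 record together with its failedqueries counter.


def parse_domainlist(value):
    """Parse '{domain,count#domain,count}' into {domain: count}. Braces are
    optional, names are lower-cased, and a repeated name has its counts summed."""
    text = (value or "").strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    counts = {}
    for item in filter(None, text.split("#")):
        domain, sep, count = item.rpartition(",")
        if not sep or not count.strip().isdigit():
            raise ValueError(f"malformed DomainList entry: {item!r}")
        domain = domain.strip().lower().rstrip(".")
        counts[domain] = counts.get(domain, 0) + int(count)
    return counts


def registrable_part(domain):
    """Last two labels; a simplification for the example (no public suffix list)."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def summarize_dns_event(event):
    """Summarise one eventtype 46 record: lookup volume, name spread, and the
    share of the process's lookups in the last hour that failed (failedqueries).
    The ratio assumes failed lookups are counted in DomainList; if they are
    not, it still orders processes usefully but is not an exact fraction."""
    counts = parse_domainlist(event.get("domainlist", ""))
    total = sum(counts.values())
    failed = int(event.get("failedqueries", 0))
    return {
        "total_queries": total,
        "distinct_domains": len(counts),
        "distinct_registrable": len({registrable_part(d) for d in counts}),
        "failed_queries": failed,
        "failure_ratio": round(failed / total, 2) if total else 0.0,
        "top_domain": max(counts, key=counts.get) if counts else None,
    }


def looks_like_dga(summary, min_distinct=50, min_failure_ratio=0.5):
    """Heuristic of our own: many distinct registrable names, most lookups failing."""
    return (summary["distinct_registrable"] >= min_distinct
            and summary["failure_ratio"] >= min_failure_ratio)


# Constructed sample record for a benign-looking process.
SAMPLE_DNS_EVENT = {
    "eventtype": 46,
    "childfilename": "svchost.exe",
    "domainlist": "{update.example.com,12#cdn.example.net,3"
                  "#a1b2c3d4e5.xyz,1#f6g7h8i9j0.xyz,1}",
    "failedqueries": 2,
}
```

Parsing raises on a malformed entry rather than skipping it, so a truncated or unexpectedly formatted DomainList surfaces as an error in the pipeline instead of an undercount that quietly suppresses the alert.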

localdatetime

The computer date (in UTC format) at the time the logged event occurred. This date depends on the computer settings. As a result, it can be incorrect.

Date

localip

eventtype 22 (NetworkOps) - localip

Contains the IP address of the computer on which the event was logged, regardless of the connection direction (direction field). See remoteip and direction.

eventtype 99 (RemediationOps) - naporiginip:

IP address of the source computer in a network connection scanned by Network Attack Protection.

IP address

localport

eventtype 22 (NetworkOps) - localport

Contains the port of the computer on which the event was logged or of the other end of the connection depending on the direction field:

  • direction = 1 (inbound connection). This contains the port of the other end of the connection.

  • direction = 2 (outbound connection). This contains the port of the computer on which the event is logged.

See direction.

eventtype 99 (RemediationOps) - naporiginport:

Port of the source computer in a network connection scanned by Network Attack Protection.

Numeric value

loggeduser

The user that was logged in to the computer at the time the event was generated.

Character string

machinename

Name of the computer that ran the process.

Character string

manufacturer

Device manufacturer.

Character string

method

HTTP connection method when the security software detects communications that use HTTP tunnels.

  • 1 - GET

  • 2 - POST

This field shows information only if the security software Audit mode is enabled.

Numeric value

MUID

Internal ID of the client’s computer.

Character string

napattack

Network attack direction.

  • 1: The naporiginip and naporiginport fields contain the IP address and port of the attacking computer.

  • 2: The napdestinationip and napdestinationport fields contain the IP address and port of the attacking computer.

Numeric value

napdestinationip

See destinationip.

 

napdestinationport

See destinationport.

 

napdirection

See direction.

 

napoccurrences

See times.

 

naporiginip

See localip.

 

naporiginport

See localport

 

notificationtype

Internal use.

Character string

numcacheclassifiedelements

Number of items whose classification is cached in the security software.

Numeric value

objectname

See datacontanier.

 

occurrences

Number of grouped indicators. See Indicator Grouping

Numeric value

opentstamp

Date of the WMI notification for WMI_CREATEPROC (54) events.

Bitmask

opentimestamp

   

operation

eventtype 1 (ProcessOps)

Type of operation performed by the process.

  • 0 (CreateProc): Process created.

  • 1 (PECreat): Executable program created.

  • 2 (PEModif): Executable program modified.

  • 3 (LibraryLoad): Library loaded.

  • 4 (SvcInst): Service installed.

  • 5 (PEMapWrite): Executable program mapped for write access.

  • 6 (PEDelet): Executable program deleted.

  • 7 (PERenam): Executable program renamed.

  • 8 (DirCreate): Folder created.

  • 9 (CMPCreat): Compressed file created.

  • 10 (CMOpened): Compressed file opened.

  • 11 (RegKExeCreat): A registry branch that points to an executable file was created.

  • 12 (RegKExeModif): A registry branch was modified, which now points to an executable file.

  • 15 (PENeverSeen): Executable program never seen before by Cytomic Orion.

  • 17 (RemoteThreadCreated): Remote thread created.

  • 18 (ProcessKilled): Process killed.

  • 25 (SamAccess): Access to the computer SAM.

  • 30 (ExploitSniffer): Sniffing exploit technique detected.

  • 31 (ExploitWSAStartup): WSAStartup exploit technique detected.

  • 32 (ExploitInternetReadFile): InternetReadFile exploit technique detected.

  • 34 (ExploitCMD): CMD exploit technique detected.

  • 39 (Load16bitsFilesByNtvm.exe): 16-bit file loaded by ntvdm.exe.

  • 43 (Heuhooks): Anti-exploit technology detected.

  • 54 (Create process by WMI): Process created by a modified WMI.

  • 55 (AttackProduct): Attack detected on the agent service, a file, or registry key.

  • 61 (OpenProcess LSASS): LSASS process opened.

  • 89 (LoadDrvVulnerable): A process loaded a vulnerable driver after the operating system started up.

  • 200 (MitreReadComplete): MITRE event that indicates a file was read.

  • 201 (MitreCreateFile): MITRE event that indicates a file was created.

  • 202 (MitreModifyFile): MITRE event that indicates a file was modified.

  • 207 (LoadDriver): MITRE event that indicates a driver was loaded.

  • 208 (NopeDelete): MITRE event that indicates a non-executable file was deleted.

eventtype 45 (SystemOps) - type

Type of WMI operation performed by the process.

  • 0 (Command line event creation): WMI launched a command line in response to a change in the database.

  • 1 (Active script event creation): A script was run in response to receiving an event.

  • 2 (Event consumer to filter consumer): This event is generated whenever a process subscribes to receive notifications. The name of the created filter is received.

  • 3 (Event consumer to filter query): This event is generated whenever a process subscribes to receive notifications. The query run by the process to subscribe is received.

  • 4 (Create User): A user account was added to the operating system.

  • 5 (Delete User): A user account was deleted from the operating system.

  • 6 (Add user group): A group was added to the operating system.

  • 7 (Delete user group): A group was deleted from the operating system.

  • 8 (User group admin): A user was added to the admin group.

  • 9 (User group rdp): A user was added to the RDP group.

  • 13 (WMI query): WMI query on the computer.

  • 14 (Login attemp): Attempt to login on another computer.

  • 15 (Scheduler tasks): Operation is logged in the task scheduler.

  • 16 (Special privileges): Escalation of privileges on login.

  • 17 (AMSI buffer scan request): AMSI scan request for a buffer containing a script.

  • 18 (WFP filter operation): A WFP (Windows Filtering Platform) filter was created or deleted.

Enumeration

Operationflags/ integrityLevel

eventtype 1 (ProcessOps) - operationflags

Indicates the integrity level assigned by Windows to the item. The values are the RIDs of the Windows mandatory-label SIDs (S-1-16-4096 is Low, S-1-16-8192 is Medium, and so on). See https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control.

  • 0x0000 Untrusted level

  • 0x1000 Low integrity level

  • 0x2000 Medium integrity level

  • 0x3000 High integrity level

  • 0x4000 System integrity level

  • 0x5000 Protected

eventtype 22 (NetworkOps) - SocketOpFlags

Specifies the grouping algorithm used to reduce the logging of network connections with identical source and destination IP addresses and ports. Grouping is applied over time periods, and only one connection from each group is logged when the period ends. The period depends on the number of connections logged:

  • 0x00000001 (Flag realtime): The event was logged in real time. This applies only to connections that were not grouped.

  • 0x00000002 (Standard grouping): 15 minutes

  • 0x00000004 (L1 grouping): 500 connections, 2 hours

  • 0x00000008 (L2 grouping): 1000 connections, 6 hours

  • 0x00000010 (L3 grouping): 5000 connections, 12 hours

  • 0x00000020 (L4 grouping): 10000 connections, 24 hours

When the specified number of connections is logged at the current grouping level, the grouping level increases. Every hour the number of logged connections is re-evaluated to lower the grouping level, if required.

Numeric value

operationstatus

See opstatus.

Numeric value

opstatus

Indicates whether the event must be sent to Cytomic Insights:

  • 0: Send.

  • 1: Filtered by the agent.

  • 2: Do not send.

Enumeration

origusername

User on the computer who performed the operation.

Character string

pandaalertid

Internal ID of the indicator.

Character string

pandaid

See accountid.

Numeric value

pandatimestatus

Indicates the algorithm used to calculate the dates in the Date, DateTime, and TimeStamp fields:

  • 0 (Version not supported): The computer does not support synchronizing its clock with the Cytomic time reference.

  • 1 (Recalculated Panda Time): The computer corrected its clock and synchronized it with the Cytomic time reference.

  • 2 (Panda Time OK): The computer's clock is correct.

  • 3 (Panda Time calculation error): Error while correcting the computer's clock.

Enumeration

parentattributes

Attributes of the parent process.

  • 0x0000000000000001 (ISINSTALLER): Self-extracting (SFX) file.

  • 0x0000000000000002 (ISDRIVER): Driver-type file.

  • 0x0000000000000008 (ISRESOURCESDLL): Resource DLL-type file.

  • 0x0000000000000010 (EXTERNAL): File from outside the computer.

  • 0x0000000000000020 (ISFRESHUNK): File recently added to the Cytomic knowledge base.

  • 0x0000000000000040 (ISDISSINFECTABLE): File for which there is a recommended disinfection action.

  • 0x0000000000000080 (DETEVENT_DISCARD): The event-based context detection technology did not detect anything suspicious.

  • 0x0000000000000100 (WAITED_FOR_VINDEX): Execution of a file whose creation had not been registered.

  • 0x0000000000000200 (ISACTIONSEND): The local technologies did not detect malware in the file and it was sent to Cytomic for classification.

  • 0x0000000000000400 (ISLANSHARED): File stored on a network drive.

  • 0x0000000000000800 (USERALLOWUNK): File with permission to import unknown DLLs.

  • 0x0000000000001000 (ISSESIONREMOTE): Event originating from a remote session.

  • 0x0000000000002000 (LOADLIB_TIMEOUT): The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

  • 0x0000000000004000 (ISPE): Executable file.

  • 0x0000000000008000 (ISNOPE): Non-executable file.

  • 0x0000000000020000 (NOSHELL): The agent did not detect the execution of a shell command on the system.

  • 0x0000000000080000 (ISNETNATIVE): NET Native file.

  • 0x0000000000100000 (ISSERIALIZER): Serializer file.

  • 0x0000000000200000 (PANDEX): File included in the list of processes created by Cytomic Patch.

  • 0x0000000000400000 (SONOFGWINSTALLER): File created by an installer classified as goodware.

  • 0x0000000000800000 (PROCESS_EXCLUDED): File not scanned because of the Cytomic Orion exclusions.

  • 0x0000000001000000 (INTERCEPTION_TXF): The intercepted operation was originated by an executable whose image on the disk is being modified.

  • 0x0000000002000000 (HASMACROS): Microsoft Office document with macros.

  • 0x0000000008000000 (ISPEARM): Executable file for ARM microprocessors.

  • 0x0000000010000000 (ISDYNFILTERED): The file was allowed on the computer because there are no technologies to classify it.

  • 0x0000000020000000 (ISDISINFECTED): The file was disinfected.

  • 0x0000000040000000 (PROCESSLOST): The operation was not logged.

  • 0x0000000080000000 (OPERATION_LOST): Operation with a pre-scan report for which the post-scan report has not been received yet.

  • 0x0000002000000000 (SAFE_BOOT_MODE): The computer started in Safe Mode.

  • 0x0000004000000000 (PANDA_SIGNED): File signed by Panda Security.

Enumeration
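The operationflags (integrity level for eventtype 1, socket grouping flags for eventtype 22) and parentattributes fields described above are bit-packed and are easiest to work with once expanded to names. The following decoder is an added example, not Cytomic code: the flag tables are transcribed from the field descriptions on this page, needs_review() is an illustrative triage rule rather than a product rule, and the sample events are constructed.

```python
"""Decode the bit-packed Cytomic Orion fields operationflags (integrity level
for eventtype 1, socket grouping flags for eventtype 22) and parentattributes.
Added example, not Cytomic code: the flag tables are transcribed from the field
descriptions above; needs_review() is an illustrative triage rule and the sample
events are constructed."""

# eventtype 1 (ProcessOps): operationflags carries the mandatory integrity level RID.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
    0x3000: "High", 0x4000: "System", 0x5000: "Protected",
}

# eventtype 22 (NetworkOps): operationflags / socketopflags grouping level.
SOCKET_OP_FLAGS = {
    0x01: "realtime", 0x02: "standard_15min", 0x04: "L1_500conn_2h",
    0x08: "L2_1000conn_6h", 0x10: "L3_5000conn_12h", 0x20: "L4_10000conn_24h",
}

# parentattributes bit names, as listed in the field description.
PARENT_ATTRIBUTES = {
    0x1: "ISINSTALLER", 0x2: "ISDRIVER", 0x8: "ISRESOURCESDLL",
    0x10: "EXTERNAL", 0x20: "ISFRESHUNK", 0x40: "ISDISSINFECTABLE",
    0x80: "DETEVENT_DISCARD", 0x100: "WAITED_FOR_VINDEX", 0x200: "ISACTIONSEND",
    0x400: "ISLANSHARED", 0x800: "USERALLOWUNK", 0x1000: "ISSESIONREMOTE",
    0x2000: "LOADLIB_TIMEOUT", 0x4000: "ISPE", 0x8000: "ISNOPE",
    0x20000: "NOSHELL", 0x80000: "ISNETNATIVE", 0x100000: "ISSERIALIZER",
    0x200000: "PANDEX", 0x400000: "SONOFGWINSTALLER", 0x800000: "PROCESS_EXCLUDED",
    0x1000000: "INTERCEPTION_TXF", 0x2000000: "HASMACROS", 0x8000000: "ISPEARM",
    0x10000000: "ISDYNFILTERED", 0x20000000: "ISDISINFECTED",
    0x40000000: "PROCESSLOST", 0x80000000: "OPERATION_LOST",
    0x2000000000: "SAFE_BOOT_MODE", 0x4000000000: "PANDA_SIGNED",
}


def _as_int(value):
    """Accept ints or hex/decimal strings ("0x1010", "4112"), as exported fields often are."""
    return value if isinstance(value, int) else int(str(value), 0)


def integrity_level(operationflags):
    """Map the RID in operationflags to its level; bits below 0x1000 are ignored."""
    rid = _as_int(operationflags) & 0xF000
    return INTEGRITY_LEVELS.get(rid, f"Unknown(0x{rid:04x})")


def decode_bits(value, table):
    """Expand a bitmask into the names from table, keeping unknown bits visible."""
    value = _as_int(value)
    names = []
    bit = 1
    while value:
        if value & bit:
            names.append(table.get(bit, f"UNKNOWN_0x{bit:x}"))
            value &= ~bit
        bit <<= 1
    return names


def socket_grouping(flags):
    return decode_bits(flags, SOCKET_OP_FLAGS)


def parent_attributes(attrs):
    return decode_bits(attrs, PARENT_ATTRIBUTES)


def decode(event):
    """Return the decoded view of an event's packed fields, keyed by eventtype."""
    out = {"eventtype": event["eventtype"]}
    if event["eventtype"] == 1:
        out["integrity"] = integrity_level(event["operationflags"])
        out["parentattributes"] = parent_attributes(event.get("parentattributes", 0))
    elif event["eventtype"] == 22:
        out["grouping"] = socket_grouping(event.get("socketopflags", event.get("operationflags", 0)))
    return out


def needs_review(event):
    """Illustrative triage rule (not a product rule): a process running at High
    integrity or above whose parent came from outside the computer, from a
    network share, or from a remote session."""
    if event["eventtype"] != 1:
        return False
    elevated = (_as_int(event["operationflags"]) & 0xF000) >= 0x3000
    suspicious_origin = {"EXTERNAL", "ISLANSHARED", "ISSESIONREMOTE"}
    return elevated and bool(suspicious_origin & set(parent_attributes(event.get("parentattributes", 0))))


# Constructed sample events (not real telemetry).
SAMPLE_PROCESS_EVENT = {"eventtype": 1, "operationflags": 0x3000,
                        "parentattributes": "0x1010"}   # EXTERNAL | ISSESIONREMOTE
SAMPLE_NETWORK_EVENT = {"eventtype": 22, "socketopflags": 0x08}

if __name__ == "__main__":
    print(decode(SAMPLE_PROCESS_EVENT), needs_review(SAMPLE_PROCESS_EVENT))
    print(decode(SAMPLE_NETWORK_EVENT))
```

Unknown bits are reported as UNKNOWN_0x... rather than dropped, so a new flag added by an agent update shows up in the decoded output instead of silently disappearing.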

parentattmask

See parentattributes.  

parentblake

BLAKE2 hash of the parent file that performed the operation.

Character string

parentcount

Number of processes with DNS failures.

Numeric value

parentdrive

   

parentfilename

Parent file name.

Character string

parentmd5

MD5 hash of the parent file.

Character string

parentpath

Path of the parent file that performed the logged operation.

Character string

parentpid

Parent process ID.

Numeric value

parentstatus

  • 0 (StatusOk): Status OK.

  • 1 (NotFound): Item not found.

  • 2 (UnexpectedError): Unknown error.

  • 3 (StaticFiltered): File identified as malware using static information contained in the Cytomic EDR or Cytomic EPDR protection.

  • 4 (DynamicFiltered): File identified as malware using local technology implemented in Cytomic EDR or Cytomic EPDR.

  • 5 (FileIsTooBig): File too big.

  • 6 (PEUploadNotAllowed): Sending of files to the cloud is disabled.

  • 11 (FileWasUploaded): File sent to the cloud for analysis.

  • 12 (FiletypeFiltered): Resource DLL, NET Native, or Serializer-type file.

  • 13 (NotUploadGWLocal): Goodware file not saved to the cloud.

  • 14 (NotUploadMWdisinfect): Disinfected malware file not saved to the cloud.

Enumeration

pecreationsource

Type of drive where the process was created. The values match those returned by the Windows GetDriveType API:

  • 0: The device type cannot be determined.

  • 1: The device path is invalid (for example, the external storage media was removed).

  • 2: Removable storage media.

  • 3: Internal (fixed) storage media.

  • 4: Remote storage media (for example, a network drive).

  • 5: CD-ROM.

  • 6: RAM disk.

Numeric value

phonedescription

Phone description if the operation involved a device of this type.

Character string

pid

Identifier of the process that started the session.

Numeric value

protocol

Communications protocol used by the process.

  • 6 (TCP)

  • 12 (RDP)

  • 17 (UDP)

Enumeration

proxyconnection

The connection is through a proxy.

Boolean

querieddomaincount

See times.

Numeric value

realservicelevel

Current agent mode (this can be temporarily different from the mode assigned in the settings).

See servicelevel

Enumeration

redirection

HTTP redirection detected.

This field shows information only if the security software Audit mode is enabled.

Boolean

registryaction

Type of operation performed on the Windows registry of the computer.

  • 0 (CreateKey): A new registry branch was created.

  • 1 (CreateValue): A value was assigned to a registry branch.

  • 2 (ModifyValue): A registry branch value was modified.

Enumeration

remediationdata

See extendedinfo.

remediationresult

User’s response to the pop-up message shown by Cytomic EPDR or Cytomic EDR.

  • 0 (OK): The user accepted the message.

  • 1 (Timeout): The pop-up message disappeared due to lack of action by the user.

  • 2 (Angry): The user chose the option to not block the item from the pop-up message displayed.

  • 3 (Block): The item was blocked because the user did not reply to the pop-up message.

  • 4 (Allow): The user accepted the solution.

  • -1 (Unknown)

Enumeration

remoteip

eventtype 1 (ProcessOps)

IP address of the remote computer that executed the action on the monitored computer.

eventtype 22 (Networkops)

Contains the IP address of the other end of the connection, regardless of the connection direction (direction field). See localip and direction.

eventtype 45 (SystemOps)

IP address of the computer connected to the monitored computer to execute a WMI request.

IP address

remotemachinename

eventtype 1 (ProcessOps)

Name of the remote computer that executed the action on the monitored computer.

eventtype 22 (Networkops) - hostname

Name of the remote computer.

eventtype 45 (SystemOps)

Name of the computer connected to the monitored computer to execute a WMI request.

Character string

remoteport

Port of the connection, chosen according to the direction field:

  • direction = 1 (inbound connection): The port on the computer on which the event was logged.

  • direction = 2 (outbound connection): The port on the other end of the connection.

In both cases this is the port on which the connection was accepted (the listening port). See localport and direction.

Numeric value
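Because remoteip is always the other end and remoteport is always the accepting port, an eventtype 22 record can be normalised into "which peer talked to which listening port, and who was the server" without special-casing the direction. The following is an added example, not Cytomic code: the ADMIN_PORTS and INTERNAL_NETS sets are assumptions a deployment would tune, and the sample records are constructed.

```python
"""Normalise eventtype 22 (NetworkOps) records and flag inbound connections
to administrative ports. Added example, not Cytomic code: ADMIN_PORTS,
INTERNAL_NETS and the sample events are constructed assumptions."""
import ipaddress

INBOUND, OUTBOUND = 1, 2                        # direction field values
PROTOCOLS = {6: "TCP", 12: "RDP", 17: "UDP"}    # protocol field values
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}  # assumption: ports worth alerting on
INTERNAL_NETS = [ipaddress.ip_network(n)        # assumption: the organisation's ranges
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalise(ev):
    """Return the peer and the accepting port of one connection record.

    remoteip is the other end whatever the direction.  remoteport is the port
    on the monitored computer for inbound connections and the port on the
    other end for outbound ones, so in both cases it is the port the
    connection was accepted on (the server side)."""
    direction = ev["direction"]
    if direction not in (INBOUND, OUTBOUND):
        raise ValueError(f"unknown direction {direction!r}")
    return {
        "host": ev["uniqueid"],
        "peer_ip": ev["remoteip"],
        "server_port": ev["remoteport"],
        "host_role": "server" if direction == INBOUND else "client",
        "protocol": PROTOCOLS.get(ev.get("protocol"), f"proto_{ev.get('protocol')}"),
        "connections": ev.get("times", 1),      # grouped records carry a repeat count
    }


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inbound_admin_access(events):
    """Inbound connections to ADMIN_PORTS on the monitored host from a peer
    outside INTERNAL_NETS, with the per-peer connection count summed."""
    hits = {}
    for ev in events:
        if ev.get("eventtype") != 22:
            continue
        rec = normalise(ev)
        if (rec["host_role"] == "server"
                and rec["server_port"] in ADMIN_PORTS
                and not is_internal(rec["peer_ip"])):
            key = (rec["host"], rec["peer_ip"], rec["server_port"])
            hits[key] = hits.get(key, 0) + rec["connections"]
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"eventtype": 22, "uniqueid": "ws-042", "direction": INBOUND, "protocol": 6,
     "remoteip": "203.0.113.7", "remoteport": 3389, "times": 40},
    {"eventtype": 22, "uniqueid": "ws-042", "direction": INBOUND, "protocol": 6,
     "remoteip": "203.0.113.7", "remoteport": 3389, "times": 12},
    {"eventtype": 22, "uniqueid": "ws-042", "direction": OUTBOUND, "protocol": 6,
     "remoteip": "203.0.113.9", "remoteport": 443, "times": 3},
    {"eventtype": 22, "uniqueid": "ws-042", "direction": INBOUND, "protocol": 6,
     "remoteip": "10.1.2.3", "remoteport": 445, "times": 5},
]

if __name__ == "__main__":
    for (host, peer, port), count in inbound_admin_access(SAMPLE_EVENTS).items():
        print(f"{host}: {count} inbound connection(s) from {peer} to port {port}")
```

The times field is summed rather than the number of records counted, because grouped records (see socketopflags) stand for many connections each; counting records would understate a brute-force attempt by the grouping factor.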

remoteusername

Name of the remote user that performed the operation on the monitored computer.

Character string

responseclassification

Process classification.

  • 0 (Unknown): File in the process of classification.

  • 1 (Goodware): File classified as goodware.

  • 2 (Malware): File classified as malware.

  • 3 (Suspect): The file is in the process of classification and it is highly likely to be malware.

  • 4 (Compromised): Process compromised by an exploit attack.

  • 5 (GWNotConfirmed): The file is in the process of classification and it is highly likely to be goodware.

  • 6 (Pup): File classified as an unwanted program.

  • 7 (GwUnwanted): Equivalent to PUP.

  • 8 (GwRanked): Process classified as goodware.

  • -1 (Unknown)

Enumeration

risk

Protection status of the device that initiated the connection to the protected computer. This status is the reason why the Endpoint Access Enforcement technology blocked or monitored the connection.

  • 0 (E_NNS_MACHINE_PROTECTION_STATUS_UNKNOWN): The status of the protection on the connecting computer is unknown.

  • 1 (E_NNS_MACHINE_PROTECTION_STATUS_PROTECTION_ENABLED): The status of the protection on the connecting computer is enabled.

  • 2 (E_NNS_MACHINE_PROTECTION_STATUS_NON_MANAGED): The connecting computer does not have security software installed or the software is from another vendor.

  • 3 (E_NNS_MACHINE_PROTECTION_STATUS_DIFFERENT_ACCOUNT): The connecting computer has compatible security software installed but it is managed by another account.

  • 4 (E_NNS_MACHINE_PROTECTION_STATUS_PROTECTION_DISABLED): The connecting computer has compatible security software installed but it is disabled.

  • 5 (E_NNS_MACHINE_PROTECTION_STATUS_RISK_MEDIUM): The risk level of the connecting computer is medium.

  • 6 (E_NNS_MACHINE_PROTECTION_STATUS_RISK_HIGH): The risk level of the connecting computer is high.

  • 7 (E_NNS_MACHINE_PROTECTION_STATUS_RISK_CRITICAL): The risk level of the connecting computer is critical.

Enumeration

riskdetected

See risk.

 

ruleid

eventtype 555 (IOA) - huntingruleid:

Identifier of the cyberattack radar rule that detected the indicator.

eventtype 22 (NetworkOps) - ruleid:

Snort rule that detected communications that use HTTP tunnels. This field shows information only if the security software Audit mode is enabled.

Character string

servicelevel

Agent execution mode.

  • 0 (Learning): The agent does not block any items but monitors all running processes.

  • 1 (Hardening): The agent blocks all unclassified programs coming from an untrusted source, and items classified as malware.

  • 2 (Block): The agent blocks all unclassified executables and items classified as malware.

  • -1 (N/A)

Enumeration

sessiondate

Date the protection service was last started, or last restarted after an update.

Date

sessiontype

Login type:

  • 0 (System Only): Session started with a system account.

  • 2 (Local): Session created physically through a keyboard or through KVM over IP.

  • 3 (Remote): Session created remotely in shared folders or printers. This login type uses secure authentication.

  • 4 (Scheduled): Session created by the Windows task scheduler.

  • 5 (Service): Session created when a service that needs to run in the user session is launched. The session is deleted when the service stops.

  • 7 (Blocked): Session resumed when the user unlocks a previously locked session (Windows logon type 7, Unlock).

  • 8 (Remote Unsecure): Same as type 3 but the password is sent in plain text.

  • 9 (RunAs): Session created when the “RunAs” command is used under an account other than the account used to log in, and the “/netonly” parameter is specified. If the “/netonly” parameter is not specified, a type 2 session is created.

  • 10 (TsClient): Session created when accessing through “Terminal Service”, “Remote Desktop” or “Remote Assistance”. It identifies a remote user connection.

  • 11 (Domain Cached): User session created with domain credentials cached on the machine, but with no connection to the domain controller.

  • -1 (Unknown)

Enumeration

sha256

See childsha256.

Character string

shash

Alphanumeric character pattern followed by the hash of the child process.

Character string

socketopflags

See Operationflags/ integrityLevel.  

TelemetryType

  • 0: Normal telemetry. The event does not belong to an indicator that follows a pattern described in the MITRE matrix.

  • 1: Resent event. The event was originally sent as a type 0 event (normal telemetry), but later it was detected that it belongs to an attack pattern described in the MITRE matrix. The event was resent with the TTPs and IOAIds fields completed.

  • 2: Accumulated events: To save resources, part of the telemetry generated for the client is retained until the security software detects a MITRE attack pattern. Then, all accumulated events are sent.

Enumeration

timeout

The local scan took too long to complete and the process was delegated to other mechanisms that do not impact performance.

Boolean

times

eventtype 22 (NetworkOps)

Number of repetitions of a connection created by the same process on the same path, with the same localIP, RemoteIP, and RemotePort.

eventtype 45 (SystemOps)

Number of WMI requests per table and process grouped in a one-hour period.

eventtype 46 (DnsOps) - querieddomaincount

Number of different domains sent by the process for which there was a DNS resolution failure in the last hour.

eventtype 99 (RemediationOps) - napocurrences

Number of times the same type of network attack targeting the same IP address has been logged in a one-hour period.

Numeric value

timestamp

UTC date in epoch format (number of seconds elapsed since 1 January 1970) at which the event occurred on the client's computer. Whether this value comes from a verified clock is indicated by pandatimestatus.

Date
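The TelemetryType, pandatimestatus and timestamp fields together determine how an ingestion pipeline should treat a record: a type 1 event is a resend of something already stored (so it should update, not duplicate), a type 2 event arrives long after it happened (so only timestamp, never arrival time, dates it), and timestamp is only as good as the clock pandatimestatus vouches for. The following store is an added example, not Cytomic code; it assumes an event is identified by (uniqueid, eventtype, timestamp, pid), and the sample records and their TTPs/IOAIds strings are constructed placeholders.

```python
"""Ingest Cytomic Orion telemetry taking TelemetryType and pandatimestatus
into account: resent events (type 1) update the copy already stored instead
of being stored twice, accumulated events (type 2) are kept but marked as
late, and each event gets an aware UTC datetime plus a flag saying whether
the source clock was verified. Added example, not Cytomic code. Assumption:
an event is identified by (uniqueid, eventtype, timestamp, pid); the sample
records and their TTPs/IOAIds values are constructed placeholders."""
from datetime import datetime, timezone

NORMAL, RESENT, ACCUMULATED = 0, 1, 2     # TelemetryType values
# pandatimestatus values whose timestamp can be trusted:
# 1 Recalculated Panda Time, 2 Panda Time OK.
TRUSTED_TIME_STATUS = {1, 2}


def event_key(ev):
    """Assumed identity of an event; pick the fields your pipeline uses."""
    return (ev["uniqueid"], ev["eventtype"], ev["timestamp"], ev.get("pid"))


def event_time(ev):
    """timestamp is epoch seconds in UTC; return it as an aware datetime and
    whether pandatimestatus says the clock behind it was verified."""
    when = datetime.fromtimestamp(ev["timestamp"], tz=timezone.utc)
    return when, ev.get("pandatimestatus") in TRUSTED_TIME_STATUS


class EventStore:
    def __init__(self):
        self.events = {}      # event_key -> stored record
        self.late_keys = []   # keys of accumulated (type 2) events

    def ingest(self, ev):
        key = event_key(ev)
        ttype = ev.get("TelemetryType", NORMAL)
        when, trusted = event_time(ev)
        if ttype == RESENT and key in self.events:
            # Same event seen before as type 0: keep one copy and attach the
            # attack-pattern context that the resend carries.
            self.events[key].update(TelemetryType=RESENT,
                                    TTPs=ev.get("TTPs"), IOAIds=ev.get("IOAIds"))
            return "updated"
        if ttype == ACCUMULATED:
            # Held back on the endpoint until a pattern matched: arrival time
            # says nothing about when it happened, only timestamp does.
            self.late_keys.append(key)
        self.events[key] = dict(ev, event_time=when, time_trusted=trusted)
        return "inserted"

    def linked_to_ioa(self):
        """Events that carry MITRE context, whether resent or accumulated."""
        return [rec for rec in self.events.values() if rec.get("TTPs")]


# Constructed sample records (not real telemetry); 1709251200 is 2024-03-01 00:00:00 UTC.
SAMPLE_RECORDS = [
    {"uniqueid": "ws-042", "eventtype": 1, "pid": 4120, "timestamp": 1709251200,
     "pandatimestatus": 2, "TelemetryType": 0},
    {"uniqueid": "ws-042", "eventtype": 1, "pid": 4120, "timestamp": 1709251200,
     "pandatimestatus": 2, "TelemetryType": 1,
     "TTPs": "TA0002/T1059.001", "IOAIds": "ioa-placeholder"},
    {"uniqueid": "ws-042", "eventtype": 22, "pid": 4120, "timestamp": 1709251260,
     "pandatimestatus": 0, "TelemetryType": 2, "TTPs": "TA0011/T1071.001"},
]

if __name__ == "__main__":
    store = EventStore()
    for rec in SAMPLE_RECORDS:
        print(store.ingest(rec))
    print(len(store.events), "stored,", len(store.late_keys), "late,",
          len(store.linked_to_ioa()), "linked to an IOA")
```

A resent event whose original was never stored (for example because the agent filtered it, see opstatus) is simply inserted, so the IOA context is never lost; time-window analytics should read event_time and skip or down-weight records whose time_trusted is false.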

totalresolutiontime

Time the cloud took to respond to the classification query, or the error code if the query failed:

  • 0: The cloud was not queried.

  • >0: Time in milliseconds it took the cloud to respond to the query.

  • <0: Cloud query error code.

Numeric value

TTPs

List of the MITRE tactics, techniques, and sub-techniques associated with the event.

Character string

type

See operation.

Enumeration

uniqueid

Unique ID of the device.

Character string

url

eventtype 14 (Download) - childurl

Download URL launched by the process that generated the logged event.

eventtype 22 (NetworkOps) - inicitaldomain

Source domain when the security software detects an HTTP redirection.

This field shows information only if the security software Audit mode is enabled.

Character string

username

See loggeduser.  

value

See registryaction.

Enumeration

valuedata

Data type of the value contained in the registry branch.

  • 00 (REG_NONE)

  • 01 (REG_SZ)

  • 02 (REG_EXPAND_SZ)

  • 03 (REG_BINARY)

  • 04 (REG_DWORD)

  • 05 (REG_DWORD_BIG_ENDIAN)

  • 06 (REG_LINK)

  • 07 (REG_MULTI_SZ)

  • 08 (REG_RESOURCE_LIST)

  • 09 (REG_FULL_RESOURCE_DESCRIPTOR)

  • 0A (REG_RESOURCE_REQUIREMENTS_LIST)

  • 0B (REG_QWORD)

  • 0C (REG_QWORD_LITTLE_ENDIAN)

Enumeration

valuedatalength

Size of the data stored in the Windows registry.

Numeric value

verbosemode

The computer is configured in Verbose mode.

Boolean

version

Operating system version of the computer that ran the vulnerable software.

Character string

versionagent

Installed agent version.

Character string

versionantiexploit

See vantiexploit.

Character string

versionbloomfilter

See vbloomfilter.

Character string

versioncontroller

Psnmvctrl.dll DLL version.

Character string

versiondetectevent

Deteven.dll DLL version.

Character string

versiondetection

   

versiondetevenfilter

See vdeteventfilter.

 

versionfilterantiexploit

See vtfilterantiexploit.

 

versionioaplg

See vioaplg.  

versionproduct

Installed protection product version.

Character string

versionramsomevent

See vramsomevent.

 

versionsherlockplg

See vsherlockplg.  

versiontabledetection

See vtabledetevent.

 

versiontableramsom

See vtableramsomevent.

 

versionttpplg

See vttpplg.  

vantiexploit

Version of the PSNMVHookPlg32 and PSNAntiExploitPLG.dll DLLs.

Character string

vbloomfilter

Version of the Bloom filter file that contains the local goodware cache.

Character string

vdeteventfilter

Version of the filter file for the contextual detection technology (deteventfilter).

Character string

vioaplg

PSNIOAPlg.dll DLL version.

Character string

vtabledetevent

TblEven.dll DLL version.

Character string

vtableramsomevent

TblRansomEven.dll DLL version.

Character string

vramsomevent

RansomEvent.dll DLL version.

Character string

vsherlockplg

PSNEVMGRAG.dll DLL version.

Character string

vtfilterantiexploit

PSNAEHookPlg32.dll DLL version.

Character string

vttpplg

PSNMitrePlg.dll DLL version.

Character string

winningtech

Cytomic EPDR or Cytomic EDR agent technology that raised the event:

  • 0 (Unknown)

  • 1 (Cache): Locally cached classification.

  • 2 (Cloud): Classification downloaded from the cloud.

  • 3 (Context): Local context rule.

  • 4 (Serializer): Binary type.

  • 5 (User): The user was asked about the action to take.

  • 6 (LegacyUser): The user was asked about the action to take.

  • 7 (NetNative): Binary type.

  • 8 (CertifUA): Detection by digital certificates.

  • 9 (LocalSignature): Local signature.

  • 10 (ContextMinerva): Cloud-hosted context rule.

  • 11 (Blockmode): The agent was in Hardening or Lock mode when the process was blocked from running.

  • 12 (Metasploit): Attack created with the Metasploit Framework.

  • 13 (DLP): Data Leak Prevention technology.

  • 14 (AntiExploit): Technology that identifies attempts to exploit vulnerable processes.

  • 15 (GWFilter): Technology that identifies goodware processes.

  • 16 (Policy): Cytomic EPDR advanced security policies.

  • 17 (SecAppControl): Security app control technologies.

  • 18 (ProdAppControl): Productivity app control technologies.

  • 19 (EVTContext): Linux contextual technology.

  • 20 (RDP): Technology to detect/block RDP (Remote Desktop Protocol) intrusions and attacks.

  • 21 (AMSI): Technology to detect malware in AMSI notifications.

  • -1 (Unknown)

Enumeration

wsdocs

Base-64 encoded list of all documents that were open when an exploit detection occurred.

Character string
