accountid

accesstype

File access mask:

• (54) WMI_CREATEPROC: Local WMI.

For all other operations:

• https://docs.microsoft.com/en-us/windows/win32/secauthz/access-mask

• https://docs.microsoft.com/en-us/windows/win32/fileio/file-access-rights-constants

• https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights

accnube

The agent installed on the client’s computer can access the Cytomic cloud.

accountname

Nombre de la cuenta de usuario o del grupo involucrada en el evento en sistemas operativos Linux.

action

Type of action taken by the Cytomic EDR or Cytomic EPDR agent, by the user, or by the affected process:

• 0 (Allow): The agent allowed the process to run.

• 1 (Block): The agent blocked the process from running.

• 2 (BlockTimeout): The agent displayed a pop-up message to the user but the user did not respond in time.

• 3 (AllowWL): The agent allowed the process to run because it is on the local goodware allowlist.

• 4 (BlockBL): The agent blocked the process from running because it is on the local malware blocklist.

• 5 (Disinfect): The agent disinfected the process.

• 6 (Delete): The agent classified the process as malware and deleted it because it could not be disinfected.

• 7 (Quarantine): The agent classified the process as malware and moved it to quarantine folder on the computer.

• 8 (AllowByUser): The agent displayed a pop-up message to the user and the user responded with ‘Allow execution’.

• 9 (Informed): The agent displayed a pop-up message to the user.

• 10 (Unquarantine): The agent removed the file from the quarantine folder.

• 11 (Rename): The agent renamed the file. This action is used only for testing.

• 12 (BlockURL): The agent blocked the URL.

• 13 (KillProcess): The agent closed the process.

• 14 (BlockExploit): The agent stopped an attempt to exploit a vulnerable process.

• 15 (ExploitAllowByUser): The user did not allow the exploited process to be closed.

• 16 (RebootNeeded): The agent requires that the computer be rebooted to block the exploit attempt.

• 17 (ExploitInformed): The agent displayed a pop-up message to the user, reporting an attempt to exploit a vulnerable process.

• 18 (AllowSonGWInstaller): The agent allowed the process to run because it belongs to an installation package classified as goodware.

• 19 (EmbebedInformed): The agent sent internal operation information to the cloud to improve detection routines.

• 21 (SuspendProcess): The monitored process tried to suspend the antivirus service.

• 22 (ModifyDiskResource): The monitored process tried to modify a resource protected by the agent shield.

• 23 (ModifyRegistry): The monitored process tried to modify a registry key protected by the agent shield.

• 24 (RenameRegistry): The monitored process tried to rename a registry key protected by the agent shield.

• 25 (ModifyMarkFile): The monitored process tried to modify a file protected by the agent shield.

• 26 (UncertainAction): Error monitoring the process operation.

• 28 (AllowFGW): The agent allowed the operation performed by the monitored process because it is on the local goodware allowlist.

• 29 (AllowSWAuthorized): The agent allowed the operation performed by the monitored process because the administrator marked the file as authorized software.

• 30 (InformNewPE): The agent reported the appearance of a new file on the computer because the Drag and Drop feature is turned on in Cytomic Data Watch.

• 31 (ExploitAllowByAdmin): The agent allowed the operation performed by the monitored process because the network administrator excluded the exploit.

• 32 (IPBlocked): The agent blocked IPs to mitigate an RDP (Remote Desktop Protocol) attack.

• 33 (AllowSonMsiGW): The file was allowed to run because it is from a signed installer.

• 34 (IsolateHost): Isolated a computer through a command from the management console.

• 35 (RDPOff): Deisolated a computer that was isolated in response to an RDP attack.

• 36 (UNisolateHost): Deisolated a computer through a command from the management console.

• 37 (Allowed by Global Audit): The item was allowed because the security software is configured in Audit mode.

• 38 (AllowByConfig): se detectó un elemento pero no se bloqueó porque la tecnología asociada está en modo audit.

• 39 (AllowByZT): la tecnología local implementada en el software de seguridad que evita bloqueos innecesarios clasificó al elemento como goodware.

• 40 (UserLogOff): el usuario cerró la sesión.

actiontype

Indicates the session type:

• 0 (Login): Login on the client’s computer.

• 1 (Logout): Logout on the client’s computer.

• -1 (Unknown): Unable to determine session type.

administrators

Lista de usuarios que pueden gestionar el grupo sin necesidad de ser root. Disponible en sistemas operativos Linux.

advancedrulesconf

Cytomic EDR or Cytomic EPDR advanced security policy settings.

age

Date the file was last modified.

The computer date (in UTC format) at the time the event that triggered the indicator occurred on the client’s computer. Information regarding the time is included. To understand this field, see pandatimestatus.

allowedexecutor

Propietario del fichero en sistemas operativos Linux.

alprotocoldetected

Application level protocol detected in the connection or one of these values:

• 0 (NNS_AL_PROTOCOL_UNKNOWN): Could not determine the protocol.

• 1 (NNS_AL_PROTOCOL_PENDING): Analyzing the application protocol to determine the type.

alprotocolexpected

Application level protocol expected according to the connection port or one of these values:

• 0 (NNS_AL_PROTOCOL_UNKNOWN): Could not determine the protocol.

• 1 (NNS_AL_PROTOCOL_PENDING): Analyzing the application protocol to determine the type.

analysistime

Time spent analyzing the file.

analyzeerr

Code returned when the analysis of an item is complete.

• 0: The analysis completed successfully.

• 2147484170: The analysis ended with an error.

attackerDeviceId

Identifier of the device that connected to a computer protected by Endpoint Access Enforcement.

blockreason

Reason for the pop-up message displayed on the computer:

• 0: The file was blocked because it is unknown and the Cytomic EPDR or Cytomic EDR advanced protection mode is set to Hardening or Lock.

• 1: The file was blocked by local rules.

• 2: The file was blocked because the source is untrusted.

• 3: The file was blocked by a context rule.

• 4: The file was blocked because it is an exploit.

• 5: The file was blocked after asking the user to close the process.

• 6: Malware was blocked on a Linux/macOS computer.

bytesreceived

Total bytes received by the monitored process.

bytessent

Total bytes sent by the monitored process.

callstack

See childfilesize .

childattributes

Attributes of the child process:

• 0x0000000000000001 (ISINSTALLER): Self-extracting (SFX) file.

• 0x0000000000000002 (ISDRIVER): Driver-type file.

• 0x0000000000000008 (ISRESOURCESDLL): Resource DLL-type file.

• 0x0000000000000010 (EXTERNAL): File from outside the computer.

• 0x0000000000000020 (ISFRESHUNK): File recently added to the Cytomic knowledge base.

• 0x0000000000000040 (ISDISSINFECTABLE): File for which there is a recommended disinfection action.

• 0x0000000000000080 (DETEVENT_DISCARD): The event-based context detection technology did not detect anything suspicious.

• 0x0000000000000100 (WAITED_FOR_VINDEX): Execution of a file whose creation had not been registered.

• 0x0000000000000200 (ISACTIONSEND): The local technologies did not detect malware in the file and it was sent to Cytomic for classification.

• 0x0000000000000400 (ISLANSHARED): File stored on a network drive.

• 0x0000000000000800 (USERALLOWUNK): File with permission to import unknown DLLs.

• 0x0000000000001000 (ISSESIONREMOTE): Event that originated from a remote session.

• 0x0000000000002000 (LOADLIB_TIMEOUT): The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

• 0x0000000000004000 (ISPE): Executable file.

• 0x0000000000008000 (ISNOPE): Non-executable file.

• 0x0000000000020000 (NOSHELL): The agent did not detect the execution of a shell command on the system.

• 0x0000000000080000 (ISNETNATIVE): NET Native file.

• 0x0000000000100000 (ISSERIALIZER): Serializer file.

• 0x0000000000200000 (PANDEX): File included in the list of processes created by Cytomic Patch.

• 0x0000000000400000 (SONOFGWINSTALLER): File created by an installer classified as goodware.

• 0x0000000000800000 (PROCESS_EXCLUDED): File not scanned because of the Cytomic Orion exclusions.

• 0x0000000001000000 (INTERCEPTION_TXF): The intercepted operation was originated by an executable whose image on the disk is being modified.

• 0x0000000002000000 (HASMACROS): Microsoft Office document with macros.

• 0x0000000008000000 (ISPEARM): Executable file for ARM microprocessors.

• 0x0000000010000000 (ISDYNFILTERED): The file was allowed on the computer because there are no technologies to classify it.

• 0x0000000020000000 (ISDISINFECTED): The file was disinfected.

• 0x0000000040000000 (PROCESSLOST): The operation was not logged.

• 0x0000000080000000 (OPERATION_LOST): Operation with a pre-scan report for which the post-scan report has not been received yet.

• 0x0000000100000000 - (ISINTERACTIVE): determina si el fichero se ejecuto de forma interactiva.

0x0000002000000000 (SAFE_BOOT_MODE): The computer started in Safe Mode.

• 0x0000004000000000 (PANDA_SIGNED): File signed by Panda Security.

childattmask

childblake

Blake2 signature of the child file.

childclassification

Classification of the child process that performed the logged action.

• 0 (Unknown): File in the process of classification.

• 1 (Goodware): File classified as goodware.

• 2 (Malware): File classified as malware.

• 3 (Suspect): The file is in the process of classification and it is highly likely to be malware.

• 4 (Compromised): Process compromised by an exploit attack.

• 5 (GWNotConfirmed): The file is in the process of classification and it is highly likely to be malware.

• 6 (Pup): File classified as an unwanted program.

• 7 (GwUnwanted): Equivalent to PUP.

• 8 (GwRanked): Process classified as goodware.

• -1 (Unknown)

childdrive

Tipo de unidad donde se registró la operación:

• 0: unidad desconocida

• 1: unidad que existe, pero cuya ruta raíz no es válida. Ocurre al intentar acceder a una unidad que no está montada o con problemas de formato.

• 2: unidad que se puede extraer del equipo (memoria USB, tarjeta SD o disquete).

• 3: unidad que no se puede quitar fácilmente (disco duro interno HDD o SSD).

• 4: unidad de red conectada a través de la red (recurso compartido, carpeta de red o un servidor de archivos).

• 5: unidad de CD-ROM, DVD o Blu-ray.

• 6: unidad virtual creada en la memoria RAM del sistema.

childfilename

childfileowner

Owner of the run file.

childfilesize

Size of the child file logged by the agent.

childfiletime

Date of the child file logged by the agent.

childfirstseen

Date the file was first seen.

childmd5

Child file hash.

childpath

Path of the child file that performed the logged operation.

ChildPID

Child process ID.

childsha256

SHA256 signature of the child process that performed the operation.

childstatus

Child process status.

• 0 (StatusOk): Status OK.

• 1 (NotFound): Item not found.

• 2 (UnexpectedError): Unknown error.

• 3 (StaticFiltered): File identified as malware using static information contained in the Cytomic EDR or Cytomic EPDR protection.

• 4 (DynamicFiltered): File identified as malware using local technology implemented in Cytomic EDR or Cytomic EPDR.

• 5 (FileIsTooBig): File too big.

• 6 (PEUploadNotAllowed): File send was disabled.

• 11 (FileWasUploaded): File sent to the cloud for analysis.

• 12 (FiletypeFiltered): Resource DLL, NET Native, or Serializer-type file.

• 13 (NotUploadGWLocal): Goodware file not saved to the cloud.

• 14 (NotUploadMWdisinfect): Disinfected malware file not saved to the cloud.

childfileowner

Cuenta de usuario propietaria del fichero ejecutado.

childurl

File download URL.

ciphertype

Scan of the SSL/TLS protocol and its HTTPS characteristics (for example TLS_RSA_WITH_AES_128_GCM_SHA256).

classname

Type of device where the process resides. It corresponds to the class specified in the .INF file associated with the device.

commandline

eventtype 65 (Users)

Programa que se ejecuta al iniciar sesión, generalmente un intérprete de comandos (por ejemplo, /bin/bash) en sistemas operativos Linux.

eventtype 66(SysOps)

Linea de comandos que ejecuta la tarea en sistemas operativos Linux.

eventtype 68 (XDG)

Linea de comandos que se ejecuta cuando el fichero .desktop es interpretado en sistemas operativos Linux.

eventtype 69 (Udev)

Comando o script que se ejecuta cuando se activa la regla udev al conectar / desconectar un dispositivo.

eventtype 1 (ProcessOps)

eventtype 31 (ScriptOps)

eventtype 45 (SystemOps)

eventtype 99 (Action)

eventtype 199 (HiddenAction)

Línea de comandos configurada como tarea para ser ejecutada a través de WMI en sistemas operativos Windows.

confadvancedrules

See advancedrulesconf.

configservicelevel

Agent execution mode configuration. This can be temporarily different from the execution mode in progress.

See servicelevel

configstring

See extendedinfo.

connectionstate

Connection status notified.

• 0 (E_NNS_CONNECTION_STATE_UNKNOWN): Unknown connection status.

• 1 (E_NNS_CONNECTION_STATE_ESTABLISHED): Connection established.

• 2 (E_NNS_CONNECTION_STATE_FAILED): Failed connection attempt.

• 3 (E_NNS_CONNECTION_STATE_DENIED_BY_FW): Connection denied by the firewall or other security software technology.

contentencoding

Encoding used in the content of the HTTP connection.

See https://www.iana.org/assignments/http-parameters/http-parameters.xml.

copy

Name of the service that triggered the event.

datacontanier

Unique name of the object within the WMI hierarchy.

The computer date (in UTC format) at the time the logged event occurred on the client’s computer. No information regarding the time is included. To understand this field, see pandatimestatus.

The computer date (in UTC format) at the time the logged event occurred on the client’s computer. Information regarding the time is included. To understand this field, see pandatimestatus.

description

See extendedinfo.

destinationip

IP address of the target computer in a network connection scanned by Network Attack Protection.

destinationport

Port of the target computer in a network connection scanned by Network Attack Protection.

details

Summary in the form of a group of relevant fields from the event.

eventtype 1 (ProcessOps)

Contains the commandline field.

eventtype 14 (Download)

Contains the url field.

eventtype 22 (NetworkOps)

Contains the direction, ipv4status, protocol, and remoteport fields.

eventtype 27 (RegistryOps)

Contains the valuedata field.

eventtype 31 (ScriptLaunch)

Contains the commandline field.

eventtype 46 (DnsOps)

Contains the domainlist field.

eventtype 47 (DeviceOps)

Contains the devicetype field.

eventtype 50 (UserNotification)

Contains the parentfilename field.

eventtype 52 (LoginOutOp)

Contains the eventtype, sessiontype, loggeduser, remotemachinename, and remoteip fields.

eventtype 99 (RemediationOps)

Contains the remoteip, remotemachinename, commandline, and detectionid fields.

eventtype 555 (IOA)

Contains the extendedinfo field.

detectionid

eventtype 1(ProcessOps) y operation=43 (Heuhooks) y winningtech=14(AntiExploit) y detectionid<=65

Nombre de la API o del grupo de APIs de Windows ejecutada por el proceso.

• 0: Unknown

• 1: GetNativeSystemInfo

• 2: GetTcpTable2

• 3: CredEnumerate

• 4: ConvertSidToStringSid

• 5: RtlGetNtProductType

• 6: RtlGetVersion

• 7: GetKeyState

• 9: SetWindowsHookEx

• 10: SystemNetworkConfigurationDiscovery

• 11: FindNextFile

• 12: GetLogicalDriveStrings

• 13: GetComputerNameEx

• 14: GetDriveType

• 15: NetUserGetGroups

• 16: NetUserGetLocalGroups

• 17: GetUserNameEx

• 18: AdjustTokenPrivileges

• 19: GetAsyncKeyState

• 20: CreateProcessWithToken

• 21: CreateToolhelp32Snapshot

• 22: CryptUnprotectData

• 23: GetKeyboardLayout

• 24: WindowDiscovery

• 25: RpcStringBindingCompose

• 26: Icmp6CreateFile

• 27: Icmp6ParseReplies

• 28: Icmp6SendEcho2

• 29: IcmpCloseHandle

• 30: IcmpCreateFile

• 31: IcmpParseReplies

• 32: IcmpSendEcho

• 33: IcmpSendEcho2

• 34: IcmpSendEcho2Ex

• 35: ProcessInjection

• 36: RpcServerListen

• 37: TokenImpersonationTheft

• 38: CreateProcessWithPolicy

• 39: OpenProcessLsass

• 40: LoadResource

• 41: ThreadHijacking

• 42: NetUserEnum

• 43: OperationNamedPipe

• 44: StartService

• 45: InternalDefacement

• 46: CreateFile_Drive

• 47: GetLocaleInfo

• 48: TimeBasedEvasion

• 49: ServiceStop

• 50: SystemServiceDiscovery

• 51: WindowsService

• 52: RemoteSystemDiscovery

• 53: SystemLanguageDiscovery

• 54: NetworkShareDiscovery

• 55: ShowWindow

• 56: DebuggerEvasion

Resto de casos

Name of the malware or attack detected.

deviceid

See attackerDeviceId.

devicetype

Type of drive where the process or file that triggered the operation resides.

• 0 (UNKNOWN): Unknown.

• 1 (CD_DVD): CD or DVD drive.

• 2 (USB_STORAGE): USB storage device.

• 3 (IMAGE): Image file.

• 4 (BLUETOOTH): Bluetooth device.

• 5 (MODEM): Modem.

• 6 (USB_PRINTER): USB printer.

• 7 (PHONE): Mobile phone.

• 8 (KEYBOARD): Keyboard.

• 9 (HID): Mouse.

direction

eventtype 22 (NetworkOps):

Network connection direction.

• 0 (UnKnown): Unknown.

• 1 (Incoming): Connection established from outside the network to a computer on the client’s network.

• 2 (Outgoing): Connection established from a computer on the client’s network to a computer outside the network.

• 3 (Bidirectional): Bidirectional.

eventtype 99 (RemediationOps) - napdirection

Network connection direction.

• 0 (UnKnown): Unknown.

• 1 (Incoming): Connection established from outside the network to a computer on the client’s network.

• 2 (Outgoing): Connection established from a computer on the client’s network to a computer outside the network.

• 3 (Bidirectional): Bidirectional.

domainlist

See list.

entropy

Entropy of the POST message content to classify the likelihood of data theft and extraction.

entropia

See entropy.

environment

Muestra los pares clave / valor de las variables de entorno establecidas en la regla udev. Disponible en sistemas operativos Linux.

errorcode

Error code returned by the operating system when there is a failed login attempt.

• 3221225572 (Invalid username): el nombre de usuario no existe.

• 3221225566 (Login server is unavailable): el servidor necesario para validar el inicio de sesión no está disponible.

• 3221225578 (Invalid password): el usuario es correcto pero la contraseña es incorrecta.

• 3221225581 (Invalid username or authentication info): el usuario o la información de autenticación es errónea.

• 3221225582 (Invalid username or password): nombre desconocido o contraseña errónea.

• 3221226036 (Account blocked): acceso bloqueado.

• 3221225586 (Account disabled):cuenta deshabilitada.

• 3221225583 (User account day restriction): intento de inicio de sesión en horario restringido.

• 3221225584 (Invalid workstation for login): intento de inicio de sesión desde un equipo no autorizado.

• 3221225692 (Sam server is invalid): error en el servidor de validación. No se puede realizar la operación.

• 3221225875 (Account expired): cuenta caducada.

• 3221225585 (Password expired): contraseña caducada.

• 3221225679 (Clock difference is too big): los relojes de los equipos conectados tienen un desfase demasiado grande.

• 3221225920 (Password change required on reboot): requiere que el usuario cambie la contraseña en el siguiente reinicio.

• 3221225921 (Windows error (no risk)): error de Windows que no implica riesgo.

• 3221225868 (Domains trust failed): la solicitud de inicio de sesión falló porque la relación de confianza entre el dominio primario y el dominio confiable falló.

• 3221225874 (Netlogon not initialized): intento de inicio de sesión, pero el servicio Netlogon no inicia.

• 3221226222 (Session start error): error durante el inicio de sesión.

• 3221226515 (Firewall protected): el equipo en el que se está iniciando sesión está protegido por un firewall de autenticación. La cuenta especificada no puede autenticarse en el equipo.

• 3221225919 (Invalid permission): el usuario no tiene permisos para ese tipo de inicio de sesión.

• 2148074277 (Invalid certificate): el certificado fue emitido por una entidad en la que no se confía.

errorevent

See extendedinfo.

errorstring

See extendedinfo.

eventtype

Event type logged by the agent.

• 0 (SvcStatus): el software de protección envía un evento cada vez que el equipo de usuario cambia su estado (machinestartmode y machinestate), y de forma automática cada 6 horas.

• 1 (ProcessOps): The process performed operations on the computer hard disk.

• 14 (Download): The process downloaded data.

• 15 HostsFileModification: The process modified the Hosts file on Windows systems.

• 22 (NetworkOps): The process performed network operations.

• 25 EventNotBlocked: The item was not blocked because the computer was starting up.

• 26 (DataAccess): The process accessed data files hosted on internal mass-storage devices.

• 27 (RegistryOps): The process accessed the Windows Registry.

• 30 (ScriptOps): Operation performed by a script-type process.

• 31 (ScriptOps): Operation performed by a script-type process.

• 40 (Detection): Detection made by Cytomic EDR active protections.

• 42 (BandwidthUsage): Volume of information handled in each data transfer operation performed by the process.

• 45 (SystemOps): Operation performed by the Windows operating system WMI engine.

• 46 (DnsOps): The process accessed the DNS name server.

• 47 (DeviceOps): The process accessed an external device.

• 50 (UserNotification): Notification displayed to the user and response (if any).

• 52 (LoginOutOps): Login or logout operation performed by the user.

• 65 (Users): operación que crea, modifica o borra cuentas de usuario en sistemas operativos Linux.

• 66 (SysOps): operación que modifica la configuración del sistema operativo Linux.

• 67 (SVC): operación que crea o modifica servicios en equipos con sistema operativo Linux.

• 68 (XDG): operación que modifica el sistema de inicio de aplicaciones cuando se lanza un entorno gráfico en equipos con sistema operativo Linux (XDG Autostart).

• 69 (Udev): operación que modifica la configuración que los sistemas operativos Linux utilizan para crear dispositivos lógicos cuando se conecta un hardware nuevo al equipo (udev rules).

• 99 (RemediationOps): Detection, blocking, and disinfection events from the Cytomic EDR or Cytomic EPDR agent.

• 100 (HeaderEvent): Administrative event with information about the protection software settings and version, as well as computer and client information.

• 199 (HiddenAction): Detection event that did not trigger an alert.

Comando que reinicia el servicio en sistemas operativos Linux.

execstart

Comando que inicia el servicio en sistemas operativos Linux.

Comando que se ejecuta antes de iniciar el servicio en sistemas operativos Linux.

Comando que se ejecuta después de iniciar el servicio en sistemas operativos Linux.

Comando que detiene el servicio en sistemas operativos Linux.

Comando que detiene el servicio en sistemas operativos Linux.

executinggroup

Especifica el grupo que se utilizará para ejecutar el proceso registrado en el evento. disponible en sistemas operativos Linux.

executinguser

Especifica el usuario que se utilizará para ejecutar el proceso registrado en el evento. Disponible en sistemas operativos Linux.

exploitorigin

Origin of the process exploit attempt.

• 1 (URL): URL address.

• 2 (FILE): File.

extendedinfo

eventtype 0 (SvcStatus):

Estado en el que se encuentra el agente del producto de seguridad:

• Running: el agente se está ejecutando.

• Starting Agent: el agente del software de seguridad se está iniciando.

• Stopping Agent: el agente del software de seguridad se está deteniendo.

eventtype 1 (ProcessOps) - errorstrings:

Character string with debug information on the security product settings.

When the operation field of an event is set to DirCreate, CMOpened, or CMPCreat, the errorstring field acts as an event grouping counter:

In any one-hour period, the first 50 events are logged individually. After the limit of 50 events in one hour is reached, additional events of the same type are grouped together and not sent until the first event of the same type is logged in a new hour period. At this point, the grouped event is sent with the errorstring field including both the grouped events and the first 50 events, and the counter is reset.

eventtype 26 (DataAccess):

• Version of the MVMF.xml file in use (M0, M1, M2, etc.)

eventtype 27 (RegistryOps):

• Version of the PSNMVMF.dat file in use (M0, M1, M2, etc.)

eventtype 40 (Detection) - infodiscard:

Quarantine file internal information.

eventtype 45 (SystemOps):

Additional information about Type events:

• 1 (Active script event creation): Name and path of the run script.

• 6 (Add user group): Group SID.

• 7 (Delete user group): Group SID.

• 8 (User group admin): Group SID.

• 9 (User group rdp): Group SID.

• 14 (Login attemp): Logon Process field of the Windows event viewer.

• 15 (Scheduler tasks): String with details of the task created (LogonProcess, LogonType, LogonAuthType, TaskOperationType).

• 16 (Special privileges): LogonType field of the Windows event viewer.

• 18 (WFP filter operation): Filter name.

eventtype 47 (DeviceOps) - description

• Description of the USB device type that performed the operation.

eventtype 61 (ErrorEvents):

• Raw content of the malformed event when it cannot be parsed.

eventtype 99 (RemediationOps) - remediationdata:

Cadena de caracteres con los siguientes campos separados por *:

• Path: Path and name of the process ended by the security software or sent to quarantine.

• InfoDiscard: Quarantine file internal information.

eventtype 555 (IOA):

Details of the processes that generated the IOA.

failedqueries

Number of failed DNS resolution requests sent by the process in the last hour.

fingerprint

JSON en base64 con los fingerprints detectados en la conexión TLS:

• FingerprintsCount: número de secuencia del fingerprint.

• signatureType: tipo de fingerprint:

• 0 - JA4 (cliente)

• 1 - JA4S (servidor)

• fingerprint: huella digital que identifica al cliente o servidor que participa en la conexión TLS.

firstseen

See childfirstseen

friendlyname

An easily readable device name.

guidrule

See ruleid.

groupid

Identificador de grupo al que pertenece la cuenta de usuario involucrada en el evento en sistemas operativos Linux. Si es 0, el grupo es root.

groupmembers

Lista de usuarios separados por coma que pertenecen al grupo en sistemas operativos Linux.

headerhttp

HTTP header dump when the security software detects communications that use HTTP tunnels.

This field shows information only if the security software Audit mode is enabled.

hostname

See remotemachinename

huntingruleid

See ruleid.

huntingrulemitre

TTPs associated with the hunting rule.

huntingrulemode

Indicates whether the rule is enabled in the Threat Engine to generate indicators.

huntingrulename

Nombre de la regla del Radar de ciberataques que detectó el indicio.

huntingruleseverity

Severity of the impact of the indicator generated by the hunting rule:

• 0: Not set.

• 1: Critical.

• 2: High.

• 3: Medium.

• 4: Low.

• 1000: Unknown.

huntingruletype

Type of hunting rule.

• 1: Rule run in the Threat Engine.

• 2: RDP attack detection rule.

• 3: IOC applied retrospectively to the stored telemetry.

• 4: IOC applied to the telemetry flow in real time.

• 5: Rule run on the user computer.

idname

Device name.

importprogram

Contenido de las variables que importa la regla udev desde un fichero externo en sistemas operativos Linux.

indicatortimestamp

See ioatimestamp.

infodiscard

See extendedinfo.

initialdomain

See url.

insertiondatetime

Date in UTC format at the time the Cytomic Orion servers logged the event sent by the computer. This date is always later than the other dates because the events are queued to be processed.

interactive

Indicates whether the login is an interactive login.

IOAId

IOAIds

When a sequence of events follows a pattern described in the MITRE matrix, Cytomic Orion creates an indicator (IOA) and adds the indicator ID to all the events related to it.

ioatimestamp

Date UTC en formato epoch (número de segundos transcurridos desde el 1 de enero de 1970) del momento en que se produjo el último evento que desencadenó la creación del indicio.

ipv4status

IP address type:

• 0 (Private)

• 1 (Public)

isdenied

Indicates whether the reported action was denied.

islocal

Indicates whether the task was created on the local computer or on a remote computer.

islocalipv6

Indicates whether the IP address is IPv6 or IPv4.

isremoteipv6

Indicates whether the IP address is IPv6 or IPv4.

issessioninteractive

See interactive.

key

Affected registry branch or key.

lastquery

Last query sent to the cloud by the Cytomic EDR or Cytomic EPDR agent.

list

eventtype 46 (DnsOps) - DomainList:

• List of domains sent by the process to the DNS server for resolution and number of resolutions per domain, with the format {domain_name,number#domain_name,number}.

eventtype 99 (RemediationOps) - url:

• List of 10 URLs obtained from the process monitor in the event of the detection of an exploit.

localdatetime

The computer date (in UTC format) at the time the logged event occurred. This date depends on the computer settings. As a result, it can be incorrect.

localip

eventtype 22 (NetworkOps) - localip

Contains the IP address of the computer on which the event was logged, regardless of the connection direction (direction field). See remoteip and direction.

eventtype 99 (RemediationOps) - naporiginip:

IP address of the source computer in a network connection scanned by Network Attack Protection.

localport

eventtype 22 (NetworkOps) - localport

Contains the port of the computer on which the event was logged or of the other end of the connection depending on the direction field:

• direction = 1 (inbound connection). This contains the port of the other end of the connection.

• direction = 2 (outbound connection). This contains the port of the computer on which the event is logged.

See direction.

eventtype 99 (RemediationOps) - naporiginport:

Port of the source computer in a network connection scanned by Network Attack Protection.

loggeduser

The user that was logged in to the computer at the time the event was generated.

machinename

Name of the computer that ran the process.

machinestartmode

Modo de inicio del equipo:

• 0 (Normal): el equipo se inició de forma normal.

• 1 (FailSafe): el equipo se inició en modo seguro.

• 2 (FailSafeWithNetwork): el equipo se inició en modo seguro con funciones de red.

machinestate

Estado del equipo:

• 0 (None): el equipo se ejecuta de forma normal.

• 1 (SystemShutdown): el equipo se esta apagando.

• 2 (SystemBoot): el equipo se está iniciando.

• 3 (Sleep): el equipo entró en modo suspendido.

• 4 (ResumeFromSleep): el equipo salió del modo suspendido.

• 5 (Hibernate): el equipo entró en modo hibernación.

• 6 (ResumeFromHibernate): el equipo salió del modo hibernación.

manufacturer

Device manufacturer.

method

HTTP connection method when the security software detects communications that use HTTP tunnels.

• 1 - GET

• 2 - POST

This field shows information only if the security software Audit mode is enabled.

MUID

Internal ID of the client’s computer.

napattack

Network attack direction.

• 1: The naporiginip and naporiginport fields contain the IP address and port of the attacking computer.

• 2: The napdestinationip and napdestinationport fields contain the IP address and port of the attacking computer.

napdestinationip

See destinationip.

napdestinationport

See destinationport.

napdirection

See direction.

napoccurrences

naporiginip

See localip.

naporiginport

See localport

nodisplay

Indica si el archivo .desktop está oculto o visible en el sistema XDG Autostart (no afecta a su ejecución).

notificationtype

Internal use.

numcacheclassifiedelements

Number of items whose classification is cached in the security software.

objectname

See datacontanier.

occurrences

Number of grouped indicators. See Indicator Grouping

opstatus

• 0: Send to the Advanced Reporting Tool.

• 2: Do not send to the Advanced Reporting Tool.

opentstamp

Date of the WMI notification for WMI_CREATEPROC (54) events.

opentstamp

operation

Type of operation performed by the process.

eventtype 1 (ProcessOps)

Operación genérica con elementos del sistema operativo.

• 0 (CreateProc): Process created.

• 1 (PECreat): Executable program created.

• 2 (PEModif): Executable program modified.

• 3 (LibraryLoad): Library loaded.

• 4 (SvcInst): Service installed.

• 5 (PEMapWrite): Executable program mapped for write access.

• 6 (PEDelet): Executable program deleted.

• 7 (PERenam): Executable program renamed.

• 8 (DirCreate): Folder created.

• 9 (CMPCreat): Compressed file created.

• 10 (CMOpened): Compressed file opened.

• 11 (RegKExeCreat): A registry branch that points to an executable file was created.

• 12 (RegKExeModif): A registry branch was modified, which now points to an executable file.

• 15 (PENeverSeen): Executable program never seen before by Cytomic Orion.

• 17 (RemoteThreadCreated): Remote thread created.

• 18 (ProcessKilled): Process killed.

• 25 (SamAccess): Access to the computer SAM.

• 30 (ExploitSniffer): Sniffing exploit technique detected.

• 31 (ExploitWSAStartup): WSAStartup exploit technique detected.

• 32 (ExploitInternetReadFile): InternetReadFile exploit technique detected.

• 34 (ExploitCMD): CMD exploit technique detected.

• 38 (EndProcess): A process that was not classified as goodware ended its execution.

• 39 (Load16bitsFilesByNtvm.exe): 16-bit file loaded by ntvdm.exe.

• 43 (Heuhooks): Anti-exploit technology detected.

• 54 (Create process by WMI): Process created by a modified WMI.

• 55 (AttackProduct): Attack detected on the agent service, a file, or registry key.

• 61 (OpenProcess LSASS): LSASS process opened.

• 89 (LoadDrvVulnerable): A process loaded a vulnerable driver after the operating system started up.

• 200 (MitreReadComplete): MITRE event that indicates a file was read.

• 201 (MitreCreateFile): MITRE event that indicates a file was created.

• 202 (MitreModifyFile): MITRE event that indicates a file was modified.

• 207 (LoadDriver): MITRE event that indicates a driver was loaded.

• 208 (NopeDelete): MITRE event that indicates a non-executable file was deleted.

• 210 (DirDelete): MITRE event that indicates a folder was deleted.

eventtype 26 (DataAccess)

Tipo de operación ejecutada sobre el fichero

• 0 (OpenFile): abre un fichero de datos.

• 1(CreateFile): crea un nuevo fichero de datos.

• 2 (ModifyFile): modifica un fichero de datos.

• 3 (DeleteFile): borra un fichero de datos.

• 255 (EventTypeLast):

eventtype 45 (SystemOps)

Type of WMI operation performed by the process.

• 0 (Command line event creation): WMI launched a command line in response to a change in the database.

• 1 (Active script event creation): A script was run in response to receiving an event.

• 2 (Event consumer to filter consumer): This event is generated whenever a process subscribes to receive notifications. The name of the created filter is received.

• 3 (Event consumer to filter query): This event is generated whenever a process subscribes to receive notifications. The query run by the process to subscribe is received.

• 4 (Create User): A user account was added to the operating system.

• 5 (Delete User): A user account was deleted from the operating system.

• 6 (Add user group): A group was added to the operating system.

• 7 (Delete user group): se borra un grupo del sistema operativo.

• 8 (User group admin): A user was added to the admin group.

• 9 (User group rdp): A user was added to the RDP group.

• 13 (WMI query): WMI query on the computer.

• 14 (Login attemp): Attempt to login on another computer.

• 15 (Scheduler tasks): Operation is logged in the task scheduler.

• 16 (Special privileges): Escalation of privileges on login.
  

• 17 (AMSI buffer scan request): AMSI scan request for a buffer containing a script.

• 18 (WFP filter operation): A WFP (Windows Filtering Platform) filter was created or deleted.

• 19 CMD: A command was run from the cmd.exe command line interpreter.

eventtype 65 (Users)

Tipo de operación con las cuentas de usuario en sistemas operativos Linux.

• 0 (User creation): crea un usuario.

• 1 (User modification): modifica un usuario.

• 2 (User deletion): borra un usuario.

eventtype 66 (SysOps)

Tipo de modificación en la configuración de sistemas operativos Linux.

• 0 (Deleting Command History): borra el histórico de la linea de comandos.

• 1 (Deleting System Logs): borra los logs del sistema.

• 2 (Creating an ssh key): crea una clave ssh.

• 3 (Modifying the ssh key): modifica una clave ssh.

• 4 (Deleting the ssh key): borra una clave ssh.

• 5 (Creating User Password Policy): crea una política para definir las contraseñas de las cuentas de usuario.

• 6 (Modifying User Password Policy): modifica una política para definir las contraseñas de las cuentas de usuario.

• 7 (Deleting User Password Policy): borra una política para definir las contraseñas de las cuentas de usuario.

• 8 (Creating a timer): crea un temporizador.

• 9 (Timer Modification): modifica un temporizador.

• 10 (Timer Removal): borra un temporizador.

• 11 (Creating a Generator (Timer)): crea un script en /etc/systemd/system-generators/ que crea una unidad .timer.

• 12 (Modifying Generator (Timer)): modifica un script en /etc/systemd/system-generators/ que crea una unidad .timer.

• 13 (Deleting Generator (Timer)): borra un script en /etc/systemd/system-generators/ que crea una unidad .timer.

• 14 (Creating a cron task): crea una tarea que se lanza desde el cron.

• 15 (Modifying cron task): modifica una tarea que se lanza desde el cron.

• 16 (Deleting cron task): borra una tarea que se lanza desde el cron.

• 17 (At task Creation): crea una tarea que se lanza con At.

• 18 (At task Modification): modifica una tarea que se lanza con At.

• 19 (At task Deletion): borra una tarea que se lanza con At.

• 20 (Group Creation): crea un grupo.

• 21 (Group Modification): modifica un grupo.

• 22 (Group Deletion): borra un grupo.

• 23 (Creating User Permissions): asigna permisos de usuario a un fichero o carpeta.

• 24 (Modifying permissions in the user): modifica permisos de usuario de un fichero o carpeta.

• 25 (Deleting Permissions on User): borra permisos de usuario de un fichero o carpeta.

• 26 (Creating Permissions in a Group): asigna permisos de grupo a un fichero o carpeta.

• 27 (Modifying Permissions in a Group): modifica permisos de grupo a un fichero o carpeta.

• 28 (Deleting Permissions in a Group): borra permisos de grupo a un fichero o carpeta.

• 29 (Creating Group Password Policy): crea una política de grupo para definir las contraseñas de las cuentas de usuario.

• 30 (Modifying Group Password Policy): modifica una política de grupo para definir las contraseñas de las cuentas de usuario.

• 31 (Deleting Group Password Policy): borra una política de grupo para definir las contraseñas de las cuentas de usuario.

eventtype 67 (SVC)

Tipo de operación que crea, modifica o borra un servicio en sistemas operativos Linux.

• 0 (Service Creation): crea un servicio.

• 1 (Service Modification): modifica un servicio.

• 2 (Generator Creation): crea un script en /etc/systemd/system-generators/ que crea una unidad .service.

• 3 (Generator Modification): modifica un script en /etc/systemd/system-generators/ que crea una unidad .service.

• 4 (Generator Removal): borra un script en /etc/systemd/system-generators/ que crea una unidad .service.

eventtype 68 (XDG)

Tipo de operación que modifica el inicio automático de aplicaciones al arrancar el sistema de ventanas en sistemas operativos Linux.

• 0 (Creation XDG Autostart): crea un inicio automático de una aplicación mediante XDG Autostart.

• 1 (Modification XDG Autostart): modifica el inicio automático de una aplicación mediante XDG Autostart.

• 2 (Deletion XDG Autostart): borra el inicio automático de una aplicación mediante XDG Autostart.

eventtype 69 (Udev)

Tipo de operación que crea una regla udev para modificar el comportamiento del sistema operativo cuando se conecta un dispositivo hardware nuevo al equipo.

• 0 (Creation Udev Rule): crea una regla Udev.

• 1 (Modification Udev Rule): modifica una regla Udev.

• 2 (Deletion Udev Rule): borra una regla Udev.

Operationflags/ integrityLevel

eventtype 1 (ProcessOps) - operationflags

Indicates the integrity level assigned by Windows to the item. Go to https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control.

• 0X0000 Untrusted level

• 0x1000 Low integrity level

• 0x2000 Medium integrity level

• 0x3000 High integrity level

• 0x4000 System integrity level

• 0x5000 Protected

eventtype 22 (NetworkOps) - SocketOpFlags

Specifies the grouping algorithm used to minimize the logging of network connections with identical source and destination IP addresses and ports. Grouping occurs over time periods. Only one connection from the group is logged when the period ends. The time period varies depending on the number of connections logged:

• 0x00000001 (Flag realtime): This indicates that the event was logged in real time. This applies only to events that are not grouped.

• 0x00000002 (Standard grouping): 15 minutes

• 0x00000004 (L1 grouping): 500 connections 2 hours

• 0x00000008 (L2 grouping): 1000 connections 6 hours

• 0x000000010 (L3 grouping): 5000 connections 12 hours

• 0x000000020 (L4 grouping): 10000 connections 24 hours

When the specified number of connections is logged at the current grouping level, the grouping level increases. Every hour the number of logged connections is re-evaluated to lower the grouping level, if required.

operationmonitoredopen

See operation.

operationstatus

See opstatus.

operationsvc

See operation.

operationsysops

See operation.

operationudev

See operation.

operationusers

See operation.

operationxdg

See operation.

opstatus

Indicates whether the event must be sent to the Cytomic Insights:

• 0: Send.

• 1: Filtered by the agent.

• 2: Do not send.

origusername

User of the computer which performed the operation.

pandaalertid

Internal ID of the indicator.

pandaid

See accountid.

pandatimestatus

Indicates the algorithm used to calculate the dates in the Date, DateTime, and TimeStamp fields:

• 0 (Version not supported): The computer does not support synchronization of its time settings to Cytomic settings.

• 1: (Recalculated Panda Time): The computer has fixed and synced the computer’s time settings to Cytomic settings.

• 2: (Panda Time OK): The computer time settings are correct.

• 3: (Panda Time calculation error): Error fixing the computer time settings.

parentattributes

Attributes of the parent process.

• 0x0000000000000001 (ISINSTALLER): Self-extracting (SFX) file.

• 0x0000000000000002 (ISDRIVER): Driver-type file.

• 0x0000000000000008 (ISRESOURCESDLL): Resource DLL-type file.

• 0x0000000000000010 (EXTERNAL): File from outside the computer.

• 0x0000000000000020 (ISFRESHUNK): File recently added to the Cytomic knowledge base.

• 0x0000000000000040 (ISDISSINFECTABLE): File for which there is a recommended disinfection action.

• 0x0000000000000080 (DETEVENT_DISCARD): The event-based context detection technology did not detect anything suspicious.

• 0x0000000000000100 (WAITED_FOR_VINDEX): Execution of a file whose creation had not been registered.

• 0x0000000000000200 (ISACTIONSEND): The local technologies did not detect malware in the file and it was sent to Cytomic for classification.

• 0x0000000000000400 (ISLANSHARED): File stored on a network drive.

• 0x0000000000000800 (USERALLOWUNK): File with permission to import unknown DLLs.

• 0x0000000000001000 (ISSESIONREMOTE): Event that originated from a remote session.

• 0x0000000000002000 (LOADLIB_TIMEOUT): The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

• 0x0000000000004000 (ISPE): Executable file.

• 0x0000000000008000 (ISNOPE): Non-executable file.

• 0x0000000000020000 (NOSHELL): The agent did not detect the execution of a shell command on the system.

• 0x0000000000080000 (ISNETNATIVE): NET Native file.

• 0x0000000000100000 (ISSERIALIZER): Serializer file.

• 0x0000000000200000 (PANDEX): File included in the list of processes created by Cytomic Patch.

• 0x0000000000400000 (SONOFGWINSTALLER): File created by an installer classified as goodware.

• 0x0000000000800000 (PROCESS_EXCLUDED): File not scanned because of the Cytomic Orion exclusions.

• 0x0000000001000000 (INTERCEPTION_TXF): The intercepted operation was originated by an executable whose image on the disk is being modified.

• 0x0000000002000000 (HASMACROS): Microsoft Office document with macros.

• 0x0000000008000000 (ISPEARM): Executable file for ARM microprocessors.

• 0x0000000010000000 (ISDYNFILTERED): The file was allowed on the computer because there are no technologies to classify it.

• 0x0000000020000000 (ISDISINFECTED): The file was disinfected.

• 0x0000000040000000 (PROCESSLOST): The operation was not logged.

• 0x0000000080000000 (OPERATION_LOST): Operation with a pre-scan report for which the post-scan report has not been received yet.

• 0x0000000100000000 - (ISINTERACTIVE): determina si el fichero se ejecuto de forma interactiva.

• 0x0000002000000000 (SAFE_BOOT_MODE): The computer started in Safe Mode.

• 0x0000004000000000 (PANDA_SIGNED): File signed by Panda Security.

parentattmask

parentblake

Blake2 signature of the parent file that performed the operation.

parentcount

Number of processes with DNS failures.

parentdrive

Tipo de unidad donde se registró la operación:

• 0: unidad desconocida

• 1: unidad que existe, pero cuya ruta raíz no es válida. Ocurre al intentar acceder a una unidad que no está montada o con problemas de formato.

• 2: unidad que se puede extraer del equipo (memoria USB, tarjeta SD o disquete).

• 3: unidad que no se puede quitar fácilmente (disco duro interno HDD o SSD).

• 4: unidad de red conectada a través de la red (recurso compartido, carpeta de red o un servidor de archivos).

• 5: unidad de CD-ROM, DVD o Blu-ray.

• 6: unidad virtual creada en la memoria RAM del sistema.

parentfilename

parentmd5

Parent file hash.

parentpath

Path of the parent file that performed the logged operation.

parentpid

Parent process ID.

parentstatus

• 0 (StatusOk): Status OK.

• 1 (NotFound): Item not found.

• 2 (UnexpectedError): Unknown error.

• 3 (StaticFiltered): File identified as malware using static information contained in the Cytomic EDR or Cytomic EPDR protection.

• 4 (DynamicFiltered): File identified as malware using local technology implemented in Cytomic EDR or Cytomic EPDR.

• 5 (FileIsTooBig): File too big.

• 6 (PEUploadNotAllowed): File send was disabled.

• 11 (FileWasUploaded): File sent to the cloud for analysis.

• 12 (FiletypeFiltered): Resource DLL, NET Native, or Serializer-type file.

• 13 (NotUploadGWLocal): Goodware file not saved to the cloud.

• 14 (NotUploadMWdisinfect): Disinfected malware file not saved to the cloud.

passwordstatus

Estado de la contraseña en sistemas operativos Linux.

• 0 (x): la contraseña está almacenada en /etc/shadow.

• 1(*): cuenta deshabilitada permanentemente.

• 2 (!): contraseña bloqueada temporalmente.

• 3 (vacío): sin contraseña, inicio de sesión sin autenticación. Solo en sistemas antiguos.

pecreationsource

Type of drive where the process was created:

• (0) : The device type cannot be determined.

• (1) : The device path is invalid. For example, the external storage media was extracted.

• (2) : Removable storage media.

• (3) : Internal storage media.

• (4) : Remote storage media (for example, a network drive).

• (5): CD-ROM drive.

• (6): RAM disk.

phonedescription

Phone description if the operation involved a device of this type.

pid

Identifier of the process that started the session.

processtreeid

Process tree ID.

protocol

Communications protocol used by the process.

• 6 (TCP)

• 12 (RDP)

• 17 (UDP)

proxyconnection

The connection is through a proxy.

querieddomaincount

See times.

realservicelevel

Current agent mode (this can be temporarily different from the mode assigned in the settings).

See servicelevel

redirection

HTTP redirection detected.

This field shows information only if the security software Audit mode is enabled.

registryaction

Type of operation performed on the Windows registry of the computer.

• 0 (CreateKey): A new registry branch was created.

• 1 (CreateValue): A value was assigned to a registry branch.

• 2 (ModifyValue): A registry branch value was modified.

• 3 (Query): lee a la vez una clave y un valor del registro.

• 4 (DeleteKey): borra una rama del registro.

• 5 (DeleteValue): borra un valor del registro.

remediationresult

User’s response to the pop-up message shown by Cytomic EPDR or Cytomic EDR.

• 0OK: The client accepted the message.

• 1 (Timeout): The pop-up message disappeared due to lack of action by the user.

• 2 (Angry): The user chose the option to not block the item from the pop-up message displayed.

• 3 (Block): The item was blocked because the user did not reply to the pop-up message.

• 4 (Allow): The user accepted the solution.

• -1 (Unknown)

remoteip

eventtype 1 (ProcessOps)

IP address of the remote computer that executed the action on the monitored computer.

eventtype 22 (Networkops)

Contains the IP address of the other end of the connection, regardless of the connection direction (direction field). See localip and direction.

eventtype 42 (BandwidthUsage)

IP address of the device the monitored computer connected to to download data.

eventtype 45 (SystemOps)

IP address of the device the monitored computer connected to execute a WMI request.

remotemachinename

eventtype 1 (ProcessOps)

Name of the remote computer that executed the action on the monitored computer.

eventtype 22 (Networkops) - hostname

Name of the remote computer.

eventtype 42 (BandwidthUsage)

Name of the device the monitored computer connected to to download data.

eventtype 45 (SystemOps)

Name of the device the monitored computer connected to execute a WMI request.

eventtype 99 (RemediationOps)

Nombre del equipo remoto que inicia la conexión monitorizada por Endpoint Access Enforcement.

remoteport

eventtype 22 (Networkops)

Contains the port of the computer on which the event was logged or of the other end of the connection depending on the direction field:

• direction = 1 (inbound connection). This contains the port of the computer on which the event was logged.

• direction = 2 (outbound connection). This contains the port of the other end of the connection.

See localport and direction.

eventtype 42 (BandwidthUsage)

Port of the device the monitored computer connected to to download data.

remoteusername

Name of the remote user that performed the operation on the monitored computer.

responseclassification

Process classification.

• 0 (Unknown): File in the process of classification.

• 1 (Goodware): File classified as goodware.

• 2 (Malware): File classified as malware.

• 3 (Suspect): The file is in the process of classification and it is highly likely to be malware.

• 4 (Compromised): Process compromised by an exploit attack.

• 5 (GWNotConfirmed): The file is in the process of classification and it is highly likely to be malware.

• 6 (Pup): File classified as an unwanted program.

• 7 (GwUnwanted): Equivalent to PUP.

• 8 (GwRanked): Process classified as goodware.

• -1 (Unknown)

risk

Status of the device that initiated the connection to the protected computer. This status caused the blocking or monitoring of the connection by the Endpoint Access Enforcement technology.

• 0 (E_NNS_MACHINE_PROTECTION_STATUS_UNKNOWN): The status of the protection on the connecting computer is unknown.

• 1 (E_NNS_MACHINE_PROTECTION_STATUS_PROTECTION_ENABLED): The status of the protection on the connecting computer is enabled.

• 2 (E_NNS_MACHINE_PROTECTION_STATUS_NON_MANAGED): The connecting computer does not have security software installed or the software is from another vendor.

• 3 (E_NNS_MACHINE_PROTECTION_STATUS_DIFFERENT_ACCOUNT): The connecting computer has compatible security software installed but it is managed by another account.

• 4 (E_NNS_MACHINE_PROTECTION_STATUS_PROTECTION_DISABLED): The connecting computer has compatible security software installed but it is disabled.

• 5 (E_NNS_MACHINE_PROTECTION_STATUS_RISK_MEDIUM): The risk level for the connecting computer is medium.

• 6 (E_NNS_MACHINE_PROTECTION_STATUS_RISK_HIGH): The risk level for the connecting computer is high.

• 7 (E_NNS_MACHINE_PROTECTION_STATUS_RISK_CRITICAL): The risk level for the connecting computer is critical.

riskdetected

See risk.

ruleid

eventtype 555 (IOA) - huntingruleid:

Nombre de la regla del Radar de ciberataques que detectó el indicio.

eventtype 22 (IOA) - ruleid:

Snort rule that detected communications that use HTTP tunnels. This field shows information only if the security software Audit mode is enabled.

runcommand

Indica el comando o script que se ejecuta cuando se activa la regla udev al conectar / desconectar un dispositivo. Disponible en sistemas operativos Linux.

servicelevel

Agent execution mode.

• 0 (Learning): The agent does not block any items but monitors all running processes.

• 1 (Hardening): The agent blocks all unclassified programs coming from an untrusted source, and items classified as malware.

• 2 (Block): The agent blocks all unclassified executables and items classified as malware.

• -1 (N/A)

serviceuser

Nombre de la cuenta de usuario utilizada para ejecutar el servicio en sistemas operativos Linux.

sessiondate

Date the antivirus service was last started or last time it was started since the last update.

sessionid

Session ID.

sessiontype

Login type:

• 0 (System Only): Session started with a system account.

• 2 (Local): Session created physically through a keyboard or through KVM over IP.

• 3 (Remote): Session created remotely in shared folders or printers. This login type uses secure authentication.

• 4 (Scheduled): Session created by the Windows task scheduler.

• 5 (Service): Session created when a service that needs to run in the user session is launched. The session is deleted when the service stops.

• 7 (Blocked): Session created when a user tries to join a previously blocked session.

• 8 (Remote Unsecure): Same as type 3 but the password is sent in plain text.

• 9 (RunAs): Session created when the “RunAs” command is used under an account other than the account used to log in, and the “/netonly” parameter is specified. If the “/netonly” parameter is not specified, a type 2 session is created.

• 10 (TsClient): Session created when accessing through “Terminal Service”, “Remote Desktop” or “Remote Assistance”. It identifies a remote user connection.

• 11 (Domain Cached): User session created with domain credentials cached on the machine, but with no connection to the domain controller.

• -1 (Unknown)

sha256

See childsha256.

shash

Alphanumeric character pattern followed by the hash of the child process.

socketopflags

telemetrytype

• 0: Normal telemetry. The event does not belong to an indicator that follows a pattern described in the MITRE matrix.

• 1: Resent event. The event was originally sent as a type 0 event (normal telemetry), but later it was detected that it belongs to an attack pattern described in the MITRE matrix. The event was resent with the TTPs and IOAIds fields completed.

• 2: Accumulated events: To save resources, part of the telemetry generated for the client is retained until the security software detects a MITRE attack pattern. Then, all accumulated events are sent.

threadid

Process thread ID.

timeout

The local scan took too long to complete and the process was delegated to other mechanisms that do not impact performance.

times

eventtype 22 (NetworkOps)

Number of repetitions of a connection created by the same process on the same path, with the same localIP, RemoteIP, and RemotePort.

eventtype 45 (SystemOps)

Number of WMI requests per table and process grouped in a one-hour period.

eventtype 46 (DnsOps) - querieddomaincount

Number of different domains sent by the process for which there was a DNS resolution failure in the last hour.

eventtype 99 (RemediationOps) - napocurrences

Number of times the same type of network attack targeting the same IP address has been logged in a one-hour period.

eventtype 99 (RemediationOps) - napocurrences, winningtech = 16, 17 o 18

Número de veces que se ha detectado el mismo tipo de política de seguridad en el intervalo de una hora. La primera detección se registra con el campo a 1.

timestamp

Date UTC en formato epoch (número de nanosegundos transcurridos desde el 1 de enero de 1970) del momento en que se produjo el evento en el equipo del cliente. Consulta pandatimestatus para interpretar correctamente este campo.

totalresolutiontime

Indicates the time it took the cloud to respond, and whether the error code query failed.

• 0: The cloud was not queried.

• >0: Time in milliseconds it took the cloud to respond to the query.

• <0: Cloud query error code.

• -1 (ERROR)

• -2 (ERROR_INVALID_PARAMETER)

• -3 (ERROR_INVALID_STATE)

• -4 NOT_ENOUGH_MEMORY)

• -5 (ERROR_LOADING_COMPONENT)

• -6 (ERROR_READONLY_PROPERTY)

• -7 (ERROR_UNKNOWN_PROPERTY)

• -8 (ERROR_WRONG_CONFIGURATION)

• -9 (ERROR_EXCEPTION)

• -10 (ERROR_NOT_IMPLEMENTED)

• -11 (ERROR_CLOUD_DEVELOPMENT)

• -12 (ERROR_CLOUD_INVALID_PROPERTY)

• -13 (ERROR_CLOUD_LOADING_COMPONENT)

• -14 (ERROR_CLOUD_TIMEOUT)

• -15 (ERROR_CLOUD_CANCELLED)

• -16 (ERROR_CLOUD_OVERRIDE)

• -17 (ERROR_CLOUD_CLOSED)

• -18 (ERROR_CLOUD_OFFLINE)

• -19 (ERROR_CLOUD_NO_SESSION)

• -20 (ERROR_CLOUD_COM_GENERIC)

• -21 (ERROR_CLOUD_COM_NET)

• -22 (ERROR_CLOUD_COM_TIMEOUT)

• -23 (ERROR_CLOUD_COM_PROXY_AUTHENTICATION)

• -24 (ERROR_CLOUD_COM_PROXY_REQUIRED_AUTHENTICATION)

• -25 (ERROR_CLOUD_COM_SERVER_RESET)

• -26 (ERROR_CLOUD_COM_INTERNAL_SERVER)

• -27 (ERROR_CLOUD_COM_INVALID_TOKEN

triggertarget

Nombre de la unidad de systemd (fichero .service, .socket o .path) que se activará cuando el temporizador programado expire. Disponible en sistemas operativos Linux.

TTPs

List of the MITRE tactics, techniques, and sub-techniques associated with the event.

type

See operation.

uniqueid

Unique ID of the device.

url

eventtype 14 (Download) - childurl

Download URL launched by the process that generated the logged event.

eventtype 22 (NetworkOps) - inicitaldomain

Source domain when the security software detects an HTTP redirection.

This field shows information only if the security software Audit mode is enabled.

eventtype 99 (RemediationOps)

List of 10 URLs sent by the process monitor, separated by *, in the event of the detection of an exploit.

userid

Identificador de la cuenta de usuario involucrada en el evento en sistemas operativos Linux.

username

value

Registry branch and key.

valuedata

Data type of the value contained in the registry key, and value:

• 00 (REG_NONE)

• 01 (REG_SZ)

• 02 (REG_EXPAND_SZ)

• 03 (REG_BINARY)

• 04 (REG_DWORD)

• 05 (REG_DWORD_BIG_ENDIAN)

• 06 (REG_LINK)

• 07 (REG_MULTI_SZ)

• 08 (REG_RESOURCE_LIST)

• 09 (REG_FULL_RESOURCE_DESCRIPTOR)

• 0A (REG_RESOURCE_REQUIREMENTS_LIST)

• 0B (REG_QWORD)

• 0C (REG_QWORD_LITTLE_ENDIAN)

valuedatalength

Size of the data stored in the Windows registry.

vantiexploit

Version of the PSNMVHookPlg32 and PSNAntiExploitPLG.dll DLLs.

vbloomfilter

Version of the Bloom filter file that contains the local goodware cache.

vcontroller

vdeteventfilter

Version of the filter file for the contextual detection technology (deteventfilter).

verbosemode

The computer is configured in Verbose mode.

version

Operating system version of the computer that ran the vulnerable software.

versionagent

Installed agent version.

versionantiexploit

See vantiexploit.

versionbloomfilter

See vbloomfilter.

versioncontroller

Psnmvctrl.dll DLL version.

versiondetectevent

Deteven.dll DLL version.

versiondetection

versiondetevenfilter

See vdeteventfilter.

versionfilterantiexploit

See vtfilterantiexploit.

versionhelper

Versión de la dll HELPER_XX.exe

versioninjectionplg

Versión de la dll PSNInyectorPLG.dll

versionioaplg

versionnopeanalysisfilter

Versión del filtro del modelo en el fichero nn.sig para analizar scripts.

versionproduct

Installed protection product version.

versionramsomevent

See vramsomevent.

versionsherlockplg

versiontabledetection

See vtabledetevent.

versiontableramsom

See vtableramsomevent.

versionttpplg

vioaplg

PSNIOAPlg.dll DLL version.

vtabledetevent

TblEven.dll DLL version.

vtableramsomevent

TblRansomEven.dll DLL version.

vramsomevent

RansomEvent.dll DLL version.

vsherlockplg

Versión de la dll PSNEVMGRAG.dll.

vtfilterantiexploit

Versión de la dll PSINJHOOKPLG32.dll.

vttpplg

PSNMitrePlg.dll DLL version.

winningtech

Cytomic EPDR or Cytomic EDR agent technology that raised the event:

• 0 (Unknown)

• 1 (Cache): Locally cached classification.

• 2 (Cloud): Classification downloaded from the cloud.

• 3 (Context): Local context rule.

• 4 (Serializer): Binary type.

• 5 (User): The user was asked about the action to take.

• 6 (LegacyUser): The user was asked about the action to take.

• 7 (NetNative): Binary type.

• 8 (CertifUA): Detection by digital certificates.

• 9 (LocalSignature): Local signature.

• 10 (ContextMinerva): Cloud-hosted context rule.

• 11 (Blockmode): The agent was in Hardening or Lock mode when the process was blocked from running.

• 12 (Metasploit): Attack created with the Metasploit Framework.

• 13 (DLP): Data Leak Prevention technology.

• 14 (AntiExploit): Technology that identifies attempts to exploit vulnerable processes.

• 15 (GWFilter): Technology that identifies goodware processes.

• 16 (Policy): Cytomic EPDR advanced security policies.

• 17 (SecAppControl): Security app control technologies.

• 18 (ProdAppControl): Productivity app control technologies.

• 19 (EVTContext): Linux contextual technology.

• 20 (RDP): Technology to detect/block RDP (Remote Desktop Protocol) intrusions and attacks.

• 21 (AMSITech): tecnología para detectar malware en notificaciones AMSI.

• 22 (DecoyTech): tecnología de detección por archivos señuelo (decoy files).

• 23 (Deeplearning): tecnología deeplearning de detección de malware.

• 24 (ShadowCopy): el administrador activó la funcionalidad de shadow copies como método de resolución frente a modificaciones de ficheros no autorizadas.

• 25 (RemediationTech): tecnología de resolución de XDR.

• 26 (DeepInspection): tecnología de detección de ataques de red.

• 27 (EAC): tecnología de Endpoint Access Enforcement.

• 28 (BYOVD): tecnología de detección de drivers vulnerables (Bring Your Own Vulnerable Driver).

• 29 (ZeroTrust): tecnología local para la clasificación de goodware que evita bloqueos innecesarios.

• 30 (Scripting): tecnología para detectar / bloquear scripts.

• -1 (Unknown)