Endpoint Agent Events Overview
Overview
This category describes and provides samples for the various events emitted by the LimaCharlie Endpoint Agent Sensor. These events can be leveraged in D&R rules and queried with LCQL.
Important note about Event Collection
Only events enabled in the Exfil configuration will be shipped by the endpoint agent. If you're not seeing a specific event you expect, make sure that the desired event type is enabled in the Exfil extension configuration. Ensure your Exfil settings are properly configured to capture all required event types for your use case.
Atoms
Atoms are Globally Unique Identifiers (GUIDs). An example might be: 1e9e242a512d9a9b16d326ac30229e7b. You can treat them as opaque values. These unique values are used to relate events together rather than using Process IDs, which are themselves unreliable.
Relationships
Atoms can be found in up to 3 spots in an event:
routing/this: current event
routing/parent: parent of the current event
routing/target: target of the current event
Using atom references from a single event, the chain of ancestor events can be constructed. Here's a simplified example of an event and its parent event:
Child event:
{
"event": {...},
"routing": {
"this": "abcdef",
"parent": "zxcv"
...
}
}
Parent event:
{
"event": {...},
"routing": {
"this": "zxcv",
"parent": "poiuy"
...
}
}
API users may construct a tree from a single atom using these 2 endpoints:
/insight/{oid}/{sid}/{atom} - get event by atom
/insight/{oid}/{sid}/{atom}/children - get children of an atom
These can be called recursively on each event's routing/parent and/or child events to complete a full tree if required - this is how the tree view works in the Timeline of a sensor in the web application.
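The following is an added example, not LimaCharlie's own code, showing the walk described above done offline against a constructed list of events: it indexes events by routing/this and routing/parent, follows routing/parent up to the root, and builds the child tree downward. The in-memory list stands in for what the /insight/{oid}/{sid}/{atom} and .../children endpoints would return; the sample atoms, file paths and the "orphan" event are invented.

```python
"""Reconstruct ancestor chains and child trees of LimaCharlie events from
their routing atoms. Added example; the event list is constructed and
stands in for the /insight/{oid}/{sid}/{atom} and .../children responses."""

# Constructed sample: a small process tree, a NETWORK_SUMMARY whose parent is
# the process that made the connections, and an event whose parent atom is
# not in the store (e.g. outside the retention window). Atoms are opaque.
EVENTS = [
    {"routing": {"this": "poiuy", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\explorer.exe"}},
    {"routing": {"this": "zxcv", "parent": "poiuy", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\cmd.exe"}},
    {"routing": {"this": "abcdef", "parent": "zxcv", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "C:\\Windows\\System32\\curl.exe"}},
    {"routing": {"this": "net1", "parent": "abcdef", "event_type": "NETWORK_SUMMARY"},
     "event": {}},
    {"routing": {"this": "orphan", "parent": "missing", "event_type": "NEW_PROCESS"},
     "event": {"FILE_PATH": "unknown.exe"}},
]


def index_events(events):
    """Index events by routing/this and by routing/parent (the two values the
    page recommends indexing in custom storage). Returns (by_atom, children)."""
    by_atom, children = {}, {}
    for ev in events:
        r = ev["routing"]
        by_atom[r["this"]] = ev
        if "parent" in r:
            children.setdefault(r["parent"], []).append(r["this"])
    return by_atom, children


def ancestor_chain(atom, by_atom):
    """Follow routing/parent from one atom to the root. Returns atoms from the
    starting event upward; stops at the first atom missing from the store
    or if a cycle is encountered, so a bad parent reference cannot loop."""
    chain, seen = [], set()
    while atom in by_atom and atom not in seen:
        seen.add(atom)
        chain.append(atom)
        atom = by_atom[atom]["routing"].get("parent")
    return chain


def descendant_tree(atom, children):
    """Recursively build a nested dict {child_atom: {grandchild: {...}}} below
    an atom, mirroring the Timeline tree view built from the children endpoint."""
    return {c: descendant_tree(c, children) for c in children.get(atom, [])}
```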
The parent-child relationship serves to describe parent and child processes via the NEW_PROCESS or EXISTING_PROCESS events, but other types of events may also have parents. For example, on NETWORK_SUMMARY events, the parent will be the process that generated the network connections.
Tip: when using custom storage and/or searching solutions it's helpful to index the values of routing/this and routing/parent for each event. Doing so will speed up searching during threat hunting and investigations.
Finally, the routing/target is only sometimes found in an event, and it represents an event that interacts with another event without having a parent-child relationship. For example, in the NEW_REMOTE_THREAD event, this target represents a process where a remote thread was created.