Reference: EDR Events
  • 05 Oct 2024
  • 23 Minutes to read
  • Contributors
  • Dark
    Light

Reference: EDR Events

  • Dark
    Light

Article summary

Overview

This page provides a detailed overview of all events generated by the LimaCharlie Endpoint Agent. Each event type represents a specific system activity, from process creation to network connections and file modifications. Events serve as key components in detection, response, and monitoring, enabling security teams to track, analyze, and take action on endpoint behavior. Use this guide to understand the purpose and structure of each event for effective threat detection and investigation.

Generally, event types ending with *_REP are emitted in response to a command being issued to the endpoint agent.

EDR Events by Supported OS

These are the events emitted by the endpoint agent for each supported operating system. Below the table, you can find descriptions of each event type.

EDR Event TypemacOSWindowsLinuxChromeEdge
AUTORUN_CHANGE☑️
CLOUD_NOTIFICATION☑️☑️☑️☑️☑️
CODE_IDENTITY☑️☑️☑️
CONNECTED☑️☑️☑️☑️☑️
DATA_DROPPED☑️☑️☑️
DEBUG_DATA_REP☑️
DELETED_SENSOR☑️☑️☑️
DIR_FINDHASH_REP☑️☑️☑️
DIR_LIST_REP☑️☑️☑️
DISCONNECTED☑️
DNS_REQUEST☑️☑️☑️☑️☑️
DRIVER_CHANGE☑️
EXEC_OOB☑️☑️
EXISTING_PROCESS☑️☑️☑️
EXPORT_COMPLETE☑️☑️☑️
FIM_ADD☑️☑️☑️
FIM_DEL☑️☑️☑️
FIM_HIT☑️☑️☑️
FILE_CREATE☑️☑️
FILE_DEL_REP☑️☑️☑️
FILE_DELETE☑️☑️
FILE_GET_REP☑️☑️☑️
FILE_HASH_REP☑️☑️☑️
FILE_INFO_REP☑️☑️☑️
FILE_MODIFIED☑️☑️
FILE_MOV_REP☑️☑️☑️
FILE_TYPE_ACCESSED☑️☑️
GET_DOCUMENT_REP☑️☑️
GET_EXFIL_EVENT_REP☑️☑️☑️
HIDDEN_MODULE_DETECTED☑️
HISTORY_DUMP_REP☑️☑️☑️
HTTP_REQUEST☑️☑️
HTTP_REQUEST_HEADERS☑️
HTTP_RESPONSE_HEADERS☑️
INGEST☑️☑️☑️
LOG_GET_REP
LOG_LIST_REP
MEM_FIND_HANDLES_REP☑️
MEM_FIND_STRING_REP☑️☑️☑️
MEM_HANDLES_REP☑️
MEM_MAP_REP☑️☑️☑️
MEM_READ_REP☑️☑️☑️
MEM_STRINGS_REP☑️☑️☑️
MODULE_LOAD☑️☑️
MODULE_MEM_DISK_MISMATCH☑️☑️☑️
NETSTAT_REP☑️☑️☑️
NETWORK_CONNECTIONS☑️☑️☑️
NETWORK_SUMMARY☑️☑️☑️
NEW_DOCUMENT☑️☑️
NEW_NAMED_PIPE☑️
NEW_PROCESS☑️☑️☑️
NEW_REMOTE_THREAD☑️
NEW_TCP4_CONNECTION☑️☑️☑️
NEW_TCP6_CONNECTION☑️☑️☑️
NEW_UDP4_CONNECTION☑️☑️☑️
NEW_UDP6_CONNECTION☑️☑️☑️
OPEN_NAMED_PIPE☑️
OS_AUTORUNS_REP☑️☑️
OS_DRIVERS_REP☑️
OS_KILL_PROCESS_REP☑️☑️☑️
OS_PACKAGES_REP☑️
OS_PROCESSES_REP☑️☑️☑️
OS_RESUME_REP☑️☑️☑️
OS_SERVICES_REP☑️☑️☑️
OS_SUSPEND_REP☑️☑️☑️
OS_USERS_REP☑️
OS_VERSION_REP☑️☑️☑️
PCAP_LIST_INTERFACES_REP☑️
PROCESS_ENVIRONMENT☑️☑️
RECEIPT☑️☑️☑️☑️
REGISTRY_CREATE☑️
REGISTRY_DELETE☑️
REGISTRY_LIST_REP☑️
REGISTRY_WRITE☑️
REJOIN_NETWORK☑️☑️☑️☑️
REMOTE_PROCESS_HANDLE☑️
SEGREGATE_NETWORK☑️☑️☑️☑️
SENSITIVE_PROCESS_ACCESS☑️
SERVICE_CHANGE☑️☑️☑️
SHUTTING_DOWN☑️☑️☑️
SSH_LOGIN☑️
SSH_LOGOUT☑️
STARTING_UP☑️☑️☑️
TERMINATE_PROCESS☑️☑️☑️
TERMINATE_TCP4_CONNECTION☑️☑️☑️
TERMINATE_TCP6_CONNECTION☑️☑️☑️
TERMINATE_UDP4_CONNECTION☑️☑️☑️
TERMINATE_UDP6_CONNECTION☑️☑️☑️
THREAD_INJECTION☑️
USER_LOGIN☑️
USER_LOGOUT☑️
USER_OBSERVED☑️☑️☑️
VOLUME_MOUNT☑️☑️
VOLUME_UNMOUNT☑️☑️
WEL☑️
YARA_DETECTION☑️☑️☑️


Event Descriptions

AUTORUN_CHANGE

Generated when an Autorun is changed.

Platforms:

{
  "REGISTRY_KEY": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
  "TIMESTAMP": 1627497894000
}

CLOUD_NOTIFICATION

This event is a receipt from the agent that it has received the task sent to it, and includes high-level errors (if any).

Platforms:

{
  "NOTIFICATION_ID": "ADD_EXFIL_EVENT_REQ",
  "NOTIFICATION": {
    "INVESTIGATION_ID": "digger-4afdeb2b-a0d8-4a37-83b5-48996117998e"
  },
  "HCP_IDENT": {
    "HCP_ORG_ID": "c82e5c17d5194ef5a4acc454a95d31db",
    "HCP_SENSOR_ID": "8fc370e6699a49858e75c1316b725570",
    "HCP_INSTALLER_ID": "00000000000000000000000000000000",
    "HCP_ARCHITECTURE": 0,
    "HCP_PLATFORM": 0
  },
  "EXPIRY": 0
}

CODE_IDENTITY

Unique combinations of file hash and file path. This event is emitted the first time the combination is seen, typically when the binary is executed or loaded. Therefore it's a great event to look for hashes without being overwhelmed by process execution or module loads.

ONGOING_IDENTITY

The ONGOING_IDENTITY event emits code signature information even if not newly seen, however this data can become duplicative and verbose.

Platforms:

{
  "MEMORY_SIZE": 0,
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
  "TIMESTAMP": 1456285265,
  "SIGNATURE": {
    "CERT_ISSUER": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA",
    "CERT_CHAIN_STATUS": 124,
    "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
    "CERT_SUBJECT": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation"
  },
  "HASH": "4ab4024eb555b2e4c54d378a846a847bd02f66ac54849bbce5a1c8b787f1d26c"
}

CONNECTED

This event is generated when a Sensor connects to the cloud.

Platforms:

{
    "HOST_NAME" : "demo-win-2016",
    "IS_SEGREGATED" : 0,
    "KERNEL_ACQ_AVAILABLE" : 1,
    "MAC_ADDRESS" : "42-01-0A-80-00-02"
}

DEBUG_DATA_REP

Response from a get_debug_data request.

DIR_FINDHASH_REP

Response event for the dir_find_hash sensor command.

Platforms:

Sample Event:

{
    "DIRECTORY_LIST": [
        {
            "HASH": "f11dda931637a1a1bc614fc2f320326b24336c5155679aa062acae7c79f33d67",
            "ACCESS_TIME": 1535994794247,
            "FILE_SIZE": 113664,
            "CREATION_TIME": 1467173189067,
            "MODIFICATION_TIME": 1467173190171,
            "FILE_NAME": "MALWARE_DEMO_WINDOWS_1.exe",
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\MALWARE_DEMO_WINDOWS_1.exe"
        },
        {
            "HASH": "e37726feee8e72f3ab006e023cb9d6fa1a4087274b47217d2462325fa8008515",
            "ACCESS_TIME": 1535989041078,
            "FILE_SIZE": 1016320,
            "CREATION_TIME": 1522507344821,
            "MODIFICATION_TIME": 1522507355732,
            "FILE_NAME": "lc_win_64.exe",
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\lc_win_64.exe"
        }
    ],
    "HASH": [
        "f11dda931637a1a1bc614fc2f320326b24336c5155679aa062acae7c79f33d67",
        "e37726feee8e72f3ab006e023cb9d6fa1a4087274b47217d2462325fa8008515"
    ],
    "FILE_PATH": "*.exe",
    "DIRECTORY_LIST_DEPTH": 0,
    "DIRECTORY_PATH": "c:\\users\\dev\\desktop\\"
}

DIR_LIST_REP

Response event for the dir_list sensor command. Includes Alternate Data Streams on Windows.

Platforms:

Sample Event:

{
    "DIRECTORY_LIST": [
        {
            "FILE_NAME": "vssdk_full.exe",
            "CREATION_TIME": 1553437930012,
            "MODIFICATION_TIME": 1553437937000,
            "STREAMS": [
                {
                    "FILE_NAME": "::$DATA",
                    "SIZE": 13782032
                }
            ],
            "ACCESS_TIME": 1567868284440,
            "FILE_SIZE": 13782032,
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\vssdk_full.exe"
        },
        {
            "FILE_NAME": "UniversalLog.txt",
            "CREATION_TIME": 1553028205525,
            "MODIFICATION_TIME": 1553028206289,
            "STREAMS": [
                {
                    "FILE_NAME": "::$DATA",
                    "SIZE": 125
                },
                {
                    "FILE_NAME": ":Zone.Identifier:$DATA",
                    "SIZE": 377
                }
            ],
            "ACCESS_TIME": 1567868284158,
            "FILE_SIZE": 125,
            "ATTRIBUTES": 32,
            "FILE_PATH": "c:\\users\\dev\\desktop\\UniversalLog.txt"
        }
    ]
}

DISCONNECTED

This event is generated when a Sensor disconnects from the cloud.

Platforms:

{
  "DISCONNECTED": {},
  "ts": 1455674775
}

DNS_REQUEST

Generated from DNS responses and therefore includes both the requested domain and the response from the server. If the server responds with multiple responses (as allowed by the DNS protocol) the N answers will become N DNS_REQUEST events, so you can always assume one DNS_REQUEST event means one answer.

Platforms:

{
  "DNS_TYPE": 1,
  "TIMESTAMP": 1456285240,
  "DNS_FLAGS": 0,
  "DOMAIN_NAME": "time.windows.com"
}

DRIVER_CHANGE

Generated when a driver is changed.

Platforms:

{
  "PROCESS_ID": 0,
  "SVC_DISPLAY_NAME": "HbsAcq",
  "SVC_NAME": "HbsAcq",
  "SVC_STATE": 1,
  "SVC_TYPE": 1,
  "TIMESTAMP": 1517377895873
}

EXISTING_PROCESS

This event is similar to the NEW_PROCESS event.  It gets emitted when a process existed prior to the LimaCharlie sensor loading.

Platforms:


FILE_CREATE

Generated when a file is created.

Platforms:

{
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01tmp.log",
  "TIMESTAMP": 1468335271948
}

FILE_DEL_REP

Response event for the file_del sensor command.

Platforms:

Sample Event:

{
  "FILE_PATH": "C:\\test\\test.txt"
}

FILE_DELETE

Generated when a file is deleted.

Platforms:

{
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\EBA4E4F0-3020-459E-9E34-D5336E244F05\\api-ms-win-core-processthreads-l1-1-2.dll",
  "TIMESTAMP": 1468335611906
}

FILE_GET_REP

Response event for the file_get sensor command.

Platforms:

Sample Event:

{
  "FILE_CONTENT": "$BASE64_ENCODED_FILE_CONTENTS",
  "FILE_PATH": "C:\\windows\\system32\\svchost.exe",
  "FILE_SIZE": 78880
}

FILE_HASH_REP

Response event for the file_hash sensor command.

Platforms:

Sample Event:

{
  "FILE_IS_SIGNED": 1,
  "FILE_PATH": "C:\\Windows\\System32\\svchost.exe",
  "HASH": "31780ff2aaf7bc71f755ba0e4fef1d61b060d1d2741eafb33cbab44d889595a0",
  "SIGNATURE": {
    "CERT_ISSUER": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
    "CERT_SUBJECT": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher",
    "FILE_CERT_IS_VERIFIED_LOCAL": 1,
    "FILE_IS_SIGNED": 1,
    "FILE_PATH": "C:\\Windows\\System32\\svchost.exe"
  }
}

FILE_INFO_REP

Response event for the file_info sensor command.

Platforms:

Sample Event:

{
  "ACCESS_TIME": 1686685723546,
  "ATTRIBUTES": 0,
  "CREATION_TIME": 1686685723546,
  "FILE_IS_SIGNED": 1,
  "FILE_PATH": "C:\\Windows\\System32\\svchost.exe",
  "FILE_SIZE": 78880,
  "MODIFICATION_TIME": 1686685723546
}

FILE_MODIFIED

Generated when a file is modified.

Platforms:

{
  "FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01.log",
  "TIMESTAMP": 1468335272949
}

FILE_MOV_REP

Response event for the file_mov sensor command.

Platforms:

Sample Event:

{
  "DESTINATION": "C:\\test\\test.txt.bak",
  "SOURCE": "C:\\test\\test.txt"
}

FILE_TYPE_ACCESSED

Generated when a new process is observed interacting with certain file types.

The RULE_NAME component is the class of file extension involved:

  • Rule 1: .doc, .docm, .docx

  • Rule 2: .xlt, .xlsm, .xlsx

  • Rule 3: .ppt, .pptm, .pptx, .ppts

  • Rule 4: .pdf

  • Rule 5: .rtf

  • Rule 50: .zip

  • Rule 51: .rar

  • Rule 64: .locky, .aesir

Platforms:

{
  "PROCESS_ID": 2048,
  "RULE_NAME": 50,
  "FILE_PATH": "C:\\Program Files\\7-Zip\\7zG.exe"
}

FIM_ADD

Response event for the fim_add sensor command. An ERROR: 0 implies the path was successfully added.

Platforms:

Output:

"event": {
  "ERROR":0
}

FIM_DEL

Response event for the fim_del sensor command. An ERROR: 0 implies the path was successfully removed.

An ERROR: 3 response implies the provided path was not found in the list of FIM patterns.

Platforms:

Output:

"event": {
  "ERROR":0
}

FIM_HIT

A file, directory, or registry key being monitored by File & Registry Integrity Monitoring has been modified.

Platforms:

{
  "PROCESS": {
    "MEMORY_USAGE": 25808896,
    "TIMESTAMP": 1541348299886,
    "COMMAND_LINE": "\"C:\\WINDOWS\\regedit.exe\" ",
    "PROCESS_ID": 4340,
    "THREADS": 3,
    "USER_NAME": "BUILTIN\\Administrators",
    "FILE_PATH": "C:\\WINDOWS\\regedit.exe",
    "PARENT_PROCESS_ID": 6260
  },
  "REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\ActiveState\\New Value #1",
  "PROCESS_ID": 4340
}

FIM_LIST_REP

Response event for the fim_get sensor command. The response will be a JSON list of FIM patterns.

Platforms:

Output:

{
  "PATTERNS": [
    0: "/home/*",
    1: "/home/*/.ssh/*",
    2: "/root/.ssh/authorized_keys"
  ]
}

GET_DOCUMENT_REP

Generated when a doc_cache_get task requests a cached document.

Platforms:

GET_EXFIL_EVENT_REP

Response from an exfil_get sensor command.

Platforms:

HIDDEN_MODULE_DETECTED

Generated when a hidden_module_scan command is issued.

Note that the name of the event does not confirm the presence of a hidden module. Please check the output to

confirm whether a hidden module was detected.

Platforms:

Sample Event:

{
  "ERROR": 0,
  "ERROR_MESSAGE": "done"
}

HISTORY_DUMP_REP

Response from history_dump sensor command. Does not itself contain the historic events but will be generated along them.

Platforms:


HTTP_REQUEST

This event is emitted whenever an HTTP request is made.

Platforms:

Sample Event:

{
  "URL": "https://play.google.com/log?authuser=0",
  "IP_ADDRESS": "172.217.2.142",
  "RESULT": 200,
  "PARENT": {
    "URL": "https://console.cloud.google.com"
  }
}

HTTP_REQUEST_HEADERS

Provides HTTP Request headers.

Platforms:

Sample Event:

{
  "HEADERS": [
    {
      "NAME": "User-Agent",
      "VALUE": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
    },
    {
      "NAME": "Accept",
      "VALUE": "*/*"
    }
  ]
}

HTTP_RESPONSE_HEADERS

Provides HTTP Response headers.

Platforms:

Sample Event:

{
  "HEADERS": [
    {
      "NAME": "content-length",
      "VALUE": "859"
    },
    {
      "NAME": "cache-control",
      "VALUE": "max-age=3600"
    },
    {
      "NAME": "content-encoding",
      "VALUE": "br"
    },
    {
      "NAME": "content-type",
      "VALUE": "text/html; charset=utf-8"
    },
    {
      "NAME": "etag",
      "VALUE": "\"1540d7725dd15680377d45886baba56f620f7692faa530bc3597226ffadd77d1-br\""
    },
    {
      "NAME": "last-modified",
      "VALUE": "Thu, 21 Dec 2023 23:59:32 GMT"
    },
    {
      "NAME": "referrer-policy",
      "VALUE": "sameorigin"
    },
    {
      "NAME": "strict-transport-security",
      "VALUE": "max-age=3600 ; includeSubDomains"
    },
    {
      "NAME": "x-content-type-options",
      "VALUE": "nosniff"
    },
    {
      "NAME": "x-frame-options",
      "VALUE": "sameorigin"
    },
    {
      "NAME": "accept-ranges",
      "VALUE": "bytes"
    },
    {
      "NAME": "date",
      "VALUE": "Fri, 22 Dec 2023 19:10:58 GMT"
    },
    {
      "NAME": "x-served-by",
      "VALUE": "cache-dub4332-DUB"
    },
    {
      "NAME": "x-cache",
      "VALUE": "HIT"
    },
    {
      "NAME": "x-cache-hits",
      "VALUE": "1"
    },
    {
      "NAME": "x-timer",
      "VALUE": "S1703272259.579745,VS0,VE1"
    },
    {
      "NAME": "vary",
      "VALUE": "x-fh-requested-host, accept-encoding"
    },
    {
      "NAME": "alt-svc",
      "VALUE": "h3=\":443\";ma=86400,h3-29=\":443\";ma=86400,h3-27=\":443\";ma=86400"
    }
  ]
}

LOG_GET_REP

Response from a log_get request.

LOG_LIST_REP

Response from a log_list request.

MEM_FIND_HANDLES_REP

Response event for the mem_find_handle sensor command.

Platforms:

MEM_FIND_STRING_REP

Response event for the mem_find_string sensor command.

Platforms:

MEM_HANDLES_REP

Response event for the mem_handles sensor command. This event will contain an array of handles identified in memory.

Platforms:

Sample Event:

{
    "HANDLES": [
      {
        "HANDLE_NAME": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
        "HANDLE_TYPE": "Key",
        "HANDLE_VALUE": 4,
        "PROCESS_ID": 908
      },
      {
        "HANDLE_NAME": "\\KnownDlls",
        "HANDLE_TYPE": "Directory",
        "HANDLE_VALUE": 48,
        "PROCESS_ID": 908
      },
      "..."]
}

MEM_MAP_REP

Response event for the mem_map sensor command. This event will contain an array of arrays, representing processes and their associated memory data.

Platforms:

Sample Event:

{
    "MEMORY_MAP": [
      {
        "BASE_ADDRESS": 94100802174976,
        "MEMORY_ACCESS": 6,
        "MEMORY_SIZE": 4096,
        "MEMORY_TYPE": 3
      }
    ]
}

MEM_READ_REP

Response event for the mem_read sensor command.

Platforms:

Sample Event:

{
  "MEMORY_DUMP": "TGltYU...",
  "PROCESS_ID": 745
}

MEM_STRINGS_REP

Response event for the mem_strings sensor command. The response will contain two arrays of arrays, STRINGSA and STRINGSW.

Platforms:

Sample Event:

{
    "PROCESS_ID" : 745,
    "STRINGSA" : [
        [
            0 : "/lib64/ld-linux-x86-64.so.2",
            1 : "__gmon_start__"
        ]
    ]
}

MODULE_LOAD

Generated when a module (like DLL on Windows) is loaded in a process.

Platforms:

{
  "MEMORY_SIZE": 241664,
  "PROCESS_ID": 2904,
  "FILE_PATH": "C:\\Windows\\System32\\imm32.dll",
  "MODULE_NAME": "imm32.dll",
  "TIMESTAMP": 1468335264989,
  "BASE_ADDRESS": 140715814092800
}

NETSTAT_REP

Response from a  netstat command to list active network sockets.

Platforms:

Sample Event:

{
  "FRIENDLY": 0,
  "NETWORK_ACTIVITY": [
    {
      "DESTINATION": {
        "IP_ADDRESS": "0.0.0.0",
        "PORT": 0
      },
      "PROCESS_ID": 856,
      "PROTOCOL": "tcp4",
      "SOURCE": {
        "IP_ADDRESS": "0.0.0.0",
        "PORT": 135
      }
    }
  ]
}

NETWORK_CONNECTIONS

List of recent network connections performed by a process.

Platforms:

{
  "NETWORK_ACTIVITY": [
    {
      "SOURCE": {
        "IP_ADDRESS": "172.16.223.138",
        "PORT": 50396
      },
      "IS_OUTGOING": 1,
      "DESTINATION": {
        "IP_ADDRESS": "23.214.49.56",
        "PORT": 80
      }
    },
    {
      "SOURCE": {
        "IP_ADDRESS": "172.16.223.138",
        "PORT": 50397
      },
      "IS_OUTGOING": 1,
      "DESTINATION": {
        "IP_ADDRESS": "189.247.166.18",
        "PORT": 80
      }
    },
    {
      "SOURCE": {
        "IP_ADDRESS": "172.16.223.138",
        "PORT": 50398
      },
      "IS_OUTGOING": 1,
      "DESTINATION": {
        "IP_ADDRESS": "23.217.70.67",
        "PORT": 80
      }
    },
    {
      "SOURCE": {
        "IP_ADDRESS": "172.16.223.138",
        "PORT": 50399
      },
      "IS_OUTGOING": 1,
      "DESTINATION": {
        "IP_ADDRESS": "104.110.238.53",
        "PORT": 80
      }
    },
    {
      "SOURCE": {
        "IP_ADDRESS": "172.16.223.138",
        "PORT": 50400
      },
      "IS_OUTGOING": 1,
      "DESTINATION": {
        "IP_ADDRESS": "23.214.49.56",
        "PORT": 80
      }
    },
    {
      "SOURCE": {
        "IP_ADDRESS": "172.16.223.138",
        "PORT": 50401
      },
      "IS_OUTGOING": 1,
      "DESTINATION": {
        "IP_ADDRESS": "204.79.197.203",
        "PORT": 80
      }
    }
  ],
  "HASH": "2de228cad2e542b2af2554d61fab5463ecbba3ff8349ba88c3e48637ed8086e9",
  "COMMAND_LINE": "C:\\WINDOWS\\system32\\msfeedssync.exe sync",
  "PROCESS_ID": 6968,
  "FILE_IS_SIGNED": 1,
  "USER_NAME": "WIN-5KC7E0NG1OD\\dev",
  "FILE_PATH": "C:\\WINDOWS\\system32\\msfeedssync.exe",
  "PARENT_PROCESS_ID": 1892
}

NEW_DOCUMENT

Generated when a file is created that matches a set list of locations and extensions. It indicates the file has been cached in memory and can be retrieved using the doc_cache_get task.

The following file patterns are considered "documents":

  • .bat

  • .js

  • .ps1

  • .sh

  • .py

  • .exe

  • .scr

  • .pdf

  • .doc

  • .docm

  • .docx

  • .ppt

  • .pptm

  • .pptx

  • .xlt

  • .xlsm

  • .xlsx

  • .vbs

  • .rtf

  • .hta

  • .lnk

  • .xsl

  • .com

  • .png

  • .jpg

  • .asp

  • .aspx

  • .php

  • \windows\system32\

Platforms:

{
  "FILE_PATH": "C:\\Users\\dev\\Desktop\\evil.exe",
  "TIMESTAMP": 1468335816308,
  "HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}

NEW_NAMED_PIPE

This event is emitted when a new Named Pipe is created by a process.

Platforms:

{
  "FILE_PATH": "\\Device\\NamedPipe\\LOCAL\\mojo.6380.1072.2134013463507075011",
  "PROCESS_ID": 6380
}

NEW_PROCESS

Generated when a new process starts.

Platforms:

{
  "PARENT": {
    "PARENT_PROCESS_ID": 7076,
    "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe\"  ",
    "MEMORY_USAGE": 438730752,
    "PROCESS_ID": 5820,
    "THREADS": 39,
    "FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe",
    "BASE_ADDRESS": 798949376
  },
  "PARENT_PROCESS_ID": 5820,
  "COMMAND_LINE": "-q  -s {0257E42D-7F05-42C4-B402-34C1CC2F2EAD} -p 5820",
  "FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\VC\\vcpackages\\VCPkgSrv.exe",
  "PROCESS_ID": 1080,
  "THREADS": 9,
  "MEMORY_USAGE": 8282112,
  "TIMESTAMP": 1456285660,
  "BASE_ADDRESS": 4194304
}

NEW_REMOTE_THREAD

Generated when a thread is created by a process in another process. This is often used by malware during various forms of code injection.

In this case, the process id 492 created a thread (with id 9012) in the process id 7944. The parent process is also globally uniquely identified by the routing/parent and the process where the thread was started is globally uniquely identified by the routing/target (not visible here).

Platforms:

{
  "THREAD_ID": 9012,
  "PROCESS_ID": 7944,
  "PARENT_PROCESS_ID": 492
}

NEW_TCP4_CONNECTION

Generated when a new TCPv4 connection is established, either inbound or outbound.

Platforms:

{
  "PROCESS_ID": 6788,
  "DESTINATION": {
    "IP_ADDRESS": "172.16.223.219",
    "PORT": 80
  },
  "STATE": 5,
  "TIMESTAMP": 1468335512047,
  "SOURCE": {
    "IP_ADDRESS": "172.16.223.163",
    "PORT": 63581
  }
}

NEW_TCP6_CONNECTION

Generated when a new TCPv6 connection is established, either inbound or outbound.

Platforms:


NEW_UDP4_CONNECTION

Generated when a new UDPv4 socket "connection" is established, either inbound or outbound.

Platforms:

{
  "TIMESTAMP": 1468335452828,
  "PROCESS_ID": 924,
  "IP_ADDRESS": "172.16.223.163",
  "PORT": 63057
}

NEW_UDP6_CONNECTION

Generated when a new UDPv6 socket "connection" is established, either inbound or outbound.

Platforms:


OPEN_NAMED_PIPE

This event is emitted when an existing Named Pipe is opened by a process.

Platforms:

{
  "FILE_PATH": "\\Device\\NamedPipe\\lsass",
  "PROCESS_ID": 2232
}

OS_AUTORUNS_REP

Response from an os_autoruns request.

Platforms:

Sample Event:

{
  "TIMESTAMP": 1456194620,
  "AUTORUNS": [
    {
      "REGISTRY_KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware User Process",
      "FILE_PATH": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr",
      "HASH": "036608644e3c282efaac49792a2bb2534df95e859e2ddc727cd5d2e764133d14"
    }
  ]
}

OS_DRIVERS_REP

Response from an os_drivers request.

Platforms:

Sample Event:

{
  "SVCS": [
    {
      "PROCESS_ID": 0,
      "SVC_TYPE": 1,
      "SVC_NAME": "1394ohci",
      "SVC_STATE": 1,
      "HASH": "9ecf6211ccd30273a23247e87c31b3a2acda623133cef6e9b3243463c0609c5f",
      "SVC_DISPLAY_NAME": "1394 OHCI Compliant Host Controller",
      "EXECUTABLE": "\\SystemRoot\\System32\\drivers\\1394ohci.sys"
    }
  ]
}

OS_KILL_PROCESS_REP

Response from an os_kill_process request.

Platforms:

Sample Event:

{
  "ERROR": 0,
  "PROCESS_ID": 579
}

OS_PACKAGES_REP

List of packages installed on the system. This is currently Windows only but will be expanded to MacOS and Linux in the future.

Platforms:

Sample Event:

"PACKAGES": [
  {
    "PACKAGE_NAME": "Microsoft Windows Driver Development Kit Uninstall"
  }
]

OS_PROCESSES_REP

Response from an os_process request.

Platforms:

Sample Event:

{
  "PROCESSES": [
    {
      "COMMAND_LINE": "/sbin/init",
      "FILE_PATH": "/usr/lib/systemd/systemd",
      "HASH": "477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd"
    }
  ]
}

OS_RESUME_REP

Response from an os_resume request.

Platforms:

OS_SERVICES_REP

Response from an os_services request.

Platforms:

Sample Event:

{
  "SVCS": [
    {
      "PROCESS_ID": 0,
      "SVC_TYPE": 32,
      "DLL": "%SystemRoot%\\System32\\AJRouter.dll",
      "SVC_NAME": "AJRouter"
    }
  ]
}

OS_SUSPEND_REP

Response from an os_suspend request.

Platforms:

OS_USERS_REP

Response from an os_users request.

Platforms:

Sample Event:

{
  "USERS": [
    {
      "USER_NAME": "Administrator"
    }
  ]
}

OS_VERSION_REP

Response from an os_version request.

Platforms:

Sample Event:

{
  "BUILD_NUMBER": 20348
}

PCAP_LIST

_INTERFACES_REP
Response from a pcap_ifaces request.

Platforms:

Sample Event:

{
  "INTERFACE": [
    {
      "NAME": "ens4",
      "IPV4": ["10.128.15.198"]
    }
  ]
}

PROCESS_ENVIRONMENT

Generated when a process starts. It lists all environment variables associated with that new process.

Platforms:

{
  "ENVIRONMENT_VARIABLES": [
    "LANG=en_US.UTF-8",
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "NOTIFY_SOCKET=/run/systemd/notify",
    "LISTEN_PID=18950",
    "LISTEN_FDS=2"
  ],
  "PROCESS_ID": 13463
}

RECEIPT

This event is used as a generic response to some commands. The contents of a RECEIPT event usually contain an ERROR code that you can use to determine if the command was successful (ERROR codes can be explored here). It's often a good idea to issue the original command with an investigation_id which will get echoed in the RECEIPT related to that command to make it easier to track.

Platforms:


REGISTRY_CREATE

This event is generated whenever a registry key / value is created on a Windows OS.

Platforms:

{
  "PROCESS_ID":  764,
  "REGISTRY_KEY":   "\\REGISTRY\\A\\{fddf4643-a007-4086-903e-be998801d0f7}\\Events\\{8fb5d848-23dc-498f-ac61-84b93aac1c33}"
}

REGISTRY_DELETE

This event is generated whenever a registry key / value is deleted on a Windows OS.

Platforms:

{
  "PROCESS_ID":  764,
  "REGISTRY_KEY":   "\\REGISTRY\\A\\{fddf4643-a007-4086-903e-be998801d0f7}\\Events\\{8fb5d848-23dc-498f-ac61-84b93aac1c33}"
}

REGISTRY_LIST_REP

This event is generated in response to the reg_list command to list keys and values in a registry key.

Platforms:

Sample Event:

{
    "REGISTRY_KEY": [
      "ActiveState"
    ],
    "ROOT": "hklm\\software",
    "REGISTRY_VALUE": [
      {
        "TYPE": 4,
        "NAME": "Order"
      }
    ],
    "ERROR": 0
}

REGISTRY_WRITE

This event is generated whenever a registry value is written to on a Windows OS.

The REGISTRY_VALUE contains the first 16 bytes of the value written to the registry. If this value is a valid ASCII or Unicode string, the value will be as-is. On the other hand if the value is binary data, it will be a base64 encoded string, see examples below.

The SIZE is the size value used in the original registry write call. The TYPE is the Windows data type of the entry written as per Microsoft's definition.

Platforms:

Valid string payload:

{
  "PROCESS_ID":1820,
  "REGISTRY_KEY":"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Diagnostics\\LastKnownGoodPlatformLocation",
  "REGISTRY_VALUE":"C:\\Progr",
  "SIZE":1,
  "TYPE":1,
}

Binary payload:

{
  "PROCESS_ID": 1700,
  "REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Default\\LastHeartBeatTime",
  "REGISTRY_VALUE": "bMPGjjDM1wE=",
"SIZE": 11,
  "TYPE": 11
}

REJOIN_NETWORK

Emitted after a sensor is allowed network connectivity again (after it was previously segregated). An error code of 0 indicates success.

Platforms:

Sample Event:

{
  "ERROR": 0
}

REMOTE_PROCESS_HANDLE

Generated whenever a process opens a handle to another process with access flags like VM_READ, VM_WRITE, or PROCESS_CREATE_THREAD.

The ACCESS_FLAGS is the access mask as defined here.

Platforms:

{
  "ACCESS_FLAGS": 136208,
  "PARENT_PROCESS_ID": 6492,
  "PROCESS_ID": 2516
}

SEGREGATE_NETWORK

Emitted when a sensor is segregated (isolated) from the network using the segregate_network command. An error code of 0 indicates success.

Platforms:

Sample Event:

{
  "ERROR": 0
}

SENSITIVE_PROCESS_ACCESS

Generated when a process gains sensitive access to operating system processes like lsass.exe on Windows.

Note

SENSITIVE_PROCESS_ACCESS currently is only emitted for processes accessing lsass.exe on Windows.

Platforms:

{
  "EVENTS": [
    {
      "event": {
        "COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
        "FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
        "PARENT_PROCESS_ID": 484,
        "PROCESS_ID": 636,
        "THREADS": 12,
        "USER_NAME": "BUILTIN\\Administrators"
      }
    }
  ]
}

SERVICE_CHANGE

Generated when a Service is changed.

Platforms:

{
  "PROCESS_ID": 0,
  "SVC_TYPE": 32,
  "DLL": "%SystemRoot%\\system32\\wlidsvc.dll",
  "SVC_NAME": "wlidsvc",
  "SVC_STATE": 1,
  "HASH": "b37199495115ed423ba99b7317377ce865bb482d4e847861e871480ac49d4a84",
  "SVC_DISPLAY_NAME": "Microsoft Account Sign-in Assistant",
  "TIMESTAMP": 1467942600540,
  "EXECUTABLE": "%SystemRoot%\\system32\\svchost.exe -k netsvcs"
}

SEGREGATE_NETWORK

Emitted when a sensor is segregated (isolated) from the network using the segregate_network command.

Platforms:


SSH_LOGIN

Generated when a user logs in via SSH.

Platforms:

{
  "USER_NAME": "root",
  "TIMESTAMP": 1468335816308
}

SELF_TEST

Internal event to manually request a power-on-self-test (POST) from the sensor.


SHUTTING_DOWN

Event generated when the sensor shuts down. Note: this event may not be observed if the host shuts down abruptly or too quickly.

Platforms:

Event Data

Field

Type

Notes

ts

Epoch timestamp

Sample Event:

{
  "SHUTTING_DOWN": {
    "ts": 1455674775
  }
}

SSH_LOGOUT

Generated when a user logs out via SSH.

Platforms:

{
  "USER_NAME": "root",
  "TIMESTAMP": 1468335916308
}

STARTING_UP

Event generated when the sensor starts.

Platforms:

Event Data

Field

Type

Notes

ts

Epoch timestamp

Sample Event:

{
  "STARTING_UP": {
    "ts": 1455674775
  }
}

TERMINATE_PROCESS

Generated when a process exits.

Platforms:

{
  "PARENT_PROCESS_ID": 5820,
  "TIMESTAMP": 1456285661,
  "PROCESS_ID": 6072
}

TERMINATE_TCP4_CONNECTION

Generated when a TCPv4 connection terminates.

{
  "DESTINATION": {
    "IP_ADDRESS": "61.55.252.93",
    "PORT": 443
  },
  "PROCESS_ID": 4784,
  "SOURCE": {
    "IP_ADDRESS": "172.16.223.138",
    "PORT": 50145
  }
}

TERMINATE_TCP6_CONNECTION

Generated when a TCPv6 connection terminates.


TERMINATE_UDP4_CONNECTION

Generated when a UDPv4 socket terminates.


TERMINATE_UDP6_CONNECTION

Generated when a UDPv6 socket terminates.


THREAD_INJECTION

This event is generated when the sensor detects what looks like a thread injection into a remote process.

Platforms:

{
  "event": {
    "EVENTS": [
      {
        "event": {
          "ACCESS_FLAGS": 2097151,
          "PARENT_PROCESS_ID": 5380,
          "PROCESS_ID": 4276,
          "SOURCE": {
            "BASE_ADDRESS": 140701160243200,
            "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
            "MEMORY_USAGE": 5881856,
            "PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
            "PARENT_PROCESS_ID": 5972,
            "PROCESS_ID": 5380,
            "THIS_ATOM": "37b57d228af708b25d097f32659ee557",
            "THREADS": 3,
            "TIMESTAMP": 1704912214704,
            "USER_NAME": "WINDOWS-SERVER-\\whitney"
          },
          "TARGET": {
            "COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
            "HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
            "MEMORY_USAGE": 6156288,
            "PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
            "PARENT_PROCESS_ID": 628,
            "PROCESS_ID": 4276,
            "THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
            "THREADS": 3,
            "TIMESTAMP": 1704912150174,
            "USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
          }
        },
        "routing": {
          "arch": 2,
          "did": "",
          "event_id": "d61caa47-225a-4f6a-9f3a-6094cdb3c383",
          "event_time": 1704912219717,
          "event_type": "REMOTE_PROCESS_HANDLE",
          "ext_ip": "104.198.223.172",
          "hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
          "iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
          "int_ip": "10.128.15.197",
          "moduleid": 2,
          "oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
          "parent": "37b57d228af708b25d097f32659ee557",
          "plat": 268435456,
          "sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
          "tags": [
            "windows"
          ],
          "target": "fe1dee93442392ea97becdad659ee516",
          "this": "87509849fc608bce8a236f49659ee55b"
        }
      },
      {
        "event": {
          "PARENT_PROCESS_ID": 5380,
          "PROCESS_ID": 4276,
          "SOURCE": {
            "BASE_ADDRESS": 140701160243200,
            "COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
            "HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
            "MEMORY_USAGE": 5881856,
            "PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
            "PARENT_PROCESS_ID": 5972,
            "PROCESS_ID": 5380,
            "THIS_ATOM": "37b57d228af708b25d097f32659ee557",
            "THREADS": 3,
            "TIMESTAMP": 1704912214704,
            "USER_NAME": "WINDOWS-SERVER-\\whitney"
          },
          "TARGET": {
            "COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
            "FILE_IS_SIGNED": 1,
            "FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
            "HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
            "MEMORY_USAGE": 6156288,
            "PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
            "PARENT_PROCESS_ID": 628,
            "PROCESS_ID": 4276,
            "THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
            "THREADS": 3,
            "TIMESTAMP": 1704912150174,
            "USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
          },
          "THREAD_ID": 3672
        },
        "routing": {
          "arch": 2,
          "did": "",
          "event_id": "ece7d85e-a43c-49d3-bc9a-28ace6dc1b02",
          "event_time": 1704912219967,
          "event_type": "NEW_REMOTE_THREAD",
          "ext_ip": "104.198.223.172",
          "hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
          "iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
          "int_ip": "10.128.15.197",
          "moduleid": 2,
          "oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
          "parent": "37b57d228af708b25d097f32659ee557",
          "plat": 268435456,
          "sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
          "tags": [
            "windows"
          ],
          "target": "fe1dee93442392ea97becdad659ee516",
          "this": "b30a499edf9ec2e424b07d20659ee55b"
        }
      }
    ]
  }
  "ts": "2024-01-10 18:43:39"
}

USER_LOGIN

Generated when a user logs in to the operating system.

Platforms:


USER_LOGOUT

Generated when a user logs out of the operating system.

Platforms:


USER_OBSERVED

Generated the first time a user is observed on a host.

Platforms:

{
  "TIMESTAMP": 1479241363009,
  "USER_NAME": "root"
}

VOLUME_MOUNT

This event is generated when a volume is mounted.

Platforms:

{
  "VOLUME_PATH": "E:",
  "DEVICE_NAME": "\\Device\\HarddiskVolume3"
}

VOLUME_UNMOUNT

This event is generated when a volume is unmounted.

Platforms:

{
  "VOLUME_PATH": "/Volumes/RECOVERY",
  "VOLUME_NAME": "/dev/disk2s1"
}

YARA_DETECTION

Generated when a YARA scan finds a match.

Platforms:

{
  "RULE_NAME": "malware_detection_rule",
  "FILE_PATH": "C:\\malicious.exe",
  "HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}


Was this article helpful?