Sensor Activity
- 08 Feb 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
Sensor Activity
- Updated on 08 Feb 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
Article Summary
Share feedback
Thanks for sharing your feedback!
The following events pertain to general sensor activity (e.g. start up, shut down, etc.).
CLOUD_NOTIFICATION
This event is a receipt from the agent that it has received the task sent to it, and includes high level errors (if any).
Platforms:
{
"NOTIFICATION_ID": "ADD_EXFIL_EVENT_REQ",
"NOTIFICATION": {
"INVESTIGATION_ID": "digger-4afdeb2b-a0d8-4a37-83b5-48996117998e"
},
"HCP_IDENT": {
"HCP_ORG_ID": "c82e5c17d5194ef5a4acc454a95d31db",
"HCP_SENSOR_ID": "8fc370e6699a49858e75c1316b725570",
"HCP_INSTALLER_ID": "00000000000000000000000000000000",
"HCP_ARCHITECTURE": 0,
"HCP_PLATFORM": 0
},
"EXPIRY": 0
}
CONNECTED
This event is generated when a Sensor connects to the cloud.
Platforms:
Event Data:
| Field | Type | Notes |
|---|---|---|
| HOST_NAME | String | |
| IS_SEGREGATED | Boolean integer | Signals whether the sensor is currently under network isolation. |
| KERNEL_ACQ_AVAILABLE | Boolean integer | |
| MAC_ADDRESS | MAC Address |
Sample Event:
{
"HOST_NAME" : "demo-win-2016",
"IS_SEGREGATED" : 0,
"KERNEL_ACQ_AVAILABLE" : 1,
"MAC_ADDRESS" : "42-01-0A-80-00-02"
}
DISCONNECTED
This event is generated when a Sensor disconnects from the cloud.
Platforms:
Event Data
| Field | Type | Notes |
|---|---|---|
| ts | Epoch timestamp |
Sample Event:
{
"DISCONNECTED": {
},
"ts": 1455674775
}
RECEIPT
This event is used as a generic response to some commands. The contents of a RECEIPT event usually contain an ERROR code that you can use to determine if the command was successful (ERROR codes can be explored here). It's often a good idea to issue the original command with an investigation_id which will get echoed in the RECEIPT related to that command to make it easier to track.
Platforms:
SEGREGATE_NETWORK
Emitted when a sensor is segregated (isolated) from the network using the segregate_network command.
Platforms:
SELF_TEST
Internal event to manually request a power-on-self-test (POST) from the sensor.
SHUTTING_DOWN
Event generated when the sensor shuts down. Note: this event may not be observed if the host shuts down abruptly or too quickly.
Platforms:
Event Data
| Field | Type | Notes |
|---|---|---|
| ts | Epoch timestamp |
Sample Event:
{
"SHUTTING_DOWN": {
"ts": 1455674775
}
}
STARTING_UP
Event generated when the sensor starts.
Platforms:
Event Data
| Field | Type | Notes |
|---|---|---|
| ts | Epoch timestamp |
Sample Event:
{
"STARTING_UP": {
"ts": 1455674775
}
}
Was this article helpful?