Contents x
    Sensor Activity
    • 08 Feb 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Contents
      This documentation version is deprecated, please click here for the latest version.

    Sensor Activity

    • Updated on 08 Feb 2024
    • 1 Minute to read
    • Contributors
    • Print
    • Dark
      Light
    Article summary

    The following events pertain to general sensor activity (e.g. start up, shut down, etc.).

    CLOUD_NOTIFICATION

    This event is a receipt from the agent that it has received the task sent to it, and includes high level errors (if any).

    Platforms:

    {
  "NOTIFICATION_ID": "ADD_EXFIL_EVENT_REQ",
  "NOTIFICATION": {
    "INVESTIGATION_ID": "digger-4afdeb2b-a0d8-4a37-83b5-48996117998e"
  },
  "HCP_IDENT": {
    "HCP_ORG_ID": "c82e5c17d5194ef5a4acc454a95d31db",
    "HCP_SENSOR_ID": "8fc370e6699a49858e75c1316b725570",
    "HCP_INSTALLER_ID": "00000000000000000000000000000000",
    "HCP_ARCHITECTURE": 0,
    "HCP_PLATFORM": 0
  },
  "EXPIRY": 0
}

    CONNECTED

    This event is generated when a Sensor connects to the cloud.

    Platforms:

    Event Data:

    FieldTypeNotes
    HOST_NAMEString
    IS_SEGREGATEDBoolean integerSignals whether the sensor is currently under network isolation.
    KERNEL_ACQ_AVAILABLEBoolean integer
    MAC_ADDRESSMAC Address

    Sample Event:

    {
    "HOST_NAME" : "demo-win-2016",
    "IS_SEGREGATED" : 0,
    "KERNEL_ACQ_AVAILABLE" : 1,
    "MAC_ADDRESS" : "42-01-0A-80-00-02"
}

    DISCONNECTED

    This event is generated when a Sensor disconnects from the cloud.

    Platforms:

    Event Data

    FieldTypeNotes
    tsEpoch timestamp

    Sample Event:

    {
  "DISCONNECTED": {
  },
  "ts": 1455674775
}

    RECEIPT

    This event is used as a generic response to some commands. The contents of a RECEIPT event usually contain an ERROR code that you can use to determine if the command was successful (ERROR codes can be explored here). It's often a good idea to issue the original command with an investigation_id which will get echoed in the RECEIPT related to that command to make it easier to track.

    Platforms:

    SEGREGATE_NETWORK

    Emitted when a sensor is segregated (isolated) from the network using the segregate_network command.

    Platforms:

    SELF_TEST

    Internal event to manually request a power-on-self-test (POST) from the sensor.

    SHUTTING_DOWN

    Event generated when the sensor shuts down. Note: this event may not be observed if the host shuts down abruptly or too quickly.

    Platforms:

    Event Data

    FieldTypeNotes
    tsEpoch timestamp

    Sample Event:

    {
  "SHUTTING_DOWN": {
    "ts": 1455674775
  }
}

    STARTING_UP

    Event generated when the sensor starts.

    Platforms:

    Event Data

    FieldTypeNotes
    tsEpoch timestamp

    Sample Event:

    {
  "STARTING_UP": {
    "ts": 1455674775
  }
}
    Was this article helpful?
    What's Next