Overview
This page provides a detailed overview of all events generated by the LimaCharlie Endpoint Agent. Each event type represents a specific system activity, from process creation to network connections and file modifications. Events serve as key components in detection, response, and monitoring, enabling security teams to track, analyze, and take action on endpoint behavior. Use this guide to understand the purpose and structure of each event for effective threat detection and investigation.
Generally, event types ending with *_REP are emitted in response to a command being issued to the endpoint agent.
EDR Events by Supported OS
These are the events emitted by the endpoint agent for each supported operating system. Below the table, you can find descriptions of each event type.
Event Descriptions
AUTORUN_CHANGE
Generated when an Autorun is changed.
Platforms:
{
"REGISTRY_KEY": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"TIMESTAMP": 1627497894000
}
CLOUD_NOTIFICATION
This event is a receipt from the agent that it has received the task sent to it, and includes high-level errors (if any).
Platforms:
{
"NOTIFICATION_ID": "ADD_EXFIL_EVENT_REQ",
"NOTIFICATION": {
"INVESTIGATION_ID": "digger-4afdeb2b-a0d8-4a37-83b5-48996117998e"
},
"HCP_IDENT": {
"HCP_ORG_ID": "c82e5c17d5194ef5a4acc454a95d31db",
"HCP_SENSOR_ID": "8fc370e6699a49858e75c1316b725570",
"HCP_INSTALLER_ID": "00000000000000000000000000000000",
"HCP_ARCHITECTURE": 0,
"HCP_PLATFORM": 0
},
"EXPIRY": 0
}
CODE_IDENTITY
Unique combinations of file hash and file path. This event is emitted the first time the combination is seen, typically when the binary is executed or loaded. Therefore it's a great event to look for hashes without being overwhelmed by process execution or module loads.
ONGOING_IDENTITY
The ONGOING_IDENTITY event emits code signature information even when the hash/path combination is not newly seen; this data can therefore become duplicative and verbose.
Platforms:
{
"MEMORY_SIZE": 0,
"FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
"TIMESTAMP": 1456285265,
"SIGNATURE": {
"CERT_ISSUER": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Signing PCA",
"CERT_CHAIN_STATUS": 124,
"FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\B1B207E5-300E-434F-B4FE-A4816E6551BE\\dismhost.exe",
"CERT_SUBJECT": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=MOPR, CN=Microsoft Corporation"
},
"HASH": "4ab4024eb555b2e4c54d378a846a847bd02f66ac54849bbce5a1c8b787f1d26c"
}
CONNECTED
This event is generated when a Sensor connects to the cloud.
Platforms:
{
"HOST_NAME" : "demo-win-2016",
"IS_SEGREGATED" : 0,
"KERNEL_ACQ_AVAILABLE" : 1,
"MAC_ADDRESS" : "42-01-0A-80-00-02"
}
DEBUG_DATA_REP
Response from a get_debug_data request.
DIR_FINDHASH_REP
Response event for the dir_find_hash sensor command.
Platforms:
Sample Event:
{
"DIRECTORY_LIST": [
{
"HASH": "f11dda931637a1a1bc614fc2f320326b24336c5155679aa062acae7c79f33d67",
"ACCESS_TIME": 1535994794247,
"FILE_SIZE": 113664,
"CREATION_TIME": 1467173189067,
"MODIFICATION_TIME": 1467173190171,
"FILE_NAME": "MALWARE_DEMO_WINDOWS_1.exe",
"ATTRIBUTES": 32,
"FILE_PATH": "c:\\users\\dev\\desktop\\MALWARE_DEMO_WINDOWS_1.exe"
},
{
"HASH": "e37726feee8e72f3ab006e023cb9d6fa1a4087274b47217d2462325fa8008515",
"ACCESS_TIME": 1535989041078,
"FILE_SIZE": 1016320,
"CREATION_TIME": 1522507344821,
"MODIFICATION_TIME": 1522507355732,
"FILE_NAME": "lc_win_64.exe",
"ATTRIBUTES": 32,
"FILE_PATH": "c:\\users\\dev\\desktop\\lc_win_64.exe"
}
],
"HASH": [
"f11dda931637a1a1bc614fc2f320326b24336c5155679aa062acae7c79f33d67",
"e37726feee8e72f3ab006e023cb9d6fa1a4087274b47217d2462325fa8008515"
],
"FILE_PATH": "*.exe",
"DIRECTORY_LIST_DEPTH": 0,
"DIRECTORY_PATH": "c:\\users\\dev\\desktop\\"
}
DIR_LIST_REP
Response event for the dir_list sensor command. Includes Alternate Data Streams on Windows.
Platforms:
Sample Event:
{
"DIRECTORY_LIST": [
{
"FILE_NAME": "vssdk_full.exe",
"CREATION_TIME": 1553437930012,
"MODIFICATION_TIME": 1553437937000,
"STREAMS": [
{
"FILE_NAME": "::$DATA",
"SIZE": 13782032
}
],
"ACCESS_TIME": 1567868284440,
"FILE_SIZE": 13782032,
"ATTRIBUTES": 32,
"FILE_PATH": "c:\\users\\dev\\desktop\\vssdk_full.exe"
},
{
"FILE_NAME": "UniversalLog.txt",
"CREATION_TIME": 1553028205525,
"MODIFICATION_TIME": 1553028206289,
"STREAMS": [
{
"FILE_NAME": "::$DATA",
"SIZE": 125
},
{
"FILE_NAME": ":Zone.Identifier:$DATA",
"SIZE": 377
}
],
"ACCESS_TIME": 1567868284158,
"FILE_SIZE": 125,
"ATTRIBUTES": 32,
"FILE_PATH": "c:\\users\\dev\\desktop\\UniversalLog.txt"
}
]
}
DISCONNECTED
This event is generated when a Sensor disconnects from the cloud.
Platforms:
{
"DISCONNECTED": {},
"ts": 1455674775
}
DNS_REQUEST
Generated from DNS responses and therefore includes both the requested domain and the server's answer. If the server returns multiple answers (as the DNS protocol allows), the N answers become N DNS_REQUEST events, so one DNS_REQUEST event always means one answer.
Platforms:
{
"DNS_TYPE": 1,
"TIMESTAMP": 1456285240,
"DNS_FLAGS": 0,
"DOMAIN_NAME": "time.windows.com"
}
DRIVER_CHANGE
Generated when a driver is changed.
Platforms:
{
"PROCESS_ID": 0,
"SVC_DISPLAY_NAME": "HbsAcq",
"SVC_NAME": "HbsAcq",
"SVC_STATE": 1,
"SVC_TYPE": 1,
"TIMESTAMP": 1517377895873
}
EXISTING_PROCESS
This event is similar to the NEW_PROCESS event. It gets emitted when a process existed prior to the LimaCharlie sensor loading.
Platforms:
FILE_CREATE
Generated when a file is created.
Platforms:
{
"FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01tmp.log",
"TIMESTAMP": 1468335271948
}
FILE_DEL_REP
Response event for the file_del sensor command.
Platforms:
Sample Event:
{
"FILE_PATH": "C:\\test\\test.txt"
}
FILE_DELETE
Generated when a file is deleted.
Platforms:
{
"FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Temp\\EBA4E4F0-3020-459E-9E34-D5336E244F05\\api-ms-win-core-processthreads-l1-1-2.dll",
"TIMESTAMP": 1468335611906
}
FILE_GET_REP
Response event for the file_get sensor command.
Platforms:
Sample Event:
{
"FILE_CONTENT": "$BASE64_ENCODED_FILE_CONTENTS",
"FILE_PATH": "C:\\windows\\system32\\svchost.exe",
"FILE_SIZE": 78880
}
FILE_HASH_REP
Response event for the file_hash sensor command.
Platforms:
Sample Event:
{
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\svchost.exe",
"HASH": "31780ff2aaf7bc71f755ba0e4fef1d61b060d1d2741eafb33cbab44d889595a0",
"SIGNATURE": {
"CERT_ISSUER": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011",
"CERT_SUBJECT": "C=US, S=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Publisher",
"FILE_CERT_IS_VERIFIED_LOCAL": 1,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\svchost.exe"
}
}
FILE_INFO_REP
Response event for the file_info sensor command.
Platforms:
Sample Event:
{
"ACCESS_TIME": 1686685723546,
"ATTRIBUTES": 0,
"CREATION_TIME": 1686685723546,
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\System32\\svchost.exe",
"FILE_SIZE": 78880,
"MODIFICATION_TIME": 1686685723546
}
FILE_MODIFIED
Generated when a file is modified.
Platforms:
{
"FILE_PATH": "C:\\Users\\dev\\AppData\\Local\\Microsoft\\Windows\\WebCache\\V01.log",
"TIMESTAMP": 1468335272949
}
FILE_MOV_REP
Response event for the file_mov sensor command.
Platforms:
Sample Event:
{
"DESTINATION": "C:\\test\\test.txt.bak",
"SOURCE": "C:\\test\\test.txt"
}
FILE_TYPE_ACCESSED
Generated when a new process is observed interacting with certain file types.
The RULE_NAME component is the class of file extension involved:
Rule 1: .doc, .docm, .docx
Rule 2: .xlt, .xlsm, .xlsx
Rule 3: .ppt, .pptm, .pptx, .ppts
Rule 4: .pdf
Rule 5: .rtf
Rule 50: .zip
Rule 51: .rar
Rule 64: .locky, .aesir
Platforms:
{
"PROCESS_ID": 2048,
"RULE_NAME": 50,
"FILE_PATH": "C:\\Program Files\\7-Zip\\7zG.exe"
}
FIM_ADD
Response event for the fim_add sensor command. An ERROR: 0 implies the path was successfully added.
Platforms:
Output:
{
"event": {
"ERROR": 0
}
}
FIM_DEL
Response event for the fim_del sensor command. An ERROR: 0 implies the path was successfully removed. An ERROR: 3 response implies the provided path was not found in the list of FIM patterns.
Platforms:
Output:
{
"event": {
"ERROR": 0
}
}
FIM_HIT
A file, directory, or registry key being monitored by File & Registry Integrity Monitoring has been modified.
Platforms:
{
"PROCESS": {
"MEMORY_USAGE": 25808896,
"TIMESTAMP": 1541348299886,
"COMMAND_LINE": "\"C:\\WINDOWS\\regedit.exe\" ",
"PROCESS_ID": 4340,
"THREADS": 3,
"USER_NAME": "BUILTIN\\Administrators",
"FILE_PATH": "C:\\WINDOWS\\regedit.exe",
"PARENT_PROCESS_ID": 6260
},
"REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\ActiveState\\New Value #1",
"PROCESS_ID": 4340
}
FIM_LIST_REP
Response event for the fim_get sensor command. The response will be a JSON list of FIM patterns.
Platforms:
Output:
{
"PATTERNS": [
"/home/*",
"/home/*/.ssh/*",
"/root/.ssh/authorized_keys"
]
}
GET_DOCUMENT_REP
Generated when a doc_cache_get task requests a cached document.
Platforms:
GET_EXFIL_EVENT_REP
Response from an exfil_get sensor command.
Platforms:
HIDDEN_MODULE_DETECTED
Generated when a hidden_module_scan command is issued.
Note that the name of the event does not confirm the presence of a hidden module. Check the output to confirm whether a hidden module was detected.
Platforms:
Sample Event:
{
"ERROR": 0,
"ERROR_MESSAGE": "done"
}
HISTORY_DUMP_REP
Response from the history_dump sensor command. Does not itself contain the historic events, but is generated alongside them.
Platforms:
HTTP_REQUEST
This event is emitted whenever an HTTP request is made.
Platforms:
Sample Event:
{
"URL": "https://play.google.com/log?authuser=0",
"IP_ADDRESS": "172.217.2.142",
"RESULT": 200,
"PARENT": {
"URL": "https://console.cloud.google.com"
}
}
HTTP_REQUEST_HEADERS
Provides HTTP Request headers.
Platforms:
Sample Event:
{
"HEADERS": [
{
"NAME": "User-Agent",
"VALUE": "Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
},
{
"NAME": "Accept",
"VALUE": "*/*"
}
]
}
HTTP_RESPONSE_HEADERS
Provides HTTP Response headers.
Platforms:
Sample Event:
{
"HEADERS": [
{
"NAME": "content-length",
"VALUE": "859"
},
{
"NAME": "cache-control",
"VALUE": "max-age=3600"
},
{
"NAME": "content-encoding",
"VALUE": "br"
},
{
"NAME": "content-type",
"VALUE": "text/html; charset=utf-8"
},
{
"NAME": "etag",
"VALUE": "\"1540d7725dd15680377d45886baba56f620f7692faa530bc3597226ffadd77d1-br\""
},
{
"NAME": "last-modified",
"VALUE": "Thu, 21 Dec 2023 23:59:32 GMT"
},
{
"NAME": "referrer-policy",
"VALUE": "sameorigin"
},
{
"NAME": "strict-transport-security",
"VALUE": "max-age=3600 ; includeSubDomains"
},
{
"NAME": "x-content-type-options",
"VALUE": "nosniff"
},
{
"NAME": "x-frame-options",
"VALUE": "sameorigin"
},
{
"NAME": "accept-ranges",
"VALUE": "bytes"
},
{
"NAME": "date",
"VALUE": "Fri, 22 Dec 2023 19:10:58 GMT"
},
{
"NAME": "x-served-by",
"VALUE": "cache-dub4332-DUB"
},
{
"NAME": "x-cache",
"VALUE": "HIT"
},
{
"NAME": "x-cache-hits",
"VALUE": "1"
},
{
"NAME": "x-timer",
"VALUE": "S1703272259.579745,VS0,VE1"
},
{
"NAME": "vary",
"VALUE": "x-fh-requested-host, accept-encoding"
},
{
"NAME": "alt-svc",
"VALUE": "h3=\":443\";ma=86400,h3-29=\":443\";ma=86400,h3-27=\":443\";ma=86400"
}
]
}
LOG_GET_REP
Response from a log_get request.
LOG_LIST_REP
Response from a log_list request.
MEM_FIND_HANDLES_REP
Response event for the mem_find_handle sensor command.
Platforms:
MEM_FIND_STRING_REP
Response event for the mem_find_string sensor command.
Platforms:
MEM_HANDLES_REP
Response event for the mem_handles sensor command. This event will contain an array of handles identified in memory.
Platforms:
Sample Event:
{
"HANDLES": [
{
"HANDLE_NAME": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HANDLE_TYPE": "Key",
"HANDLE_VALUE": 4,
"PROCESS_ID": 908
},
{
"HANDLE_NAME": "\\KnownDlls",
"HANDLE_TYPE": "Directory",
"HANDLE_VALUE": 48,
"PROCESS_ID": 908
},
"..."]
}
MEM_MAP_REP
Response event for the mem_map sensor command. This event will contain an array of arrays, representing processes and their associated memory data.
Platforms:
Sample Event:
{
"MEMORY_MAP": [
{
"BASE_ADDRESS": 94100802174976,
"MEMORY_ACCESS": 6,
"MEMORY_SIZE": 4096,
"MEMORY_TYPE": 3
}
]
}
MEM_READ_REP
Response event for the mem_read sensor command.
Platforms:
Sample Event:
{
"MEMORY_DUMP": "TGltYU...",
"PROCESS_ID": 745
}
MEM_STRINGS_REP
Response event for the mem_strings sensor command. The response will contain two arrays of arrays, STRINGSA and STRINGSW.
Platforms:
Sample Event:
{
"PROCESS_ID": 745,
"STRINGSA": [
[
"/lib64/ld-linux-x86-64.so.2",
"__gmon_start__"
]
]
}
MODULE_LOAD
Generated when a module (like DLL on Windows) is loaded in a process.
Platforms:
{
"MEMORY_SIZE": 241664,
"PROCESS_ID": 2904,
"FILE_PATH": "C:\\Windows\\System32\\imm32.dll",
"MODULE_NAME": "imm32.dll",
"TIMESTAMP": 1468335264989,
"BASE_ADDRESS": 140715814092800
}
NETSTAT_REP
Response from a netstat command to list active network sockets.
Platforms:
Sample Event:
{
"FRIENDLY": 0,
"NETWORK_ACTIVITY": [
{
"DESTINATION": {
"IP_ADDRESS": "0.0.0.0",
"PORT": 0
},
"PROCESS_ID": 856,
"PROTOCOL": "tcp4",
"SOURCE": {
"IP_ADDRESS": "0.0.0.0",
"PORT": 135
}
}
]
}
NETWORK_CONNECTIONS
List of recent network connections performed by a process.
Platforms:
{
"NETWORK_ACTIVITY": [
{
"SOURCE": {
"IP_ADDRESS": "172.16.223.138",
"PORT": 50396
},
"IS_OUTGOING": 1,
"DESTINATION": {
"IP_ADDRESS": "23.214.49.56",
"PORT": 80
}
},
{
"SOURCE": {
"IP_ADDRESS": "172.16.223.138",
"PORT": 50397
},
"IS_OUTGOING": 1,
"DESTINATION": {
"IP_ADDRESS": "189.247.166.18",
"PORT": 80
}
},
{
"SOURCE": {
"IP_ADDRESS": "172.16.223.138",
"PORT": 50398
},
"IS_OUTGOING": 1,
"DESTINATION": {
"IP_ADDRESS": "23.217.70.67",
"PORT": 80
}
},
{
"SOURCE": {
"IP_ADDRESS": "172.16.223.138",
"PORT": 50399
},
"IS_OUTGOING": 1,
"DESTINATION": {
"IP_ADDRESS": "104.110.238.53",
"PORT": 80
}
},
{
"SOURCE": {
"IP_ADDRESS": "172.16.223.138",
"PORT": 50400
},
"IS_OUTGOING": 1,
"DESTINATION": {
"IP_ADDRESS": "23.214.49.56",
"PORT": 80
}
},
{
"SOURCE": {
"IP_ADDRESS": "172.16.223.138",
"PORT": 50401
},
"IS_OUTGOING": 1,
"DESTINATION": {
"IP_ADDRESS": "204.79.197.203",
"PORT": 80
}
}
],
"HASH": "2de228cad2e542b2af2554d61fab5463ecbba3ff8349ba88c3e48637ed8086e9",
"COMMAND_LINE": "C:\\WINDOWS\\system32\\msfeedssync.exe sync",
"PROCESS_ID": 6968,
"FILE_IS_SIGNED": 1,
"USER_NAME": "WIN-5KC7E0NG1OD\\dev",
"FILE_PATH": "C:\\WINDOWS\\system32\\msfeedssync.exe",
"PARENT_PROCESS_ID": 1892
}
NEW_DOCUMENT
Generated when a file is created that matches a set list of locations and extensions. It indicates the file has been cached in memory and can be retrieved using the doc_cache_get task.
The following file patterns are considered "documents":
.bat
.js
.ps1
.sh
.py
.exe
.scr
.pdf
.doc
.docm
.docx
.ppt
.pptm
.pptx
.xlt
.xlsm
.xlsx
.vbs
.rtf
.hta
.lnk
.xsl
.com
.png
.jpg
.asp
.aspx
.php
\windows\system32\
Platforms:
{
"FILE_PATH": "C:\\Users\\dev\\Desktop\\evil.exe",
"TIMESTAMP": 1468335816308,
"HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}
NEW_NAMED_PIPE
This event is emitted when a new Named Pipe is created by a process.
Platforms:
{
"FILE_PATH": "\\Device\\NamedPipe\\LOCAL\\mojo.6380.1072.2134013463507075011",
"PROCESS_ID": 6380
}
NEW_PROCESS
Generated when a new process starts.
Platforms:
{
"PARENT": {
"PARENT_PROCESS_ID": 7076,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe\" ",
"MEMORY_USAGE": 438730752,
"PROCESS_ID": 5820,
"THREADS": 39,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\Common7\\IDE\\devenv.exe",
"BASE_ADDRESS": 798949376
},
"PARENT_PROCESS_ID": 5820,
"COMMAND_LINE": "-q -s {0257E42D-7F05-42C4-B402-34C1CC2F2EAD} -p 5820",
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft Visual Studio 12.0\\VC\\vcpackages\\VCPkgSrv.exe",
"PROCESS_ID": 1080,
"THREADS": 9,
"MEMORY_USAGE": 8282112,
"TIMESTAMP": 1456285660,
"BASE_ADDRESS": 4194304
}
NEW_REMOTE_THREAD
Generated when a thread is created by a process in another process. This is often used by malware during various forms of code injection.
In the sample below, process id 492 created a thread (with id 9012) in process id 7944. The parent process is also globally uniquely identified by routing/parent, and the process where the thread was started is globally uniquely identified by routing/target (not visible here).
Platforms:
{
"THREAD_ID": 9012,
"PROCESS_ID": 7944,
"PARENT_PROCESS_ID": 492
}
NEW_TCP4_CONNECTION
Generated when a new TCPv4 connection is established, either inbound or outbound.
Platforms:
{
"PROCESS_ID": 6788,
"DESTINATION": {
"IP_ADDRESS": "172.16.223.219",
"PORT": 80
},
"STATE": 5,
"TIMESTAMP": 1468335512047,
"SOURCE": {
"IP_ADDRESS": "172.16.223.163",
"PORT": 63581
}
}
NEW_TCP6_CONNECTION
Generated when a new TCPv6 connection is established, either inbound or outbound.
Platforms:
NEW_UDP4_CONNECTION
Generated when a new UDPv4 socket "connection" is established, either inbound or outbound.
Platforms:
{
"TIMESTAMP": 1468335452828,
"PROCESS_ID": 924,
"IP_ADDRESS": "172.16.223.163",
"PORT": 63057
}
NEW_UDP6_CONNECTION
Generated when a new UDPv6 socket "connection" is established, either inbound or outbound.
Platforms:
OPEN_NAMED_PIPE
This event is emitted when an existing Named Pipe is opened by a process.
Platforms:
{
"FILE_PATH": "\\Device\\NamedPipe\\lsass",
"PROCESS_ID": 2232
}
OS_AUTORUNS_REP
Response from an os_autoruns request.
Platforms:
Sample Event:
{
"TIMESTAMP": 1456194620,
"AUTORUNS": [
{
"REGISTRY_KEY": "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VMware User Process",
"FILE_PATH": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr",
"HASH": "036608644e3c282efaac49792a2bb2534df95e859e2ddc727cd5d2e764133d14"
}
]
}
OS_DRIVERS_REP
Response from an os_drivers request.
Platforms:
Sample Event:
{
"SVCS": [
{
"PROCESS_ID": 0,
"SVC_TYPE": 1,
"SVC_NAME": "1394ohci",
"SVC_STATE": 1,
"HASH": "9ecf6211ccd30273a23247e87c31b3a2acda623133cef6e9b3243463c0609c5f",
"SVC_DISPLAY_NAME": "1394 OHCI Compliant Host Controller",
"EXECUTABLE": "\\SystemRoot\\System32\\drivers\\1394ohci.sys"
}
]
}
OS_KILL_PROCESS_REP
Response from an os_kill_process request.
Platforms:
Sample Event:
{
"ERROR": 0,
"PROCESS_ID": 579
}
OS_PACKAGES_REP
List of packages installed on the system. This is currently Windows only but will be expanded to macOS and Linux in the future.
Platforms:
Sample Event:
{
"PACKAGES": [
{
"PACKAGE_NAME": "Microsoft Windows Driver Development Kit Uninstall"
}
]
}
OS_PROCESSES_REP
Response from an os_process request.
Platforms:
Sample Event:
{
"PROCESSES": [
{
"COMMAND_LINE": "/sbin/init",
"FILE_PATH": "/usr/lib/systemd/systemd",
"HASH": "477209848fabcaf52c060d98287f880845cb07fc9696216dbcfe9b6ea8e72bcd"
}
]
}
OS_RESUME_REP
Response from an os_resume request.
Platforms:
OS_SERVICES_REP
Response from an os_services request.
Platforms:
Sample Event:
{
"SVCS": [
{
"PROCESS_ID": 0,
"SVC_TYPE": 32,
"DLL": "%SystemRoot%\\System32\\AJRouter.dll",
"SVC_NAME": "AJRouter"
}
]
}
OS_SUSPEND_REP
Response from an os_suspend request.
Platforms:
OS_USERS_REP
Response from an os_users request.
Platforms:
Sample Event:
{
"USERS": [
{
"USER_NAME": "Administrator"
}
]
}
OS_VERSION_REP
Response from an os_version request.
Platforms:
Sample Event:
{
"BUILD_NUMBER": 20348
}
PCAP_LIST_INTERFACES_REP
Response from a pcap_ifaces request.
Platforms:
Sample Event:
{
"INTERFACE": [
{
"NAME": "ens4",
"IPV4": ["10.128.15.198"]
}
]
}
PROCESS_ENVIRONMENT
Generated when a process starts. It lists all environment variables associated with that new process.
Platforms:
{
"ENVIRONMENT_VARIABLES": [
"LANG=en_US.UTF-8",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"NOTIFY_SOCKET=/run/systemd/notify",
"LISTEN_PID=18950",
"LISTEN_FDS=2"
],
"PROCESS_ID": 13463
}
RECEIPT
This event is used as a generic response to some commands. The contents of a RECEIPT event usually contain an ERROR code that you can use to determine if the command was successful (ERROR codes can be explored here). It's often a good idea to issue the original command with an investigation_id, which will get echoed in the RECEIPT related to that command to make it easier to track.
Platforms:
REGISTRY_CREATE
This event is generated whenever a registry key / value is created on a Windows OS.
Platforms:
{
"PROCESS_ID": 764,
"REGISTRY_KEY": "\\REGISTRY\\A\\{fddf4643-a007-4086-903e-be998801d0f7}\\Events\\{8fb5d848-23dc-498f-ac61-84b93aac1c33}"
}
REGISTRY_DELETE
This event is generated whenever a registry key / value is deleted on a Windows OS.
Platforms:
{
"PROCESS_ID": 764,
"REGISTRY_KEY": "\\REGISTRY\\A\\{fddf4643-a007-4086-903e-be998801d0f7}\\Events\\{8fb5d848-23dc-498f-ac61-84b93aac1c33}"
}
REGISTRY_LIST_REP
This event is generated in response to the reg_list command to list keys and values in a registry key.
Platforms:
Sample Event:
{
"REGISTRY_KEY": [
"ActiveState"
],
"ROOT": "hklm\\software",
"REGISTRY_VALUE": [
{
"TYPE": 4,
"NAME": "Order"
}
],
"ERROR": 0
}
REGISTRY_WRITE
This event is generated whenever a registry value is written to on a Windows OS.
The REGISTRY_VALUE contains the first 16 bytes of the value written to the registry. If this value is a valid ASCII or Unicode string, the value is passed through as-is; if the value is binary data, it is a base64 encoded string. See the examples below.
The SIZE is the size value used in the original registry write call. The TYPE is the Windows data type of the entry written, as per Microsoft's definition.
Platforms:
Valid string payload:
{
"PROCESS_ID": 1820,
"REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Diagnostics\\LastKnownGoodPlatformLocation",
"REGISTRY_VALUE": "C:\\Progr",
"SIZE": 1,
"TYPE": 1
}
Binary payload:
{
"PROCESS_ID": 1700,
"REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Default\\LastHeartBeatTime",
"REGISTRY_VALUE": "bMPGjjDM1wE=",
"SIZE": 11,
"TYPE": 11
}
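A small decoder for the two payload shapes above, as an added example rather than LimaCharlie code: it dispatches on TYPE using the winnt.h REG_* numbers, base64-decodes binary payloads, and flags values that hit the 16-byte capture limit. The assumption that REG_SZ data is UTF-16LE (so 16 bytes is 8 characters, which is exactly why the string sample stops at "C:\Progr") and the FILETIME interpretation of the QWORD are mine, not the page's.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# winnt.h registry value types that matter for decoding REGISTRY_VALUE.
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_QWORD = 1, 2, 3, 4, 11
STRING_TYPES = {REG_SZ, REG_EXPAND_SZ}
CAPTURE_LIMIT = 16           # bytes of the value the agent records (from the page)
MAX_CAPTURED_CHARS = 8       # assumption: REG_SZ is UTF-16LE, so 16 bytes = 8 chars

FILETIME_UNIX_OFFSET = 116444736000000000  # 100ns ticks from 1601-01-01 to 1970-01-01


def decode_registry_value(event):
    """Decode REGISTRY_VALUE of a REGISTRY_WRITE event according to its TYPE.

    Returns a dict with 'kind' ('string' or 'binary'), 'value' (str or bytes),
    'int' for DWORD/QWORD payloads (little-endian), and 'truncated', which is
    True when the capture limit was reached so the value may only be a prefix.
    """
    raw = event["REGISTRY_VALUE"]
    vtype = event["TYPE"]
    if vtype in STRING_TYPES:
        # Strings are passed through as-is by the agent, already cut at 16 bytes.
        return {"kind": "string", "value": raw,
                "truncated": len(raw) >= MAX_CAPTURED_CHARS}
    data = base64.b64decode(raw)
    out = {"kind": "binary", "value": data, "truncated": len(data) >= CAPTURE_LIMIT}
    if vtype == REG_DWORD and len(data) == 4:
        out["int"] = struct.unpack("<I", data)[0]
    elif vtype == REG_QWORD and len(data) == 8:
        out["int"] = struct.unpack("<Q", data)[0]
    return out


def filetime_to_datetime(ft):
    """Interpret a QWORD as a Windows FILETIME (100ns ticks since 1601-01-01 UTC)."""
    unix_ticks = ft - FILETIME_UNIX_OFFSET
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)


# Constructed test input: the two sample events from this page, as Python dicts.
STRING_EVENT = {
    "PROCESS_ID": 1820,
    "REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Diagnostics\\LastKnownGoodPlatformLocation",
    "REGISTRY_VALUE": "C:\\Progr",
    "SIZE": 1,
    "TYPE": 1,
}
BINARY_EVENT = {
    "PROCESS_ID": 1700,
    "REGISTRY_KEY": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Diagnostics\\DiagTrack\\HeartBeats\\Default\\LastHeartBeatTime",
    "REGISTRY_VALUE": "bMPGjjDM1wE=",
    "SIZE": 11,
    "TYPE": 11,
}

if __name__ == "__main__":
    print(decode_registry_value(STRING_EVENT))   # 8 chars: cut at the 16-byte limit
    qword = decode_registry_value(BINARY_EVENT)
    print(qword["value"].hex(), qword["int"])
    # The key name suggests a timestamp; read the QWORD as a FILETIME to check.
    print(filetime_to_datetime(qword["int"]))
```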
REJOIN_NETWORK
Emitted after a sensor is allowed network connectivity again (after it was previously segregated). An error code of 0 indicates success.
Platforms:
Sample Event:
{
"ERROR": 0
}
REMOTE_PROCESS_HANDLE
Generated whenever a process opens a handle to another process with access flags like VM_READ, VM_WRITE, or PROCESS_CREATE_THREAD.
The ACCESS_FLAGS is the access mask as defined here.
Platforms:
{
"ACCESS_FLAGS": 136208,
"PARENT_PROCESS_ID": 6492,
"PROCESS_ID": 2516
}
SEGREGATE_NETWORK
Emitted when a sensor is segregated (isolated) from the network using the segregate_network command. An error code of 0 indicates success.
Platforms:
Sample Event:
{
"ERROR": 0
}
SENSITIVE_PROCESS_ACCESS
Generated when a process gains sensitive access to operating system processes like lsass.exe on Windows.
Note: SENSITIVE_PROCESS_ACCESS is currently only emitted for processes accessing lsass.exe on Windows.
Platforms:
{
"EVENTS": [
{
"event": {
"COMMAND_LINE": "C:\\WINDOWS\\system32\\lsass.exe",
"FILE_PATH": "C:\\WINDOWS\\system32\\lsass.exe",
"PARENT_PROCESS_ID": 484,
"PROCESS_ID": 636,
"THREADS": 12,
"USER_NAME": "BUILTIN\\Administrators"
}
}
]
}
SERVICE_CHANGE
Generated when a Service is changed.
Platforms:
{
"PROCESS_ID": 0,
"SVC_TYPE": 32,
"DLL": "%SystemRoot%\\system32\\wlidsvc.dll",
"SVC_NAME": "wlidsvc",
"SVC_STATE": 1,
"HASH": "b37199495115ed423ba99b7317377ce865bb482d4e847861e871480ac49d4a84",
"SVC_DISPLAY_NAME": "Microsoft Account Sign-in Assistant",
"TIMESTAMP": 1467942600540,
"EXECUTABLE": "%SystemRoot%\\system32\\svchost.exe -k netsvcs"
}
SSH_LOGIN
Generated when a user logs in via SSH.
Platforms:
{
"USER_NAME": "root",
"TIMESTAMP": 1468335816308
}
SELF_TEST
Internal event to manually request a power-on-self-test (POST) from the sensor.
SHUTTING_DOWN
Event generated when the sensor shuts down. Note: this event may not be observed if the host shuts down abruptly or too quickly.
Platforms:
Event Data
Field | Type | Notes
---|---|---
ts | Epoch timestamp | 
Sample Event:
{
"SHUTTING_DOWN": {
"ts": 1455674775
}
}
SSH_LOGOUT
Generated when a user logs out via SSH.
Platforms:
{
"USER_NAME": "root",
"TIMESTAMP": 1468335916308
}
STARTING_UP
Event generated when the sensor starts.
Platforms:
Event Data
Field | Type | Notes
---|---|---
ts | Epoch timestamp | 
Sample Event:
{
"STARTING_UP": {
"ts": 1455674775
}
}
TERMINATE_PROCESS
Generated when a process exits.
Platforms:
{
"PARENT_PROCESS_ID": 5820,
"TIMESTAMP": 1456285661,
"PROCESS_ID": 6072
}
TERMINATE_TCP4_CONNECTION
Generated when a TCPv4 connection terminates.
{
"DESTINATION": {
"IP_ADDRESS": "61.55.252.93",
"PORT": 443
},
"PROCESS_ID": 4784,
"SOURCE": {
"IP_ADDRESS": "172.16.223.138",
"PORT": 50145
}
}
TERMINATE_TCP6_CONNECTION
Generated when a TCPv6 connection terminates.
TERMINATE_UDP4_CONNECTION
Generated when a UDPv4 socket terminates.
TERMINATE_UDP6_CONNECTION
Generated when a UDPv6 socket terminates.
THREAD_INJECTION
This event is generated when the sensor detects what looks like a thread injection into a remote process.
Platforms:
{
"event": {
"EVENTS": [
{
"event": {
"ACCESS_FLAGS": 2097151,
"PARENT_PROCESS_ID": 5380,
"PROCESS_ID": 4276,
"SOURCE": {
"BASE_ADDRESS": 140701160243200,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
"MEMORY_USAGE": 5881856,
"PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
"PARENT_PROCESS_ID": 5972,
"PROCESS_ID": 5380,
"THIS_ATOM": "37b57d228af708b25d097f32659ee557",
"THREADS": 3,
"TIMESTAMP": 1704912214704,
"USER_NAME": "WINDOWS-SERVER-\\whitney"
},
"TARGET": {
"COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
"HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
"MEMORY_USAGE": 6156288,
"PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
"PARENT_PROCESS_ID": 628,
"PROCESS_ID": 4276,
"THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
"THREADS": 3,
"TIMESTAMP": 1704912150174,
"USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
}
},
"routing": {
"arch": 2,
"did": "",
"event_id": "d61caa47-225a-4f6a-9f3a-6094cdb3c383",
"event_time": 1704912219717,
"event_type": "REMOTE_PROCESS_HANDLE",
"ext_ip": "104.198.223.172",
"hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
"iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
"int_ip": "10.128.15.197",
"moduleid": 2,
"oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
"parent": "37b57d228af708b25d097f32659ee557",
"plat": 268435456,
"sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
"tags": [
"windows"
],
"target": "fe1dee93442392ea97becdad659ee516",
"this": "87509849fc608bce8a236f49659ee55b"
}
},
{
"event": {
"PARENT_PROCESS_ID": 5380,
"PROCESS_ID": 4276,
"SOURCE": {
"BASE_ADDRESS": 140701160243200,
"COMMAND_LINE": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --continue-active-setup",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
"HASH": "c47fc20231ffc1e3befef952478363bff96cf3af1f36da4bd1129c8ed0e17fdb",
"MEMORY_USAGE": 5881856,
"PARENT_ATOM": "df4e951a09e365cb46c36c11659ee556",
"PARENT_PROCESS_ID": 5972,
"PROCESS_ID": 5380,
"THIS_ATOM": "37b57d228af708b25d097f32659ee557",
"THREADS": 3,
"TIMESTAMP": 1704912214704,
"USER_NAME": "WINDOWS-SERVER-\\whitney"
},
"TARGET": {
"COMMAND_LINE": "C:\\Windows\\system32\\sppsvc.exe",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Windows\\system32\\sppsvc.exe",
"HASH": "1ca5b9745872748575c452e456966b8ed1c4153757e9f4faf6f86c78c53d4ae8",
"MEMORY_USAGE": 6156288,
"PARENT_ATOM": "74be005ef68f6edb8682d972659ee024",
"PARENT_PROCESS_ID": 628,
"PROCESS_ID": 4276,
"THIS_ATOM": "fe1dee93442392ea97becdad659ee516",
"THREADS": 3,
"TIMESTAMP": 1704912150174,
"USER_NAME": "NT AUTHORITY\\NETWORK SERVICE"
},
"THREAD_ID": 3672
},
"routing": {
"arch": 2,
"did": "",
"event_id": "ece7d85e-a43c-49d3-bc9a-28ace6dc1b02",
"event_time": 1704912219967,
"event_type": "NEW_REMOTE_THREAD",
"ext_ip": "104.198.223.172",
"hostname": "windows-server-2022-bc76d608-9d83-4c6c-bdd5-f86bbd385a94-0.c.lc-demo-infra.internal.",
"iid": "3c5c33e6-daaf-4029-be0b-94f50b86777e",
"int_ip": "10.128.15.197",
"moduleid": 2,
"oid": "bc76d608-9d83-4c6c-bdd5-f86bbd385a94",
"parent": "37b57d228af708b25d097f32659ee557",
"plat": 268435456,
"sid": "ccd0c386-88c1-4f8d-954c-581a95a1cc34",
"tags": [
"windows"
],
"target": "fe1dee93442392ea97becdad659ee516",
"this": "b30a499edf9ec2e424b07d20659ee55b"
}
}
]
},
"ts": "2024-01-10 18:43:39"
}
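Decoding ACCESS_FLAGS and pairing a REMOTE_PROCESS_HANDLE with the NEW_REMOTE_THREAD that follows it between the same routing/parent and routing/target atoms, which is exactly what the THREAD_INJECTION sample above bundles, is shown here as an added Python example (not LimaCharlie code, and not how the sensor itself decides). The rights table is from winnt.h, the 5-second window is an assumption, and the event stream is constructed from the atoms, PIDs and masks that appear in the samples above.

```python
# Process access rights from winnt.h; bits not listed here are left unnamed.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00020000: "READ_CONTROL",
    0x00100000: "SYNCHRONIZE",
}
# Rights that together let a process write into another and start a thread there.
INJECTION_RIGHTS = 0x0002 | 0x0008 | 0x0020  # CREATE_THREAD | VM_OPERATION | VM_WRITE
WINDOW_MS = 5_000  # assumption: thread creation within 5 s of the handle open


def decode_access_flags(mask):
    """Names of the known rights set in an ACCESS_FLAGS mask, sorted for stable output."""
    return sorted(name for bit, name in PROCESS_RIGHTS.items() if mask & bit)


def can_inject(mask):
    """True when the handle carries every right needed for classic thread injection."""
    return mask & INJECTION_RIGHTS == INJECTION_RIGHTS


def correlate_injection(events, window_ms=WINDOW_MS):
    """Pair injection-capable REMOTE_PROCESS_HANDLE events with a NEW_REMOTE_THREAD
    between the same routing/parent (source) and routing/target atoms in the window."""
    pending = {}  # (source atom, target atom) -> (event_time ms, access mask)
    alerts = []
    for ev in events:
        r, body = ev["routing"], ev["event"]
        key = (r["parent"], r["target"])
        now = r["event_time"]
        if r["event_type"] == "REMOTE_PROCESS_HANDLE":
            if can_inject(body["ACCESS_FLAGS"]):
                pending[key] = (now, body["ACCESS_FLAGS"])
        elif r["event_type"] == "NEW_REMOTE_THREAD":
            opened = pending.pop(key, None)
            if opened and 0 <= now - opened[0] <= window_ms:
                alerts.append({
                    "source_pid": body["PARENT_PROCESS_ID"],  # the process creating the thread
                    "target_pid": body["PROCESS_ID"],         # the process the thread runs in
                    "thread_id": body.get("THREAD_ID"),
                    "source_atom": key[0],
                    "target_atom": key[1],
                    "rights": decode_access_flags(opened[1]),
                })
    return alerts


def _ev(event_type, event_time, parent, target, **fields):
    """Build a minimal event carrying only the routing keys the correlation uses."""
    return {"event": fields,
            "routing": {"event_type": event_type, "event_time": event_time,
                        "parent": parent, "target": target}}


# Constructed stream: atoms, PIDs and masks are taken from the samples on this page.
SRC = "37b57d228af708b25d097f32659ee557"  # msedge.exe, the SOURCE in THREAD_INJECTION
TGT = "fe1dee93442392ea97becdad659ee516"  # sppsvc.exe, the TARGET in THREAD_INJECTION
SAMPLE_STREAM = [
    # read-only handle (the REMOTE_PROCESS_HANDLE sample) with no thread afterwards
    _ev("REMOTE_PROCESS_HANDLE", 1704912200000, "atom-a", "atom-b",
        ACCESS_FLAGS=136208, PARENT_PROCESS_ID=6492, PROCESS_ID=2516),
    # the pair from THREAD_INJECTION: PROCESS_ALL_ACCESS, then a thread 250 ms later
    _ev("REMOTE_PROCESS_HANDLE", 1704912219717, SRC, TGT,
        ACCESS_FLAGS=2097151, PARENT_PROCESS_ID=5380, PROCESS_ID=4276),
    _ev("NEW_REMOTE_THREAD", 1704912219967, SRC, TGT,
        PARENT_PROCESS_ID=5380, PROCESS_ID=4276, THREAD_ID=3672),
    # the NEW_REMOTE_THREAD sample, with no injection-capable handle before it
    _ev("NEW_REMOTE_THREAD", 1704912230000, "atom-c", "atom-d",
        PARENT_PROCESS_ID=492, PROCESS_ID=7944, THREAD_ID=9012),
]

if __name__ == "__main__":
    print(decode_access_flags(136208))
    for alert in correlate_injection(SAMPLE_STREAM):
        print(alert)
```

The 136208 mask from the REMOTE_PROCESS_HANDLE sample decodes to VM_READ plus query and READ_CONTROL rights only, so it never enters the pending set; 2097151 (0x1FFFFF) is PROCESS_ALL_ACCESS and does.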
USER_LOGIN
Generated when a user logs in to the operating system.
Platforms:
USER_LOGOUT
Generated when a user logs out of the operating system.
Platforms:
USER_OBSERVED
Generated the first time a user is observed on a host.
Platforms:
{
"TIMESTAMP": 1479241363009,
"USER_NAME": "root"
}
VOLUME_MOUNT
This event is generated when a volume is mounted.
Platforms:
{
"VOLUME_PATH": "E:",
"DEVICE_NAME": "\\Device\\HarddiskVolume3"
}
VOLUME_UNMOUNT
This event is generated when a volume is unmounted.
Platforms:
{
"VOLUME_PATH": "/Volumes/RECOVERY",
"VOLUME_NAME": "/dev/disk2s1"
}
YARA_DETECTION
Generated when a YARA scan finds a match.
Platforms:
{
"RULE_NAME": "malware_detection_rule",
"FILE_PATH": "C:\\malicious.exe",
"HASH": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
}