Fields for filtering events
8 November 2023
ID 249086
The fields for filtering events are listed in the table below.
List of fields for filtering events
Field name | Type | Description |
---|---|---|
hostName | string | Host name. |
HostIp | string | IP address of the host. |
EventType | string | Event type. Possible values: |
UserName | string | User name. |
OsFamily | string | Family of the operating system. |
OsVersion | string | Version of the operating system being used on the host. |
Ioa.Rules.Id | string | TAA (IOA) rule ID. |
Ioa.Rules.Name | string | Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert. |
Ioa.Rules.Techniques | string | MITRE technique |
Ioa.Rules.Tactics | string | MITRE tactic |
Ioa.Severity | string | Importance level that is assigned to an event generated using this TAA (IOA) rule. Possible values: |
Ioa.Confidence | string | Level of confidence depending on the likelihood of false alarms caused by the rule. Possible values: |
FileCreationTime | integer | File creation time. |
DllCreationTime | integer | DLL creation time. |
DroppedCreationTime | integer | Creation time of the modified file. |
InterpretedFileCreationTime | integer | Creation time of the interpreted file. |
FileName | string | File name. |
DllName | string | DLL name. |
DroppedName | string | Name of the modified file. |
BlockedName | string | Name of the blocked file. |
InterpretedFileName | string | Name of the interpreted file. |
FilePath (if filtering by this field, you must use URL Encode) | string | Path to the directory where the file is located. |
DllPath | string | Path to the directory where the DLL is located. |
DroppedPath | string | Path to the directory where the modified file is located. |
BlockedPath | string | Path to the directory where the blocked file is located. |
InterpretedFilePath | string | Path to the directory where the interpreted file is located. |
FileFullName (if filtering by this field, you must use URL Encode) | string | Full path to the file. Includes the path to the directory and the file name. |
DllFullName | string | Full path to the DLL. Includes the path to the directory and the file name. |
DroppedFullName | string | Full path to the modified file. Includes the path to the directory and the file name. |
BlockedFullName | string | Full path to the blocked file. Includes the path to the directory and the file name. |
DetectedName | string | Full path to the detected file. Includes the path to the directory and the file name. |
OriginalFileName | string | Full path to the original file. Includes the path to the directory and the file name. |
InterpretedFileFullName | string | Full path to the interpreted file. Includes the path to the directory and the file name. |
FileModificationTime | integer | File modification time. |
DllModificationTime | integer | DLL modification time. |
DroppedModificationTime | integer | Modification time of the modified file. |
InterpretedFileModificationTime | integer | Modification time of the interpreted file. |
FileSize | integer | File size. |
DllSize | integer | DLL size. |
DroppedSize | integer | Size of the modified file. |
InterpretedFileSize | integer | Size of the interpreted file. |
Md5 | string | MD5 hash of the file. |
DllMd5 | string | MD5 hash of the DLL. |
DroppedMd5 | string | MD5 hash of the modified file. |
InterpretedMd5 | string | MD5 hash of the interpreted file. |
DetectedMd5 | string | MD5 hash of the detected file. |
Sha256 | string | SHA256 hash of the file. |
DllSha256 | string | SHA256 hash of the DLL. |
DroppedSha256 | string | SHA256 hash of the modified file. |
BlockedSha256 | string | SHA256 hash of the blocked file. |
InterpretedSha256 | string | SHA256 hash of the interpreted file. |
DetectedSha256 | string | SHA256 hash of the detected file. |
HijackingPath | string | A malicious DLL placed in a directory on the standard search path to make the operating system load it before the original DLL. |
LogonRemoteHost | string | IP address of the host that initiated remote access. |
RealUserName | string | Name of the user assigned when the user was registered in the system. |
EffectiveUserName | string | User name that was used to log in to the system. |
Environment | string | Environment variables. |
ProcessType | integer | Process type. Possible values: |
LinuxOperationResult | string | Result of the operation. Possible values: |
SystemPid | integer | Process ID. |
ParentFileFullName (if filtering by this field, you must use URL Encode) | string | Path to the parent process file. |
ParentMd5 | string | MD5 hash of the parent process file. |
ParentSha256 | string | SHA256 hash of the parent process file. |
StartupParameters | string | Start options. |
ParentSystemPid | integer | Parent process ID. |
Method | string | HTTP request method. |
Direction | string | Connection direction. Possible values: |
LocalIp | string | IP address of the local computer from which the remote connection attempt was made. |
LocalPort | integer | Port of the local computer from which the remote connection attempt was made. |
RemoteHostName | string | Name of the computer that was the target of the remote connection attempt. |
RemoteIp | string | IP address of the computer that was the target of the remote connection attempt. |
RemotePort | integer | Port of the computer that was the target of the remote connection attempt. |
URI | string | Address of the resource to which the HTTP request was made. |
KeyName | string | Path to the registry key. |
ValueName | string | Registry value name. |
ValueData | string | Registry value data. |
RegistryOperationType | integer | Type of the operation with the registry. Possible values: |
PreviousKeyName | string | Previous path to the registry key. |
PreviousValueData | string | Previous name of the registry value. |
System.EventID.value | string | Type ID of the security event in the Windows log. |
LinuxEventType | string | Event type. Possible values: |
System.Channel.value | string | Log name. |
System.EventRecordID.value | string | Entry ID in the log. |
System.Provider.Name.value | string | ID of the system that logged the event. |
EventData.Data.TargetDomainName.value | string | Domain name of the remote computer. |
EventData.Data.ObjectName.value | string | Name of the object that initiated the event. |
EventData.Data.PackageName.value | string | Name of the package that initiated the event. |
EventData.Data.ProcessName.value | string | Name of the process that initiated the event. |
VerdictName | string | Name of the detected object. |
RecordId | integer | ID of the triggered rule. |
ProcessingMode | string | Scanning mode. Possible values: |
DetectedName | string | Name of the object. |
DetectedObjectType | string | Type of the object. Possible values: |
ThreatStatus | string | Discovery mode. Possible values: |
UntreatedReason | string | Object processing status. Possible values: |
InteractiveInputText | string | Interpreter command. |
ObjectContent | string | Contents of the script sent to be scanned. |
ObjectContentType | integer | Content type of the script. Possible values: |
FileOperationType | integer | Type of the file operation. Possible values: |
PreviousFileName | string | Path to the directory where the file was previously located. |
PreviousFileFullName | string | Full name of the file including the path to the directory where the file was previously located and/or the previous file name. |
DroppedFileType | integer | Type of the modified file. Possible values: |
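The table marks three path fields (FilePath, FileFullName, ParentFileFullName) as requiring URL encoding when they are used as filters; Windows paths contain `:` and `\`, and any path may contain spaces or `&`, all of which would otherwise corrupt a query string. The helper below is an added example and is not code from this documentation: it percent-encodes exactly those fields, leaves the other fields as-is, and rejects field names that are not in the table. The `field=value&field=value` query shape and the sample values (host name, paths, hash) are constructed assumptions; the page lists only the field names and types.

```python
from urllib.parse import quote, unquote

# Fields the table flags as "If filtering by this field, you must use URL Encode".
URL_ENCODED_FIELDS = {"FilePath", "FileFullName", "ParentFileFullName"}

# Subset of the field names from the table, used to reject misspelled filter keys
# (field names are case-sensitive as listed, e.g. "hostName" but "HostIp").
KNOWN_FIELDS = {
    "hostName", "HostIp", "EventType", "UserName", "OsFamily", "OsVersion",
    "FileName", "FilePath", "FileFullName", "Md5", "Sha256",
    "ParentFileFullName", "ParentMd5", "ParentSha256",
    "SystemPid", "ParentSystemPid", "RemoteIp", "RemotePort", "URI",
}


def is_known_field(field: str) -> bool:
    """True if the field name appears in the filter-field table (subset above)."""
    return field in KNOWN_FIELDS


def encode_filter_value(field: str, value) -> str:
    """Return the value as it should appear in the filter.

    Path fields are percent-encoded with no characters left unescaped, so a
    Windows path such as C:\\Windows\\cmd.exe becomes C%3A%5CWindows%5Ccmd.exe.
    Every other field is passed through unchanged.
    """
    if not is_known_field(field):
        raise ValueError(f"unknown filter field: {field!r}")
    if field in URL_ENCODED_FIELDS:
        return quote(str(value), safe="")
    return str(value)


def build_filter_query(filters: dict) -> str:
    """Join field filters into a query-string fragment.

    The `field=value&field=value` layout is an assumption for this example;
    the documentation table only defines the field names and types.
    """
    return "&".join(f"{field}={encode_filter_value(field, value)}"
                    for field, value in filters.items())


def decode_path_filter(encoded: str) -> str:
    """Reverse the encoding, e.g. to check a filter before sending it."""
    return unquote(encoded)


if __name__ == "__main__":
    # Constructed sample filter: a host name, a Windows full path and a hash.
    sample = {
        "hostName": "ws-01",
        "FileFullName": r"C:\Program Files\tool\agent.exe",
        "Md5": "d41d8cd98f00b204e9800998ecf8427e",
    }
    query = build_filter_query(sample)
    print(query)
    print(decode_path_filter(query.split("&")[1].split("=", 1)[1]))
```

Only the three flagged fields are encoded; hashes, host names and ports are left untouched, and a misspelled key such as `Filepath` raises before a malformed request is built.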