The events table is displayed in the Threat Hunting section of the program web interface window after completion of the search for threats in the events database.
Events are grouped by hosts of the selected servers and organizations. The table of events contains the following information:
Each type of event has its own type of cell value in the Details column of the events table (see the table below).
Correspondence of the types of cell values in the Event and Details columns
Event | Details |
---|---|
Process started | Name of the process file that was started. SHA256 and MD5 hashes. |
Module loaded | Name of the dynamic library that was loaded. SHA256 and MD5 hashes. |
Remote connection | URL to which a remote connection attempt was made. Name of the file that attempted to establish a remote connection. |
Prevention rule | Name of the file of the application that was blocked from starting. SHA256 and MD5 hashes. |
Document blocked | Name of the document that was blocked from starting. SHA256 and MD5 hashes. |
File created | Name of the created file. SHA256 and MD5 hashes. |
Windows Log event | Windows event logging channel. Event type ID. |
Registry modified | Name of the registry key. |
Port listened | Server address and port. Name of the file of the process that listens on the port. |
Driver loaded | File name of the driver that was loaded. SHA256 and MD5 hashes. |
Host name changed | Old host name. New host name. |
Clicking the link with the name of the event type, data, additional information and user name opens a list in which you can select the action to perform on the object. Depending on the type of value of the cell, you can perform one of the following actions: