System event types based on Endpoint Protection Platform

This article provides a description of system event types associated with Endpoint Protection Platform technology (see the table below).

System event type based on Endpoint Protection Platform (EPP)

Code

Title of event type

Registration conditions

4000005500

Activity specific for network attacks

The integration server received data indicating that the Network Threat Protection component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005501

Connection of an untrusted external device

The integration server received data indicating that the Device Control component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005502

Attempt to run an unauthorized or untrusted application

The integration server received data indicating that the Application Launch Control component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005503

Prohibited file operation in the specified monitoring scope

The integration server received data indicating that the File Integrity Monitor component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005504

Files in the specified monitoring scope are modified

The integration server received data indicating that the Baseline File Integrity Monitor component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005505

Network connection not allowed by firewall rules

The integration server received data indicating that the Firewall Management component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005506

System registry modifications in the specified monitoring scope

The integration server received data indicating that the Registry Access Monitor component of the EPP application is triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005507

Log analysis rule is triggered

The integration server received data indicating that a rule of the Log Inspection component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005508

Attempt to exploit a vulnerability in a protected process

The integration server received data indicating that the Exploit Prevention component of the EPP application is triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005509

Attempt to maliciously encrypt network file resources

The integration server received data indicating that the Anti-Cryptor component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005510

Attempt to connect to a Wi-Fi network

The integration server received data indicating that the Wi-Fi Control component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005511

PLC project was modified compared to the baseline

The integration server received data indicating that the PLC Project Control component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005512

Infected or probably infected object is detected

The integration server received data indicating that the Real-Time File Protection component of the EPP application was triggered.

The event type description uses the variable $epp_event_description for data from the EPP application.

4000005513

Sigma rule $sigmaAlertTitle triggered

The integration server received data about an Endpoint Agent component Sigma rule being triggered.

The following variables are used in the title and description of an event type:

  • $sigmaAlertTitle: Sigma rule name
  • $sigma_detection_type: detection technology
  • $sigma_object_type: the type of object that triggered the Sigma rule
  • $sigma_object_name: the name of object that triggered the Sigma rule or the name of the first triggered Sigma rule
  • $sigma_status: detection status
Page top