Fields for filtering events
August 12, 2024
ID 249086
The fields for filtering events are listed in the table below.
If field values contain special characters, you must use URL encoding or the `--data-urlencode` option of curl in requests.
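Because filter values such as Windows paths contain backslashes, colons and spaces, sending them raw corrupts the query string. The bash script below is an added example (not part of this page or of the product's own tooling) that percent-encodes values exactly as curl's `--data-urlencode` does, so you can check the encoding of a value before it goes on the wire. Field names (FileFullName, Md5, hostName) come from the table on this page; the endpoint URL, the `field=value` pair syntax and the `KATA_EVENTS_URL` variable are placeholders assumed for illustration, not the documented request format.

```bash
#!/usr/bin/env bash
# Added example: percent-encode event-filter values before putting them in a
# request. Field names come from the page's table; the endpoint URL and the
# "field=value" pair syntax are placeholders assumed for illustration.
set -eu

# Percent-encode every byte except the RFC 3986 unreserved set [A-Za-z0-9-._~].
# LC_ALL=C makes bash walk the string byte by byte, so multibyte UTF-8 input
# is encoded one byte at a time instead of by code point.
urlencode() {
    local LC_ALL=C s="$1" out="" i c
    for (( i = 0; i < ${#s}; i++ )); do
        c="${s:i:1}"
        case "$c" in
            [A-Za-z0-9.~_-]) out+="$c" ;;
            *) out+=$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# Build an application/x-www-form-urlencoded query string from "name=value"
# pairs, encoding both sides. This is what curl produces for each
# --data-urlencode "name=value" argument.
build_query() {
    local pair name value query=""
    for pair in "$@"; do
        name="${pair%%=*}"
        value="${pair#*=}"
        query+="${query:+&}$(urlencode "$name")=$(urlencode "$value")"
    done
    printf '%s' "$query"
}

# Print the equivalent curl command without sending it (so this runs offline).
# -G makes curl append the --data-urlencode pairs as a GET query string.
show_request() {
    local pair
    local base="${KATA_EVENTS_URL:-https://central-node.example/placeholder/events}"
    local cmd="curl -sS -G '$base'"
    for pair in "$@"; do
        cmd+=" --data-urlencode '$pair'"
    done
    printf '%s\n' "$cmd"
}

# Constructed sample values: a Windows path with backslashes, a colon and
# spaces, an MD5 hash and a host name.
PATH_VALUE='C:\Program Files\Some App\tool.exe'
HASH_VALUE='d41d8cd98f00b204e9800998ecf8427e'

build_query "FileFullName=$PATH_VALUE" "Md5=$HASH_VALUE" "hostName=ws-01.corp"
echo
show_request "FileFullName=$PATH_VALUE" "Md5=$HASH_VALUE"
```

Compare the output of `build_query` with what your HTTP client actually sends (for curl, `--trace-ascii -` shows the request line): a literal `\` or `:` in the query string means the value was not encoded and the filter will not match the intended events.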
List of fields for filtering events
Field name | Type | Description |
---|---|---|
hostName | string | Host name. |
HostIp | string | IP address of the host. |
EventType | string | Event type. Possible values: |
UserName | string | User name. |
OsFamily | string | Family of the operating system. |
OsVersion | string | Version of the operating system being used on the host. |
Ioa.Rules.Id | string | TAA (IOA) rule ID. |
Ioa.Rules.Name | string | Information about the results of file analysis using the Targeted Attack Analyzer technology: name of the TAA (IOA) rule that was used to create the alert. |
Ioa.Rules.Techniques | string | MITRE technique |
Ioa.Rules.Tactics | string | MITRE tactic |
Ioa.Severity | string | Importance level that is assigned to an event generated using this TAA (IOA) rule. Possible values: |
Ioa.Confidence | string | Level of confidence depending on the likelihood of false alarms caused by the rule. Possible values: |
FileCreationTime | integer | File creation time. |
DllCreationTime | integer | DLL creation time. |
DroppedCreationTime | integer | Creation time of the modified file. |
InterpretedFileCreationTime | integer | Creation time of the interpreted file. |
FileName | string | File name. |
DllName | string | DLL name. |
DroppedName | string | Name of the modified file. |
BlockedName | string | Name of the blocked file. |
InterpretedFileName | string | Name of the interpreted file. |
FilePath | string | Path to the directory where the file is located. |
DllPath | string | Path to the directory where the DLL is located. |
DroppedPath | string | Path to the directory where the modified file is located. |
BlockedPath | string | Path to the directory where the blocked file is located. |
InterpretedFilePath | string | Path to the directory where the interpreted file is located. |
FileFullName | string | Full path to the file. Includes the path to the directory and the file name. |
DllFullName | string | Full path to the DLL. Includes the path to the directory and the file name. |
DroppedFullName | string | Full path to the modified file. Includes the path to the directory and the file name. |
BlockedFullName | string | Full path to the blocked file. Includes the path to the directory and the file name. |
DetectedName | string | Full path to the detected file. Includes the path to the directory and the file name. |
OriginalFileName | string | Full path to the original file. Includes the path to the directory and the file name. |
InterpretedFileFullName | string | Full path to the interpreted file. Includes the path to the directory and the file name. |
FileModificationTime | integer | File modification time. |
DllModificationTime | integer | DLL modification time. |
DroppedModificationTime | integer | Modification time of the modified file. |
InterpretedFileModificationTime | integer | Modification time of the interpreted file. |
FileSize | integer | File size. |
DllSize | integer | DLL size. |
DroppedSize | integer | Size of the modified file. |
InterpretedFileSize | integer | Size of the interpreted file. |
Md5 | string | MD5 hash of the file. |
DllMd5 | string | MD5 hash of the DLL |
DroppedMd5 | string | MD5 hash of the modified file. |
InterpretedMd5 | string | MD5 hash of the interpreted file. |
DetectedMd5 | string | MD5 hash of the detected file. |
Sha256 | string | SHA256 hash of the file. |
DllSha256 | string | SHA256 hash of the DLL. |
DroppedSha256 | string | SHA256 hash of the modified file. |
BlockedSha256 | string | SHA256 hash of the blocked file. |
InterpretedSha256 | string | SHA256 hash of the interpreted file. |
DetectedSha256 | string | SHA256 hash of the detected file. |
HijackingPath | string | Path to the malicious DLL that was placed in a directory on the standard search path so that the operating system loads it before the original DLL (DLL search order hijacking). |
LogonRemoteHost | string | IP address of the host that initiated remote access. |
RealUserName | string | Name of the user assigned when the user was registered in the system. |
EffectiveUserName | string | User name that was used to log in to the system. |
Environment | string | Environment variables. |
ProcessType | integer | Process type. Possible values: |
LinuxOperationResult | string | Result of the operation. Possible values: |
SystemPid | integer | Process ID. |
ParentFileFullName | string | Path to the parent process file. |
ParentMd5 | string | MD5 hash of the parent process file. |
ParentSha256 | string | SHA256 hash of the parent process file. |
StartupParameters | string | Process start options. |
ParentSystemPid | integer | Parent process ID. |
ParentStartupParameters | string | Parent process startup settings. |
Method | string | HTTP request method. |
Direction | string | Connection direction. Possible values: |
LocalIp | string | IP address of the local computer from which the remote connection attempt was made. |
LocalPort | integer | Port of the local computer from which the remote connection attempt was made. |
RemoteHostName | string | Name of the computer that was the target of the remote connection attempt. |
RemoteIp | string | IP address of the computer that was the target of the remote connection attempt. |
RemotePort | integer | Port of the computer that was the target of the remote connection attempt. |
URI | string | Address of the resource to which the HTTP request was made. |
KeyName | string | Path to the registry key. |
ValueName | string | Registry value name. |
ValueData | string | Registry value data. |
RegistryOperationType | integer | Type of the operation with the registry. Possible values: |
PreviousKeyName | string | Previous path to the registry key. |
PreviousValueData | string | Previous data of the registry value. |
System.EventID.value | string | Type ID of the security event in the Windows log. |
LinuxEventType | string | Event type. Possible values: |
System.Channel.value | string | Log name. |
System.EventRecordID.value | string | Entry ID in the log. |
System.Provider.Name.value | string | ID of the system that logged the event. |
EventData.Data.TargetDomainName.value | string | Domain name of the remote computer. |
EventData.Data.ObjectName.value | string | Name of the object that initiated the event. |
EventData.Data.PackageName.value | string | Name of the package that initiated the event. |
EventData.Data.ProcessName.value | string | Name of the process that initiated the event. |
VerdictName | string | Name of the detected object. |
RecordId | integer | ID of the triggered rule. |
ProcessingMode | string | Scanning mode. Possible values: |
DetectedName | string | Name of the object. |
DetectedObjectType | string | Type of the object. Possible values: |
ThreatStatus | string | Discovery mode. Possible values: |
UntreatedReason | string | Object processing status. Possible values: |
InteractiveInputText | string | Interpreter command. |
ObjectContent | string | Contents of the script sent to be scanned. |
ObjectContentType | integer | Content type of the script. Possible values: |
FileOperationType | integer | Type of the file operation. Possible values: |
PreviousFileName | string | Path to the directory where the file was previously located. |
PreviousFileFullName | string | Full name of the file including the path to the directory where the file was previously located and/or the previous file name. |
DroppedFileType | integer | Type of the modified file. Possible values: |