Event rule attributes
The following tables, grouped by event type, detail the event attributes available for use in rules.
Clipboard paste event (Windows only)
Clipboard paste events are generated in response to the pasting of data from the clipboard. The following table describes the events attribute, allowed values, and description for each clipboard paste event type.
Universal Windows Platform apps, also known as Windows Store apps and Metro-style apps, are designed to run in Windows AppContainers. Applications running in Windows AppContainers do not have direct access to the Windows clipboard. Their access to the Windows clipboard is brokered through another process. Due to this architecture, Adaptive Security may not be able to monitor clipboard activity performed by these applications.
| Clipboard attribute name |
Allowed values |
Description |
| clipboard.pid |
pid |
The process id for the process performing the paste operation. |
| clipboard.processname |
string |
The path of the executable for the process performing the paste operation. |
| clipboard.windowtitle |
string |
The window title for the process performing the paste operation. |
| clipboard.userid |
string |
Security identifier (SID) string representing the user associated with the paste operation. Well known SIDs are represented using the Microsoft Security Definition Language. Other SIDs use the standard string representation of a SID (S-R-I-S-S…). |
| clipboard.producer.pid |
pid |
The process id for the process that originally placed the data onto the clipboard. In some cases this may be zero if the data was placed onto the clipboard before the Adaptive Security agent was running. |
| clipboard.producer.processname |
string |
The path of the executable for the process that originally placed the data onto the clipboard. In some cases this may be empty if the data was placed onto the clipboard before the Adaptive Security agent was running.
|
| clipboard.producer.windowtitle |
string |
The window title for the process that originally placed the data onto the clipboard. In some cases this may be zero if the data was placed onto the clipboard before the Adaptive Security agent was running.
|
| clipboard.datatimestamp |
uint64 |
The timestamp indicating when the data was originally placed onto the clipboard. This will be zero is the data was placed onto the clipboard before the Adaptive Security agent was running. |
| clipboard.format |
CB_FORMAT_STRING CB_FORMAT_JPEG CB_FORMAT_FILE_LIST |
The format of the data that is being pasted. CB_FORMAT_STRING indicates that text data is being pasted. CB_FORMAT_JPEG indicates that an image is being pasted. CB_FORMAT_FILE_LIST indicates that files are being pasted on the explorer desktop. |
| clipboard.data.string |
string |
If clipboard.format is CB_FORMAT_STRING, this field will contain the string data. |
| clipboard.data.string |
string |
If clipboard.format is CB_FORMAT_FILE_LIST, this field will contain a comma separated list of file paths. |
| clipboard.timestamp |
uint64 |
The timestamp of the event. |
Event type (Windows, macOS)
These attributes exist to allow an entire event class to be specified at once. These are appropriate for use in suppress rules to suppress the writing of an entire class of events to the DVR or for use in forwarding rules to forward an entire class of events to the server.
The following table describes the event attribute, allowed values, and description for each event type.
| Event attribute |
Allowed values |
Description |
| eventtype.process |
TRUE or FALSE |
Process events |
| eventtype.file |
TRUE or FALSE |
File events |
| eventype.inspectfilematch |
TRUE or False |
Inspect file match events (Windows only) |
| eventtype.session |
TRUE or FALSE |
Session events |
| eventtype.media |
TRUE or FALSE |
Media events |
| eventtype.thread |
TRUE or FALSE |
Thread events |
| eventtype.imageload |
TRUE or FALSE |
Image load events |
| eventtype.object |
TRUE or FALSE |
Object events |
| eventtype.registry |
TRUE or FALSE |
Registry events |
| eventtype.print |
TRUE or FALSE |
Print events |
| eventtype.namespace |
TRUE or FALSE |
Namespace events |
| eventtype.network |
TRUE or FALSE |
Network events |
| eventtype.keystroke |
TRUE or FALSE |
Keystroke events |
| eventtype.defender |
TRUE or FALSE |
Microsoft Defender events |
| eventtype.clipboard |
TRUE or FALSE |
Clipboard events |
| eventtype.url |
TRUE or FALSE |
URL events |
File event (Windows, macOS, Linux)
File events are generated when the following occurs:
A file is closed if the file has had content written to it.
A file is renamed.
A file is deleted.
A file is opened.
A volume is mounted.
Note: The macOS agent does not generate events for files written through command line redirection in the shell. For example, the shell command “cat myfile > output.txt” will not generate a file write event for the file output.txt.
The following table describes the file attribute, allowed values, and description for each file event type.
| File attribute name |
Allowed values |
Description |
| file.event |
FILE_WRITE FILE_RENAME FILE_DELETE FILE_OPEN |
Indicates the file event type. FILE_WRITE is generated at the time a file is closed if the file was written to. FILE_DELETE is generated when a file is deleted. FILE_RENAME is generated in response to files being renamed. FILE_OPEN is generated in response to a non-directory file, not ending in .exe or .dll, that is opened for reading or writing of data. |
| file.path |
string |
Indicates the full path of the file that was written for FILE_WRITE operations or the full path of the newly renamed file for FILE_RENAME operations. |
| file.size |
uint64 |
Indicates the size of the file after the file was written to and closed for FILE_WRITE operations or the size of the file that was deleted for FILE_DELETE operations. This will be 0 for FILE_RENAME operations. |
| file.md5 |
md5digest |
The MD5 hash digest for the file after the file was written and closed for FILE_WRITE operations or the hash digest of the file that was deleted for FILE_DELETE operations. This will be 0 for FILE_RENAME and FILE_OPEN operations. |
| file.originalpath |
string |
Indicates the full path of the original filename for FILE_RENAME operations. |
| file.creationdisposition |
FILE_CREATE_NEW FILE_CREATE_ALWAYS FILE_OPEN_EXISTING FILE_OPEN_ALWAYS |
Indicates the disposition with which the file was opened. This Windows-only field is valid only for FILE_WRITE and FILE_OPEN operations. This is only available on Windows. |
| file.shareaccess |
FILE_SHARE_READ FILE_SHARE_WRITE FILE_SHARE_DELETE |
A bitmask indicating the shared access with which the file was opened. This field is valid only for FILE_WRITE and FILE_OPEN operations. This is only available on Windows. |
| file.desiredaccess |
FILE_READ_DATA FILE_LIST_DIRECTORY FILE_WRITE_DATA FILE_ADD_FILE FILE_APPEND_DATA FILE_ADD_SUBDIRECTORY FILE_CREATE_PIPE_INSTANCE FILE_READ_EA FILE_WRITE_EA FILE_EXECUTE FILE_TRAVERSE FILE_DELETE_CHILD FILE_READ_ATTRIBUTES FILE_WRITE_ATTRIBUTES FILE_ALL_ACCESS FILE_GENERIC_READ FILE_GENERIC_WRITE FILE_GENERIC_EXECUTE |
A bitmask indicating the access with which the file was opened. This field is only valid for FILE_WRITE and FILE_OPEN operations. This is only available on Windows. |
| file.pid |
pid |
The process id associated with the file action. |
| file.entropy |
double |
The entropy of the file that was written for FILE_WRITE operations or deleted for FILE_DELETE operations. |
| file.usersid |
string |
Security identifier (SID) string representing the user associated with the file operation. Well-known SIDs are represented using Microsoft Security Definition Language. Other SIDs use the standard string representation of a SID (S-R-I-S-S…). This is only available on Windows. |
| file.userid |
uint64 |
The numeric user id of the user associated with the file operation. This is only available on macOS. |
| file.devicepath |
string |
The kernel device path associated with the file, for example. \device\harddiskvolume1, or similar. This is only available on Windows. |
| file.timestamp |
uint64 |
The timestamp of the event. |
| file.labels |
string |
Contains a key/value pair list of sensitivity labels from a Microsoft Office document. This field is only populated for Microsoft Office documents for FILE_WRITE and FILE_RENAME operations. |
Imageload event (Windows, macOS, Linux)
Imageload events are generated whenever an executable image is loaded on the endpoint. This includes the loading of executable images and dynamic link libraries that take place whenever a new process is started. It also includes the loading of dynamic link libraries, which can occur after a process has started through the use of the Win32 LoadLibrary/LoadLibraryEx APIs or the macOS/Linux dlopen API.
The following table describes the ImageLoad attribute, allowed values, and description for each ImageLoad event type
| Imageload attribute name |
Allowed values |
Description |
| imageload.imagepath |
string |
Indicates the full path of the image that was loaded. |
| imageload.baseaddr |
uint64 |
Indicates the base address where the image was loaded. This is only available on Windows. |
| imageload.imagesize |
uint64 |
Indicates the image size that was loaded. |
| imageload.loadstate |
IMAGE_LOADED IMAGE_EXISTING |
IMAGE_LOADED indicates that the image has been loaded. IMAGE_EXISTING is used in image load attributes generated for images already loaded at the time the endpoint agent started. |
| imageload.md5 |
string |
Indicates the MD5 digest of the image that was loaded. This is only available on Windows. |
| imageload.usersid |
string |
Security identifier string representing the user associated with the image load operation. Well-known SIDs are represented using the Microsoft Security Definition Language. Other SIDs use the standard string representation of a SID (S-R-I-S-S…). This is only available on Windows. |
| imageload.pid |
pid |
The process id for the process performing the image load. |
| image.timestamp |
uint64 |
The timestamp of the event. |
InspectFileMatch event (Windows only)
InspectFileMatch events are generated whenever one or more regular expressions matches occur as the result of an InspectFile rule action. Only one InspectFileMatch event is returned per InspectFile action regardless of how many matches occurred within that file.
The following table describes the InspectFileMatch attribute, allowed values, and description for each InspectFileMatch event type.
| InspectFileMatch attribute name |
Allowed values |
Description |
| inspectfilematch.path |
string |
Indicates the full path of the file that was inspected. |
| inspectfilematch.label |
string |
The label string corresponding to the label string used in the InspectFile rule action that resulted in this match event. |
| inspectfilematch.pid |
pid |
The process id for the process that triggered the inspect rule. |
| inspectfilematch.timestamp |
uint64 |
The timestamp of the event. |
Keystroke event (Windows only)
Keystroke events are generated in response to keystrokes entered on the endpoint machine, but not for each individual keystroke entered. Instead, keystrokes are collected into a buffer, and then keystroke events are generated at specific tear points, that include when the following occurs:
The user presses the enter/return key.
The user presses a control sequence that includes any of the following keys: ALT, CTRL, WIN, F1-F24, ESCAPE, PRINT SCREEN.
The user shifts focus to another window and enters a keystroke in that window.
The keystroke log buffer has reached its maximum buffered keys limit.
The timeout keystroke buffer periodic flush timer has elapsed.
Note: The keystroke periodic flush timer and the keystroke maximum buffered keys limit can be configured on a per endpoint basis from the Nuix Adaptive Security console.
The following table describes the keystroke attribute, allowed values, and description for each keystroke event type.
| Keystroke attribute name |
Allowed values |
Description |
| keystroke.pid |
pid |
The process id for the application receiving the keystrokes. |
| keystroke.windowtitle |
string |
The contents of the title bar for the application window receiving the keystrokes. |
| keystroke.usersid |
string |
Security identifier (SID) string representing the user associated with the process creation. Well-known SIDs are represented using the Microsoft Security Definition Language. Other SIDs use the standard string representation of a SID (S-R-I-S-S…). |
| keystroke.keydata |
string |
A string of captured keystroke data. This is a decoded representation of the virtual keys codes captured from the operating system. When representing non-alphanumeric keys and control key sequences a special notation is used. See Appendix A: Keystroke Event Special Character Notation for more details and examples. |
| keystroke.timestamp |
uint64 |
The timestamp of the event. |
Media event (Windows, macOS, Linux)
Media events are generated in response to the insertion or removal of removable media, which includes USB thumb drives as well as external hard drives connected by USB or Firewire.
The following table describes the removable media attribute, allowed values, and description for each media event type.
| Removable media attribute name |
Allowed values |
Description |
| media.event |
DEVICE_INSERTED DEVICE_REMOVED |
Indicates whether a removable media device is being inserted or removed from the system. |
| media.rootpathname |
string |
The pathname where the removable media device is mounted. On Windows, the path is displayed in the format [DriveLetter]:\. ("e:\", "f:\"). On macOS, the path is displayed as a volume path such as “/Volumes/mydevice”. |
| media.bustype |
BUS_FIREWIRE BUS_USB BUS_ESATA |
The type of bus the removable media device was attached to. |
| media.filesystemname |
string |
The name of the file system used to format the volume, which is usually one of the following: "NTFS", "FAT32", for example, FAT”, “HFS”, or “APFS”. On Linux, exFat and NTFS file system may appear with the name “fuseblk”. See Filesystem in Userspace. |
| media.volumelabel |
string |
The volume label assigned to the removable media volume. A user can set the volume labels anytime during or after formatting a volume. The volume label may give insight as to what the storage volume contains. |
| media.volumeserial |
string |
The volume serial number is a 32-bit value assigned to a volume by Windows at the time a volume is formatted. It is one way of tracking media volumes, although the volume serial number can potentially be changed by a user with enough effort. It is displayed in the header of the output from the command prompt "dir" command. |
| media.volumefreebytes |
uint64 |
Indicates the number of free bytes on the removable media storage volume. |
| media.volumetotalbytes |
uint64 |
Indicates the total size in bytes of the removable media storage volume. |
| media.deviceserial |
string |
For USB thumb drives, the serial number is embedded in the hardware by the manufacturer. An example serial number taken from a SanDisk thumb drive is: "SNDKAA03743213606705". |
| media.devicepid |
string |
The device product id string value. The value is set by the device manufacturer. An example pid string from a SanDisk Cruzer Mini thumb drive is: "Cruzer Mini". |
| media.devicevid |
string |
The device vendor id string. The value is set by the device manufacturer. An example vendor string from a SanDisk Cruzer Mini thumb drive is: "SanDisk". |
| media.devicepath |
string |
The kernel device path associated with the mounted drive, for example, \device\harddiskvolume4, or similar. |
| media.timestamp |
uint64 |
The timestamp of the event. |
Memory scan injection event (Windows only)
Memory scan injection events are generated in response to instances of covertly injected portable executable (PE) modules discovered when executing the memscan rule action on the endpoint.
The following table describes the injected image attribute, allowed values, and description for each memory scan injection event type.
| Injected image attribute name |
Allowed values |
Description |
| injectedImage.timestamp |
uint64 |
The timestamp of the event. |
| injectedImage.pid |
pid |
The process id of the process in which the injected module was found. |
| injectedImage.imagepath |
string |
The full path of the process executable in which the injected module was found. |
| injectedImage.baseaddress |
uint64 |
The base virtual address where the injected module is loaded in memory. |
| injectedImage.checksum |
uint32 |
The checksum of the injected PE module as pulled from the Checksum field in the PE headers of the injected module in memory. |
| injectedImage.sizeofimage |
uint32 |
The size of the injected PE module, as pulled from the SizeOfImage field in the PE headers of the injected module in memory. |
| injectedImage.owner |
MEMSCAN_OWNER_UNKNOWN MEMSCAN_OWNER_NUIX |
Indicates the source or owner of the injected module: MEMSCAN_OWNER_UNKNOWN indicates that the source of this injected module is unknown and may be malicious. MEMSCAN_OWNER_NUIX indicates that this is an injected module that belongs to Nuix Adaptive Security and is not a security threat. |
Memory scan patch event (Windows only)
Memory scan patch events are generated in response to instances of code patches discovered when executing the memscan rule action on the endpoint.
The following table describes the patched image attribute, allowed values, and description for each memory scan patch event type.
| Patched image attribute name |
Allowed values |
Description |
| patchedImage.timestamp |
uint64 |
The timestamp of the event. |
| patchedImage.pid |
pid |
The process id of the process in which the patched code was found. |
| patchedImage.imagepath |
string |
The full path of the process executable in which the injected module was found. |
| patchedImage.modulepath |
string |
The full path of the process executable in which the injected module was found. |
| patchedImage.baseaddress |
uint64 |
Indicates the virtual address in memory where the patch begins. |
| patchedImage.length |
uint64 |
The length in bytes of the patch. |
| patchedImage.inlinehook |
bool |
Indicates that the patch represents an inline hook used to redirect the flow of execution code to another location in memory. |
| patchedImage.eathook |
bool |
Indicates that the patch is a patch of the PE export address table. |
| patchedImage.targetaddress |
uint64 |
If patchedImage.inlinehook or patchedImage.eathook is TRUE, this field contains the target virtual address for the hook. |
| patchedImage.targetsymbol |
string |
Symbolic name representing the target address in the event of an Export Address Table (EAT) hook or inline hook. Depending on the amount of symbolic data that can be resolved. the content of the string will vary. An example of symbolic data for an inline hook pointing into a non-exported function within chrome.exe is shown below: \Device\HarddiskVolume3\Program Files (x86)\Google\Chrome\Application\chrome.exe!0x00000000000bd9f0 |
| patchedImage.patchsymbol |
string |
Symbolic name representing the address where the patch begins. Depending on the amount of symbolic data that can be resolved, the content of the string will vary. An example of symbolic data for a patch that occurs in a function exported from ntdll.dll is shown below: \Device\HarddiskVolume3\Windows\System32\ntdll.dll!NtOpenSymbolicLinkObject+0x00000020 |
| patchedImage.owner |
MEMSCAN_OWNER_UNKNOWN MEMSCAN_OWNER_NUIX |
Indicates the source or owner of the patch. MEMSCAN_OWNER_UNKNOWN indicates that the source of this patch is unknown and may be malicious. MEMSCAN_OWNER_NUIX indicates that this is a patch installed by Nuix Adaptive Security and is not a security threat. |
Microsoft Defender events (Windows only)
The endpoint agent interacts with Microsoft Defender to identify active threats on the endpoint. When the endpoint agent starts, the endpoint agent polls Microsoft Defender for active threats. After startup, the endpoint agent periodically polls (using a 30-second interval) Microsoft Defender to identify subsequent threats. For each threat reported by Microsoft Defender, the endpoint agent generates an event and sends the event to the filter engine for processing.
The following table describes the defender attribute, allowed values, and description.
| Defender attribute name |
Allowed values |
Description |
| defender.timestamp |
uint64 |
The timestamp of the event. |
| defender.threatid |
uint64 |
GUID uniquely identifying a threat for Microsoft Defender. Note: Windows 7 and versions of Windows greater than Windows 8 use different domains for their GUIDs. |
| defender.threatname |
string |
Name of the threat. |
| defender.threatstatus |
THREAT_STATUS_UNKNOWN THREAT_STATUS_DETECTED THREAT_STATUS_CLEANED THREAT_STATUS_QUARANTINED THREAT_STATUS_REMOVED THREAT_STATUS_ALLOWED THREAT_STATUS_BLOCKED THREAT_STATUS_CLEAN_FAILED THREAT_STATUS_QUARANTINE_FAILED THREAT_STATUS_REMOVE_FAILED THREAT_STATUS_ALLOW_FAILED THREAT_STATUS_ABANDONED THREAT_STATUS_BLOCK_FAILED THREAT_STATUS_INVALID |
The status of the threat at the time the event was received by the filter engine. It is important to understand that Microsoft Defender often cleans/removes/quarantines active threats automatically. If a threat event indicates DETECTED, the threat event may be cleaned automatically in very short order. DETECTED: Threat is discovered, but not remediated. CLEANED: Threat has been eliminated, likely including multiple steps (killing a malicious process and deleting a file). QUARANTINED: Threat has been moved and access has been restricted in a way that it is mitigated presently. REMOVED: Threat has been deleted. Often just deleting a file, otherwise, the status would likely be CLEANED. ALLOWED: The user was prompted with a warning and authorized the threat to proceed. BLOCKED: The threat was prevented, blocked execution, for example, through user action or automatically. THREAT_STATUS_*_FAILED: An attempt was made to perform the action, but that attempt did not succeed. |
| defender.detectiontime |
uint64 |
The timestamp of when Microsoft Defender detected the threat. |
| defender.remediationtime |
uint64 |
The timestamp of when Microsoft Defender cleaned/quarantined/removed the threat. |
| defender.threattype |
THREAT_TYPE_UNKNOWN THREAT_TYPE_KNOWN_BAD THREAT_TYPE_BEHAVIOR THREAT_TYPE_KNOWN_GOOD THREAT_TYPE_NIS |
Microsoft Defender characterizes threat types as follows: KNOWN_BAD: Microsoft Defender matched a threat signature. BEHAVIOR: Microsoft Defender noticed a behavior. KNOWN_GOOD: Microsoft Defender matched a signature, but the "threat" is not a problem (likely used for their testing). NIS: Microsoft Defender observed a network attack (or attempt to attack). |
| defender.threatorigin |
THREAT_ORIGIN_UNKNOWN THREAT_ORIGIN_LOCAL_MACHINE THREAT_ORIGIN_NETWORK_SHARE THREAT_ORIGIN_INTERNET THREAT_ORIGIN_OUTBOUND THREAT_ORIGIN_INBOUND |
Where the threat came from. LOCAL_MACHINE, NETWORK_SHARE, and INTERNET are derived from the NTFS Zone ADS on the threat originating file. OUTBOUND and INBOUND are only applications for NIS-detected events and indicate the direction of network traffic associated with the threat. |
| defender.threatexecutionstatus |
THREAT_EXECUTION_STATUS_UNKNOWN THREAT_EXECUTION_STATUS_BLOCKED THREAT_EXECUTION_STATUS_ALLOWED THREAT_EXECUTION_STATUS_EXECUTING THREAT_EXECUTION_STATUS_NOT_EXECUTING |
Whether or not the threat has executed. UNKNOWN: Microsoft Defender does not know if the threat ran. BLOCKED: Microsoft Defender blocked the threat from running. ALLOWED: The threat was allowed to run. EXECUTING: The threat is currently executing. NOT EXECUTING: The threat is not currently executing. For a threat that was detected as Microsoft Defender attempted to execute, you should see BLOCKED or ALLOWED. For a threat that was detected after Microsoft Defender was already running, you should see EXECUTING. You would perhaps then expect to see NOT_EXECUTING for a threat that was found on disk that was not presently executing or discovered when Microsoft Defender was attempting to execute, but that has never been observed in testing. In that case, UNKNOWN is observed. |
| defender.detectionsource |
THREAT_DETECTION_SOURCE_UNKNOWN THREAT_DETECTION_SOURCE_USER_SCAN THREAT_DETECTION_SOURCE_SYSTEM_SCAN THREAT_DETECTION_SOURCE_REALTIME THREAT_DETECTION_SOURCE_IE_OUTLOOK THREAT_DETECTION_SOURCE_NETWORK_INSPECTION THREAT_DETECTION_SOURCE_IE_BHO THREAT_DETECTION_SOURCE_ELAM THREAT_DETECTION_SOURCE_LOCAL_ATTESTATION THREAT_DETECTION_SOURCE_REMOTE_ATTESTATION THREAT_DETECTION_SOURCE_AMSI |
How did Microsoft Defender come to learn about this threat? UNKNOWN: Have not seen this occur. USER_SCAN: The user requested a scan and the threat was found. SYSTEM_SCAN: A regular recurring scan found the threat. REALTIME: Real-time protection mechanisms. IE_OUTLOOK: Found while scanning browser downloads or email attachments. NETWORK_INSPECTION: Found looking at network traffic. IE_BHO: IExtensionValidation failed to validate a web control. ELAM: Early Load Anti-Malware detected a threat. LOCAL_ATTESTATION: System integrity did not validate based on a local attestation client. REMOTE_ATTESTATION: System integrity did not validate based on a remote attestation client. AMSI: Anti-Malware Scan Interface (used by third-party applications to ask Microsoft Defender to scan resources for them). |
| defender.detectiontype |
THREAT_DETECTION_TYPE_UNKNOWN THREAT_DETECTION_TYPE_CONCRETE THREAT_DETECTION_TYPE_HEURISTIC THREAT_DETECTION_TYPE_GENERIC THREAT_DETECTION_TYPE_SUSPICIOUS THREAT_DETECTION_TYPE_FASTPATH |
A nuanced field considering the threattype field; this field is basically a clarifying or subcategory of that threattype. If a threat is THREAT_TYPE_KNOWN_BAD and THREAT_DETECTION_TYPE_CONCRETE that means that a "concrete" signature (byte pattern or some other unambiguous attribute) was matched to declare the threat a KNOWN_BAD. If the threat is KNOWN_BAD, but the detection type is THREAT_DETECTION_TYPE_HEURISTIC, then the threat matched a heuristic, non-concrete, signature. A THREAT_DETECTION_TYPE_SUSPICIOUS indicates lower confidence that the threat event is a serious risk. It is unknown when THREAT_DETECTION_TYPE_GENERIC or THREAT_DETECTION_TYPE_FASTPATH are used. |
Namespace event (Windows only)
Namespace events are generated in response to Domain Name System queries generated on the endpoint.
Note: Keep the following in mind when capturing namespace Insights: All Namespace events are displayed in the Insights list, including blocked namespace events. Some namespace events, like ns lookup, cannot be captured or blocked.
To know when a namespace is blocked, add an alert. Use the following as an example:
`rulegroup NamespaceAlert
(author="Nuix",
type="Namespace")
{
#
# Alert for Blocked Namespace Event
#
rule(name="Blocked Namespace Event",
description="A blocked namespace event was generated.")
{
alert when namespace.blocked == true;
}
}`
The following table describes the namespace attribute, allowed values, and description for each namespace type.
| Namespace attribute name |
Allowed values |
Description |
| namespace.processname |
string |
The full path of the program that generated the request, for example, "c:\program files\Internet Explorer\iexplore.exe" or similar. |
| namespace.query |
string |
The name to be resolved, for example, "go.microsoft.com", "wpad", www.nuix.com. |
| namespace.pid |
pid |
Process id associated with the namespace activity. |
| namespace.timestamp |
uint64 |
The timestamp of the event. |
| namespace.results |
ipaddr |
This attribute contains a list of IP addresses returned as a result of a successful query. |
| namespace.blocked |
TRUE FALSE |
Indicates whether the namespace query was blocked or not. |
Network event (Windows, macOS, Linux)
Network events are generated when a network connection is established or terminated. Events are also generated periodically during the lifetime of a connection to provide updated statistics on the amount of data transferred to date. Finally, events are generated for certain socket state events of interest such as entering the listening state.
The following table describes the network attribute, allowed values, and description for each network event type.
| Network attribute name |
Allowed values |
Description |
| network.action |
NETFLOW_ESTABLISHED NETFLOW_TERMINATED NETFLOW_HEARTBEAT NETFLOW_OTHER |
Indicates the type of netflow event to match against. NETFLOW_ESTABLISHED: A new TCP session, or the flow of UDP or ICMP traffic between source and destination addresses/ports that have not been seen in the past 60 seconds. NETFLOW_TERMINATED: Termination of a TCP session, or a UDP or ICMP session over which traffic has not flowed in the past 60 seconds. NETFLOW_HEARTBEAT: A heartbeat event, which is generated on a periodic basis (every 10 minutes) for established network connections. NETFLOW_OTHER: Used to indicate socket state change events generated separately from connection establishment/termination events, including when a socket is placed into listening mode. The network.socketstate attribute indicates the state. |
| network.socketstate |
SOCKET_ESTABLISHED SOCKET_CLOSED SOCKET_LISTEN SOCKET_BOUND |
Indicates the state of the socket associated with the network event. SOCKET_ESTABLISHED: Expected for network actions of NETFLOW_ESTABLISHED or NETFLOW_HEARTBEAT. SOCKET_CLOSED: Expected for actions of NETFLOW_TERMINATED. When network.action is NETFLOW_OTHER, the SOCKET_BOUND and SOCKET_LISTEN states can indicate that the socket has been bound to a local IP address and port, for example, the socket bind API has been called on the socket or has been placed in a listening state, for example, the socket listen API has been called on the socket. SOCKET_LISTEN can be useful in detecting processes that are listening for remote connections even if no connections have been established yet. Note: The macOS agent only reports the SOCKET_LISTEN state. No other socket state changes are reported from macOS agents. |
| network.direction |
INBOUND OUTBOUND |
Indicates the direction of the flow associated with the event. INBOUND: Traffic initiated from a remote system to the system running the endpoint client. OUTBOUND: Traffic initiated from the endpoint client system to a remote system. |
| network.ipversion |
IPV4 IPV6 |
Indicates the version of the IP protocol associated with the event. |
| network.local.ipaddr |
ipaddr |
Local address or netmask associated with an inbound or outbound network connection. |
| network.remote.ipaddr |
ipaddr |
The remote address or netmask associated with an inbound or outbound network connection. |
| network.local.port |
uint32 |
Local port associated with an inbound or outbound network connection. |
| network.remote.port |
uint32 |
Remote port associated with an inbound or outbound network connection. |
| network.icmp.type |
uint32 |
ICMP type value associated with an inbound or outbound ICMP packet. |
| network.icmp.code |
uint32 |
ICMP code value associated with an inbound or outbound ICMP packet. |
| network.proto |
PROTO_ICMP PROTO_TCP PROTO_UDP |
The protocol associated with an inbound or outbound network connection. |
| network.pid |
pid |
Process id associated with network activity. |
| network.socketstate |
SOCKET_UNKNOWN SOCKET_CLOSED SOCKET_LISTEN SOCKET_BOUND |
|
| network.preexisting |
bool |
When TRUE, indicates that this network event corresponds to a network state that was pre-existing when the endpoint agent started. For example, the endpoint agent generates network events with an action value of NETFLOW_ESTABLISHED for each existing network connection found when the endpoint agent starts. This field is set to TRUE for each of those events in that scenario. |
| network.sent.bytes |
uint64 |
Total bytes of data sent over a network connection. This count does not include network or transport layer headers for TCP and UDP traffic. For ICMP traffic, the count does not include the network layer header, but it does include the full ICMP message (ICMP header plus the data portion of the ICMP message). |
| network.sent.packets |
uint64 |
Total packets sent over the network connection. |
| network.recv.bytes |
uint64 |
Total bytes of data sent over a network connection. This count does not include network or transport layer headers for TCP and UDP traffic. For ICMP traffic, the count does not include the network layer header, but the count does include the full ICMP message (ICMP header plus the data portion of the ICMP message). |
| network.recv.packets |
uint64 |
Total packets received over the network connection. |
| network.sent.bytes.differential |
uint64 |
Bytes sent over the network connection since the last network event generated for this connection. |
| network.sent.packets.differential |
uint64 |
Packets sent over the network connection since the last network event generated for this connection. |
| network.recv.bytes.differential |
uint64 |
Bytes received over the network connection since the last network event generated for this connection. |
| network.recv.packets.differential |
uint64 |
Packets received over the network connection since the last network event generated for this connection. |
| network.timestamp |
uint64 |
The timestamp of the event. |
Object event (Windows only)
Object events are generated when the Windows kernel object manager creates a new process handle. This occurs when a user process opens a handle to another process. It also happens when a user process creates a child process. A typical use of an object event in a rule is to identify a process attempting to open a handle to a non-child process with access privileges that would allow it to manipulate the memory space of the target process. An example would be a process opening a handle to lsass.exe with access privileges that allow reading of memory from lsass. This is a technique sometimes used to steal credentials. The following table describes the object attribute, allowed values, and description for each object type.
| Object attribute name |
Allowed values |
Description |
| object.operation |
OBJECT_CREATE |
A new object was created. |
| object.callingprocess |
string |
The full path to the executable associated with the process attempting to obtain a handle to another process, for example, \Device\HarddiskVolume1\Windows\explorer.exe or similar. |
| object.targetobjecttype |
OBJECT_TYPE_PROCESS
|
The type of object being operated on. |
| object.targetprocess |
string |
The full path to the executable associated with the process whose handle is being obtained, for example, \Device\HarddiskVolume1\Windows\explorer.exe or similar. |
| object.accessmask |
PROCESS_TERMINATE PROCESS_CREATE_THREAD PROCESS_SET_SESSIONID PROCESS_VM_OPERATION PROCESS_VM_READ PROCESS_VM_WRITE PROCESS_DUP_HANDLE PROCESS_CREATE_PROCESS PROCESS_SET_QUOTA PROCESS_SET_INFORMATION PROCESS_QUERY_INFORMATION PROCESS_SUSPEND_RESUME PROCESS_QUERY_LIMITED_INFORMATION PROCESS_SET_LIMITED_INFORMATION PROCESS_SYNCHRONIZE PROCESS_ALL_ACCESS |
The access mask requested when creating the new object. These values are used to form a bitmask representing the access mask and are not enums. |
| object.targetpid |
pid |
The process id of the process whose object is the target of the operation. |
| object.sourcepid |
pid |
The process id of the process performing the operation. |
| object.userid |
string |
Security identifier (SID) string representing the user associated with the object operation. Well-known SIDs are represented using the Microsoft Security Definition Language. Other SIDS use the standard string representation of a SID (S-R-I-S-S…). |
| object.timestamp |
uint64 |
The timestamp of the event. |
Print event (Windows only)
Print events are generated in response to the completion of a print job and are generated only for print jobs sent through print queues defined on the system where the agent is running.
The following table describes the print event attribute, allowed values, and description for each print event type.
| Print event attribute name |
Allowed values |
Description |
| print.event |
JOB_PRINTED |
Indicates the type of print event. |
| print.totalbytes |
uint32 |
Total bytes in the print job. |
| print.totalpages |
uint32 |
Total pages in the print job. |
| print.printername |
string |
The name of the printer to which the document is printed. |
| print.machinename |
string |
The name of the machine from which the print job is initiated. |
| print.username |
string |
The user name of the user who initiated the print job. |
| print.documentname |
string |
The name of the document printed. The name usually corresponds to the name in the title bar of the application from which the document was printed. |
| print.timestamp |
uint64 |
The timestamp of the event. |
Process event (Windows, macOS, Linux)
Process events are generated in response to processes starting and processes terminating. In addition, when the endpoint agent starts up, the agent enumerates all existing processes on the system and generates events.
The following table describes the process attribute, allowed values, and description for each process event type.
| Process attribute name |
Allowed values |
Description |
| process.state |
PROCESS_EXITED PROCESS_STARTING PROCESS_STARTED PROCESS_EXISTING |
Indicates the process state. PROCESS_STARTING: Process is starting, subject to block rules. PROCESS_STARTED: Process has started. PROCESS_EXITED: Process has exited. PROCESS_EXISTING: Used in process events generated for processes that were in existence at the time the endpoint agent started. |
| process.path |
string |
Indicates the full path of the executable associated with this process event, for example, \device\harddiskvolume1\windows\system32\calc.exe, or similar. |
| process.devicepath |
string |
The kernel device path associated with the executable, for example, \device\harddiskvolume1, or similar. This is only available on Windows. |
| process.parentpath |
string |
Indicates the full path of the executable associated with the parent process. |
| process.md5 |
md5digest |
Indicates the MD5 digest of the executable associated with this process. |
| process.pid |
pid |
Process id for the process being created. |
| process.ppid |
uint32 |
Process id for the parent process. |
| process.cmdline |
string |
Command-line string associated with the process. |
| process.usersid |
string |
Security identifier (SID) string representing the user associated with the process creation. Well-known SIDs are represented using the Microsoft Security Definition Language. Other SIDs use the standard string representation of a SID (S-R-I-S-S…). This is only available on Windows. |
| process.elevation |
PROCESS_ELEVATION_UNKNOWN PROCESS_NOT_ELEVATED PROCESS_ELEVATED |
Indicates whether the process is elevated. Windows considers a process to be elevated when running at an integrity level above medium. UAC elevated processes run with an integrity level of high. |
| process.timestamp |
uint64 |
The timestamp of the event. |
Registry event (Windows Only)
Registry events are generated in response to creating new registry keys, renaming existing registry keys, and setting values under registry keys.
The following table describes the registry attribute, allowed values, and description for each registry event type.
| Registry attribute name |
Allowed values |
Description |
| registry.operation |
REG_SET_VALUE REG_RENAME_KEY REG_PRE_CREATE_KEY_EX |
Indicates the registry operation. |
| registry.valuetype |
REG_NONE REG_SZ REG_EXPAND_SZ REG_BINARY REG_DWORD REG_DWORD_LITTLE_ENDIAN REG_DWORD_BIG_ENDIAN REG_LINK REG_MULTI_SZ REG_RESOURCE_LIST REG_FULL_RESOURCE_DESCRIPTOR REG_RESOURCE_REQUIREMENTS_LIST REG_QWORD REG_QWORD_LITTLE_ENDIAN |
Indicates the type of data being written in the operation. This is REG_NONE for operations other than REG_SET_VALUE. |
| registry.valuesize |
uint32 |
The size in bytes of the value being set in a REG_SET_VALUE operation. |
| registry.value.dword |
uint32 |
The uint32 value being set in a REG_SET_VALUE operation when the registry.valuetype is REG_DWORD. This field is empty for other registry operation types. |
| registry.value.qword |
uint64 |
The uint64 value being set in a REG_SET_VALUE operation when the registry.valuetype is REG_QWORD. This field is empty for other registry operation types. |
| registry.value.string |
string |
The string value is set in a REG_SET_VALUE operation when the registry.valuetype is REG_SZ. This field is empty for other registry operation types. |
| registry.keyname |
string |
The full path of the registry key associated with the registry action. In the case of a REG_RENAME_KEY operation, this field represents the original key name. |
| registry.renamedkeyname |
string |
If the registry operation is REG_RENAME_KEY, this field contains the new name of the key. This field is empty for other registry operation types. |
| registry.valuename |
string |
Contains the name of the value being set or deleted in a REG_SET_VALUE or REG_DELETE_VALUE operation. This field is empty for other registry operation types. |
| registry.usersid |
string |
Security identifier (SID) string representing the user associated with the registry operation. Well known SIDs are represented using the Microsoft Security Definition Language. Other SIDs use the standard string representation of a SID (S-R-I-S-S…). |
| registry.pid |
uint32 |
The process id associated with the registry activity. |
| registry.timestamp |
uint64 |
The timestamp of the event. |
Session event (Windows, macOS, Linux)
Session events are generated in response to logins such as console logins and RDP logins on Windows, and terminal logins and SSH sessions on macOS.
The following table describes the session attribute, allowed values, and description for each session event type.
| Session attribute name |
Allowed values |
Description |
| session.event |
SESSION_LOGON SESSION_LOGOFF SESSION_LOCK SESSION_UNLOCK SESSION_CONNECT SESSION_DISCONNECT |
Indicates the type of session event. SESSION_LOGON and SESSION_LOGOFF correspond to logging on and logging off. Both the Mac and Windows agents generate these alerts. The remaining types correspond only to Windows machines. SESSION_LOCK and SESSION_UNLOCK correspond to locking and unlocking a Windows workstation. SESSION_CONNECT occurs before the login to a new Windows session or when reconnecting to a pre-existing session using the Windows "Switch User" feature or Windows Terminal Services. SESSION_DISCONNECT occurs on Windows when: A user logs out. The Windows “Switch User” feature is used to switch to another session. A Terminal Services session is disconnected (rather than logging out). |
| session.type |
SESSION_TYPE_CONSOLE SESSION_TYPE_REMOTE SESSION_TYPE_SERVICE SESSION_TYPE_TERMINAL |
Indicates the type of session. SESSION_TYPE_CONSOLE indicates a console logon (a logon to the desktop of a Windows or macOS machine). SESSION_TYPE_REMOTE indicates a remote login such as RDP logins or SSH logins. SESSION_TYPE_SERVICE is used for logons performed by Windows services. SESSION_TYPE_TERMINAL is used for macOS and represents a new terminal login, typically associated with a new instance of a terminal window. |
| session.domain |
string |
The domain name associated with the session event. This is only available on Windows. |
| session.username |
string |
The user name associated with the session event. |
| session.locked |
TRUE FALSE |
Indicates the current locked state of the session. |
| session.preexisting |
TRUE FALSE |
When TRUE, indicates that this session event corresponds to a session that was pre-existing when the endpoint agent started. For example, the endpoint agent generates session events with an event value of SESSION_LOGON for each existing session found when the endpoint agent starts. This field is set to TRUE for each of those events in that scenario. Currently, only the Windows agent generates events for pre-existing sessions. The macOS agent does not. |
| session.ipaddr |
ipaddr |
When session.type is SESSION_TYPE_REMOTE, this attribute indicates the IP address of the remote client. |
| session.timestamp |
uint64 |
The timestamp of the event. |
Thread event (Windows only)
Thread events are generated each time a thread is started or exits.
| Thread attribute name |
Allowed values |
Description |
| thread.state |
THREAD_EXITED THREAD_STARTED |
Indicates whether the thread event is for a start or exit. |
| thread.pid |
pid |
The process id for the process in which the thread is running. |
| thread.timestamp |
uint64 |
The timestamp of the event. |
| thread.tid |
utin32 |
The thread id. |
URL event (Windows, macOS, and Linux)
URL events are generated whenever a user clicks a link or enters a URL into the browser’s address bar when using the Edge, Chrome, Firefox and Vivaldi web browsers. URL events effectively mirror the entries recorded in the browser’s history file. If a user types in a URL that does not resolve, it will not show up in the URL events.
The following table describes the events attribute, allowed values, and description for each URL event type.
| Clipboard attribute name |
Allowed values |
Description |
| url.pid |
pid |
The process id for the browser used to visit the URL. |
| url.visit_time |
uint64 |
The timestamp corresponding to the time the URL was visited. |
| url.url |
string |
The URL visited. For example, “http://www.nuix.com”. |
| url.usersid |
string |
Security identifier (SID) string representing the user associated with the URL operation. Well known SIDs are represented using the Microsoft Security Definition Language. Other SIDs use the standard string representation of a SID (S-R-I-S-S…). |
| url.title |
string |
The title of the web page visited. Corresponds with the text that is typically shown in the browser's title bar or in the page's tab. |
| url.timestamp |
uint64 |
The timestamp of the event. |