Search for Signs of Infection

Use these queries to search for malicious behavior occurring in the infection stage of a cyber attack.

The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.

Phishing

Use this request to find shell processes spawned as children of Microsoft Office processes, a common sign of a malicious document delivered by phishing.

Request

# Query path: Process elements with productType MS_OFFICE -> their "children" feature
# -> Process elements with productType SHELL. The shell child is the returned element
# (isResult); customFields selects which process attributes come back.
curl -X POST https://12.34.56.78/rest/visualsearch/query/simple \
  -H 'Content-Type: application/json' \
  -d '{
  "queryPath": [
    {
      "requestedType": "Process",
      "filters": [
        {"facetName": "productType", "values": ["MS_OFFICE"], "filterType": "Equals"}
      ],
      "connectionFeature": {"elementInstanceType": "Process", "featureName": "children"}
    },
    {
      "requestedType": "Process",
      "filters": [
        {"facetName": "productType", "values": ["SHELL"], "filterType": "Equals"}
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "elementDisplayName", "ransomwareAutoRemediationSuspended", "executionPrevented",
    "creationTime", "endTime", "commandLine", "decodedCommandLine",
    "isImageFileSignedAndVerified", "productType", "children", "parentProcess",
    "ownerMachine", "imageFile", "calculatedUser", "pid"
  ]
}'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "-1417547681.9114014601243363792": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "commandLine": {
            "totalValues": 1,
            "values": [
              "Powershell echo"
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1495442695230"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "1804"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1495442696368"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "powershell.exe"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "SHELL"
            ]
          }
        },
        "elementValues": {
          "calculatedUser": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "User",
                "guid": "0.7211211867331652428",
                "name": "test-pc\\test",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "-1417547681.1198775089551518743",
                "name": null,
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "-1417547681.-8191079222435001861",
                "name": "excel.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "-1417547681.534938948395932559",
                "name": "powershell.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "shellOfNonShellRunnerSuspicion": 1495442710604
        },
        "filterData": {
          "sortInGroupValue": "-1417547681.9114014601243363792",
          "groupByValue": "powershell.exe"
        },
        "isMalicious": true,
        "suspicionCount": 1,
        "guidString": "-1417547681.9114014601243363792",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "hostingInjectedThreadSuspicion": {
        "potentialEvidence": [
          "hostingInjectedThreadEvidence"
        ],
        "firstTimestamp": 1506424896610,
        "totalSuspicions": 2
      },
      "shellOfNonShellRunnerSuspicion": {
        "potentialEvidence": [
          "shellOfNonShellRunnerEvidence"
        ],
        "firstTimestamp": 1495442710604,
        "totalSuspicions": 6
      },
      "maliciousScriptExecutionSuspicion": {
        "potentialEvidence": [
          "maliciousScriptExecutionEvidence"
        ],
        "firstTimestamp": 1495449698176,
        "totalSuspicions": 3
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 6,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 6
      },
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": "children"
        },
        "count": 6
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

First execution of downloaded file

Use this request to examine the first execution of a process downloaded from the Internet.

Request

# Query path: a single Process step filtered on the
# firstExecutionOfDownloadedProcessEvidence flag (values [true]); the matching process
# itself is the returned element (isResult).
curl -X POST https://12.34.56.78/rest/visualsearch/query/simple \
  -H 'Content-Type: application/json' \
  -d '{
  "queryPath": [
    {
      "requestedType": "Process",
      "filters": [
        {"facetName": "firstExecutionOfDownloadedProcessEvidence", "values": [true]}
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "elementDisplayName", "ransomwareAutoRemediationSuspended", "executionPrevented",
    "creationTime", "endTime", "commandLine", "decodedCommandLine",
    "isImageFileSignedAndVerified", "productType", "children", "parentProcess",
    "ownerMachine", "imageFile", "calculatedUser", "pid"
  ]
}'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "-2046359355.-446319856563366924": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1512300801309"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "2744"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1512300801311"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "ransomfreetest.exe"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "NONE"
            ]
          }
        },
        "elementValues": {
          "calculatedUser": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "User",
                "guid": "0.-6313743191401684913",
                "name": "internaldomain\\admin",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "-2046359355.1198775089551518743",
                "name": "ADMIN",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "-2046359355.-7870067516287985870",
                "name": "cmd.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "-2046359355.-9136389137007525685",
                "name": "ransomfreetest.exe",
                "hasSuspicions": true,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 1,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "blackListFileSuspicion": 1512300804528
        },
        "filterData": {
          "sortInGroupValue": "-2046359355.-446319856563366924",
          "groupByValue": "ransomfreetest.exe"
        },
        "isMalicious": true,
        "suspicionCount": 1,
        "guidString": "-2046359355.-446319856563366924",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "dualExtensionSuspicion": {
        "potentialEvidence": [
          "dualExtensionNameEvidence",
          "hiddenFileExtensionEvidence",
          "rightToLeftFileExtensionEvidence",
          "masqueradingAsMovieEvidence"
        ],
        "firstTimestamp": 1516033781024,
        "totalSuspicions": 1
      },
      "blackListModuleSuspicion": {
        "potentialEvidence": [
          "blackListModuleEvidence"
        ],
        "firstTimestamp": 1512314218832,
        "totalSuspicions": 1
      },
      "ransomwareByCanaryFilesSuspicion": {
        "potentialEvidence": [
          "ransomwareByCanaryFilesEvidence"
        ],
        "firstTimestamp": 1512313571594,
        "totalSuspicions": 1
      },
      "connectingToBadReputationAddressSuspicion": {
        "potentialEvidence": [
          "hasMaliciousConnectionEvidence"
        ],
        "firstTimestamp": 1516033781024,
        "totalSuspicions": 1
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 13,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 13
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

Processes with autorun registry key

Request

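# Query path: Process elements with the hasAutorun flag (values [true]); the matching
# process itself is the returned element (isResult).
# Fix: the original customFields list ended with a trailing comma after "pid", which
# strict JSON parsers reject, so the request body as written would not parse.
# NOTE(review): hasAutorun alone is broad (the sample response reports 82120 possible
# results); add filters specific to your environment before triage.
curl -X POST https://12.34.56.78/rest/visualsearch/query/simple \
  -H 'Content-Type: application/json' \
  -d '{
  "queryPath": [
    {
      "requestedType": "Process",
      "filters": [
        {"facetName": "hasAutorun", "values": [true]}
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "elementDisplayName", "ransomwareAutoRemediationSuspended", "executionPrevented",
    "creationTime", "endTime", "commandLine", "decodedCommandLine",
    "isImageFileSignedAndVerified", "productType", "children", "parentProcess",
    "ownerMachine", "imageFile", "calculatedUser", "pid"
  ]
}'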

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "267091050.8360534414798058735": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "commandLine": {
            "totalValues": 1,
            "values": [
              "\"C:\\Windows\\system32\\SearchFilterHost.exe\" 0 524 528 536 65536 532"
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1522799390789"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "3636"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1522799456793"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "searchfilterhost.exe"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "NONE"
            ]
          }
        },
        "elementValues": {
          "calculatedUser": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "User",
                "guid": "0.-4551355966977379046",
                "name": "win71-pc\\system",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "267091050.1198775089551518743",
                "name": "WIN71-PC",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "267091050.4930923684479623136",
                "name": "searchindexer.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "267091050.6113587215796295647",
                "name": "searchfilterhost.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {},
        "filterData": {
          "sortInGroupValue": "267091050.8360534414798058735",
          "groupByValue": "searchfilterhost.exe"
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "267091050.8360534414798058735",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "blackListModuleSuspicion": {
        "potentialEvidence": [
          "blackListModuleEvidence"
        ],
        "firstTimestamp": 1515871420726,
        "totalSuspicions": 100
      },
      "connectingToBlackListAddressSuspicion": {
        "potentialEvidence": [
          "hasBlackListConnectionEvidence"
        ],
        "firstTimestamp": 1516016860971,
        "totalSuspicions": 3
      },
      "connectionToBlackListDomainSuspicion": {
        "potentialEvidence": [
          "connectionToBlackListDomainEvidence"
        ],
        "firstTimestamp": 1512305312525,
        "totalSuspicions": 3
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 82120,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 82120
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

Autostart services

Use this request to search for rare, active services whose start type is Auto start; the query returns the unsigned binary file behind each such service.

Request

# Query path: Service elements with startType SERVICE_START_TYPE_AUTO_START, isActive
# true and the rareServiceEvidence flag -> their "binaryFile" feature -> File elements
# with isSigned false. The unsigned binary file is the returned element (isResult).
curl -X POST https://12.34.56.78/rest/visualsearch/query/simple \
  -H 'Content-Type: application/json' \
  -d '{
  "queryPath": [
    {
      "requestedType": "Service",
      "filters": [
        {"facetName": "startType", "values": ["SERVICE_START_TYPE_AUTO_START"], "filterType": "Equals"},
        {"facetName": "isActive", "values": [true]},
        {"facetName": "rareServiceEvidence", "values": [true]}
      ],
      "connectionFeature": {"elementInstanceType": "Service", "featureName": "binaryFile"}
    },
    {
      "requestedType": "File",
      "filters": [
        {"facetName": "isSigned", "values": [false]}
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "elementDisplayName", "maliciousClassificationType", "ownerMachine", "isSigned",
    "signatureVerified", "sha1String", "createdTime", "modifiedTime", "size",
    "correctedPath", "productName", "companyName", "internalName", "productVersion"
  ]
}'

Startup Windows folder

Use this request to search for executable files in the Startup folder, a location that usually stores shortcuts rather than executables.

Request

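# Query path: File elements whose path contains "\startup" and whose display name
# contains ".exe" -> their "ownerMachine" feature -> Machine elements with osVersionType
# Windows_Server_2012. The machine is the returned element (isResult).
# Fix: the original display-name filter used "Equals" with ".exe", which only matches a
# file literally named ".exe" (display names elsewhere in this document are full names
# such as "powershell.exe"), so the query could not return executables. ContainsIgnoreCase
# is the substring operator this document already uses for the path filter.
# NOTE(review): ContainsIgnoreCase also matches names such as "report.exe.txt"; if the
# API offers a suffix-match operator it would be tighter -- confirm against the API reference.
curl -X POST https://12.34.56.78/rest/visualsearch/query/simple \
  -H 'Content-Type: application/json' \
  -d '{
  "queryPath": [
    {
      "requestedType": "File",
      "filters": [
        {"facetName": "path", "values": ["\\startup"], "filterType": "ContainsIgnoreCase"},
        {"facetName": "elementDisplayName", "values": [".exe"], "filterType": "ContainsIgnoreCase"}
      ],
      "connectionFeature": {"elementInstanceType": "File", "featureName": "ownerMachine"}
    },
    {
      "requestedType": "Machine",
      "filters": [
        {"facetName": "osVersionType", "values": ["Windows_Server_2012"], "filterType": "Equals"}
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "elementDisplayName", "osVersionType", "platformArchitecture", "uptime"
  ]
}'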

External connections from processes hosting injected threads

Use this request to find external connections coming from processes that host injected threads.

Request

# Query path: Connection elements with isExternalConnection true, walked in reverse
# (isReversed) over the Process "connections" feature to Process elements carrying the
# hostingInjectedThreadEvidence flag. The process is the returned element (isResult).
curl -X POST https://12.34.56.78/rest/visualsearch/query/simple \
  -H 'Content-Type: application/json' \
  -d '{
  "queryPath": [
    {
      "requestedType": "Connection",
      "filters": [
        {"facetName": "isExternalConnection", "values": [true]}
      ],
      "connectionFeature": {"elementInstanceType": "Process", "featureName": "connections"},
      "isReversed": true
    },
    {
      "requestedType": "Process",
      "filters": [
        {"facetName": "hostingInjectedThreadEvidence", "values": [true]}
      ],
      "isResult": true
    }
  ],
  "totalResultLimit": 1000,
  "perGroupLimit": 100,
  "perFeatureLimit": 100,
  "templateContext": "SPECIFIC",
  "queryTimeout": 120000,
  "customFields": [
    "elementDisplayName", "ransomwareAutoRemediationSuspended", "executionPrevented",
    "creationTime", "endTime", "commandLine", "decodedCommandLine",
    "isImageFileSignedAndVerified", "productType", "children", "parentProcess",
    "ownerMachine", "imageFile", "calculatedUser", "pid"
  ]
}'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "923810613.5459536954088141082": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "commandLine": {
            "totalValues": 1,
            "values": [
              "C:\\Windows\\notepad.exe"
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1512312089658"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "2368"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1512312370121"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "notepad.exe"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "MS_OFFICE"
            ]
          }
        },
        "elementValues": {
          "calculatedUser": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "User",
                "guid": "0.7211211867331652428",
                "name": "test-pc\\test",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "923810613.1198775089551518743",
                "name": "TEST-PC",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "923810613.-5857374796952605910",
                "name": "malopgenerator.exe",
                "hasSuspicions": true,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 1,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "923810613.-321082463497460897",
                "name": "notepad.exe",
                "hasSuspicions": true,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 1,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "connectingToBadReputationAddressSuspicion": 1512312116630,
          "hostingInjectedThreadSuspicion": 1512312887600,
          "hasSuspiciousExternalConnectionSuspicion": 1512312116630
        },
        "filterData": {
          "sortInGroupValue": "923810613.5459536954088141082",
          "groupByValue": "notepad.exe"
        },
        "isMalicious": true,
        "suspicionCount": 3,
        "guidString": "923810613.5459536954088141082",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "blackListModuleSuspicion": {
        "potentialEvidence": [
          "blackListModuleEvidence"
        ],
        "firstTimestamp": 1512305559971,
        "totalSuspicions": 10
      },
      "connectingToBlackListAddressSuspicion": {
        "potentialEvidence": [
          "hasBlackListConnectionEvidence"
        ],
        "firstTimestamp": 1500464023832,
        "totalSuspicions": 4
      },
      "connectionToBlackListDomainSuspicion": {
        "potentialEvidence": [
          "connectionToBlackListDomainEvidence"
        ],
        "firstTimestamp": 1512301930448,
        "totalSuspicions": 3
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 19,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Connection",
          "featureName": null
        },
        "count": 5960
      },
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": "connections"
        },
        "count": 19
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

External connections from processes with Suspicions

Use this request to find external connections coming from processes with Suspicions. The example below narrows the process side of the path to processes that carry hostingInjectedThreadEvidence; change that filter to match the Suspicion you are investigating.

Request

curl --request POST \
  --url https://12.34.56.78/rest/visualsearch/query/simple \
  --header 'Content-Type: application/json' \
  --data '{
            "queryPath": [
                          {
                            "requestedType": "Connection",
                            "filters": [
                                        {
                                          "facetName": "isExternalConnection",
                                          "values": [
                                                      true
                                                    ]
                                        }
                                       ],
                            "connectionFeature": {
                                                  "elementInstanceType": "Process",
                                                  "featureName": "connections"
                                                 },
                            "isReversed": true
                          },
                          {
                            "requestedType": "Process",
                            "filters": [
                                        {
                                          "facetName": "hostingInjectedThreadEvidence",
                                          "values": [
                                                      true
                                                    ]
                                        }
                                       ],
                            "isResult":true
                          }
                         ],
            "totalResultLimit": 1000,
            "perGroupLimit": 100,
            "perFeatureLimit": 100,
            "templateContext": "SPECIFIC",
            "queryTimeout": 120000,
            "customFields": [
                              "elementDisplayName",
                              "ransomwareAutoRemediationSuspended",
                              "executionPrevented",
                              "creationTime",
                              "endTime",
                              "commandLine",
                              "decodedCommandLine",
                              "isImageFileSignedAndVerified",
                              "productType",
                              "children",
                              "parentProcess",
                              "ownerMachine",
                              "imageFile",
                              "calculatedUser",
                              "pid"
                            ]
          }'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "-1791914021.8293258253983840250": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "commandLine": {
            "totalValues": 1,
            "values": [
              "/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking"
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1512498446891"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "900"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1512644640207"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "com.apple.webkit.networking"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "NONE"
            ]
          }
        },
        "elementValues": {
          "calculatedUser": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "User",
                "guid": "0.-5892322381850775686",
                "name": "localuser\\admin",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "-1791914021.1198775089551518743",
                "name": null,
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "-1791914021.8681015292824309857",
                "name": "launchd",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "-1791914021.1904150027510249381",
                "name": "com.apple.WebKit.Networking",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "connectionToBlackListDomainSuspicion": 1515336860778,
          "highNumberOfExternalConnectionsSuspicion": 1512642488897
        },
        "filterData": {
          "sortInGroupValue": "-1791914021.8293258253983840250",
          "groupByValue": "com.apple.webkit.networking"
        },
        "isMalicious": true,
        "suspicionCount": 2,
        "guidString": "-1791914021.8293258253983840250",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "hiddenProcessSuspicion": {
        "potentialEvidence": [
          "hiddenProcessEvidence"
        ],
        "firstTimestamp": 1504002648939,
        "totalSuspicions": 2
      },
      "maliciousSignedUnverifiedSuspicion": {
        "potentialEvidence": [
          "imageFileUnverifiedEvidence"
        ],
        "firstTimestamp": 1506331616644,
        "totalSuspicions": 42
      },
      "processExecutionPreventedByNGAVSuspicion": {
        "potentialEvidence": [
          "processExecutionPreventedByNGAVEvidence"
        ],
        "firstTimestamp": 1514122808150,
        "totalSuspicions": 8
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 610,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Connection",
          "featureName": null
        },
        "count": 121789
      },
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": "connections"
        },
        "count": 610
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

Encoded command

Use this request to search for processes that are not powershell.exe or cmd.exe but are executing PowerShell. The example below matches on a command line that contains "encoded" or "encode" (case-insensitive), so the result set also includes powershell.exe itself, as the sample response shows.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "commandLine",
                                            "values": [
                                                        "encoded",
                                                        "encode"
                                                      ],
                                            "filterType": "ContainsIgnoreCase"
                                          }
                                         ],
                              "isResult":true
                             }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid"
                              ]
            }'

Response

{
   "data": {
     "resultIdToElementDataMap": {
       "-1417547681.-6099520395638744455": {
         "simpleValues": {
           "isImageFileSignedAndVerified": {
             "totalValues": 1,
             "values": [
               "true"
             ]
           },
           "commandLine": {
             "totalValues": 1,
             "values": [
               "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"  -EncodedCommand JwBpAGUAeAAoACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwB3AHcAdwAuAGcAbwBvAGcAbABlAC4AYwBvAG0AJwApACkAOwAnAA=="
             ]
           },
           "creationTime": {
             "totalValues": 1,
             "values": [
               "1495441518959"
             ]
           },
           "pid": {
             "totalValues": 1,
             "values": [
               "1952"
             ]
           },
           "endTime": {
             "totalValues": 1,
             "values": [
               "1495441519604"
             ]
           },
           "decodedCommandLine": {
             "totalValues": 1,
             "values": [
               "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"  -EncodedCommand 'iex((New-Object Net.WebClient).DownloadString('http://www.google.com'));'"
             ]
           },
           "executionPrevented": {
             "totalValues": 1,
             "values": [
               "false"
             ]
           },
           "elementDisplayName": {
             "totalValues": 1,
             "values": [
               "powershell.exe"
             ]
           },
           "productType": {
             "totalValues": 1,
             "values": [
               "SHELL"
             ]
           }
         },
         "elementValues": {
           "calculatedUser": {
             "totalValues": 1,
             "elementValues": [
               {
                 "elementType": "User",
                 "guid": "0.7211211867331652428",
                 "name": "test-pc\\test",
                 "hasSuspicions": false,
                 "hasMalops": false
               }
             ],
             "totalSuspicious": 0,
             "totalMalicious": 0
           },
           "ownerMachine": {
             "totalValues": 1,
             "elementValues": [
               {
                 "elementType": "Machine",
                 "guid": "-1417547681.1198775089551518743",
                 "name": null,
                 "hasSuspicions": false,
                 "hasMalops": false
               }
             ],
             "totalSuspicious": 0,
             "totalMalicious": 0
           },
           "parentProcess": {
             "totalValues": 1,
             "elementValues": [
               {
                 "elementType": "Process",
                 "guid": "-1417547681.-6305483075129395110",
                 "name": "powershell.exe",
                 "hasSuspicions": false,
                 "hasMalops": false
               }
             ],
             "totalSuspicious": 0,
             "totalMalicious": 0
           },
           "imageFile": {
             "totalValues": 1,
             "elementValues": [
               {
                 "elementType": "File",
                 "guid": "-1417547681.1858268050595817728",
                 "name": "powershell.exe",
                 "hasSuspicions": false,
                 "hasMalops": false
               }
             ],
             "totalSuspicious": 0,
             "totalMalicious": 0
           }
         },
         "suspicions": {
           "powerShellDownloaderSuspcion": 1495441530360
         },
         "filterData": {
           "sortInGroupValue": "-1417547681.-6099520395638744455",
           "groupByValue": "powershell.exe"
         },
         "isMalicious": true,
         "suspicionCount": 1,
         "guidString": "-1417547681.-6099520395638744455",
         "labelsIds": null,
         "malopPriority": null
       }
     },
     "suspicionsMap": {
       "powerupExecutionSuspicion": {
         "potentialEvidence": [
           "powerupExecutionEvidence"
         ],
         "firstTimestamp": 1502697699755,
         "totalSuspicions": 2
       },
       "filelessMalwareSuspicion": {
         "potentialEvidence": [
           "parentOfPowerShellProcessRunningJavaScriptEvidence",
           "injectedPowershellProcessEvidence"
         ],
         "firstTimestamp": 1502697669745,
         "totalSuspicions": 2
       },
       "powerShellDownloaderSuspcion": {
         "potentialEvidence": [
           "powershellDownloaderEvidence"
         ],
         "firstTimestamp": 1495441530360,
         "totalSuspicions": 3
       }
     },
     "evidenceMap": {},
     "totalPossibleResults": 3,
     "queryLimits": {
       "totalResultLimit": 1000,
       "perGroupLimit": 100,
       "perFeatureLimit": 100,
       "groupingFeature": {
         "elementInstanceType": "Process",
         "featureName": "imageFileHash"
       },
       "sortInGroupFeature": null
     },
     "queryTerminated": false,
     "pathResultCounts": [
       {
         "featureDescriptor": {
           "elementInstanceType": "Process",
           "featureName": null
         },
         "count": 3
       }
     ]
   },
   "status": "SUCCESS",
   "message": ""
 }

Executed from Temp evidence

Use this request to review processes that were executed from a temporary folder, that have a command line with a parameter pointing to a temporary location, or that have a module located in a temporary folder.

Note

For this query, the OR operator is not supported. As a result, you must either execute three separate queries (one per filter) or execute a single query that includes all three filters.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath":[
                            {
                              "requestedType":"Process",
                              "filters": [
                                          {
                                            "facetName": "runningFromTempEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "isResult":true
                            }
                          ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid"
                              ]
            }'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "-2121263591.-1170597184827326668": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "commandLine": {
            "totalValues": 1,
            "values": [
              "\"c:\\temp\\nothing209.exe\""
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1523873943744"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "4640"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1523873943793"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "nothing209.exe"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "NONE"
            ]
          }
        },
        "elementValues": {
          "children": {
            "totalValues": 1,
            "elementValues": null,
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "calculatedUser": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "User",
                "guid": "0.7714334058151834290",
                "name": "desktop-ko9mk53\\system",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "-2121263591.1198775089551518743",
                "name": "DESKTOP-KO9MK53",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "parentProcess": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Process",
                "guid": "-2121263591.3346991678838942661",
                "name": "drivertester.exe",
                "hasSuspicions": true,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 1,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "-2121263591.-2222875830664609005",
                "name": "nothing209.exe",
                "hasSuspicions": true,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 1,
            "totalMalicious": 0
          }
        },
        "suspicions": {
          "privilegeEscalationSuspicion": 1523873951364
        },
        "filterData": {
          "sortInGroupValue": "-2121263591.-1170597184827326668",
          "groupByValue": "nothing209.exe"
        },
        "isMalicious": false,
        "suspicionCount": 1,
        "guidString": "-2121263591.-1170597184827326668",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "dualExtensionSuspicion": {
        "potentialEvidence": [
          "dualExtensionNameEvidence",
          "hiddenFileExtensionEvidence",
          "rightToLeftFileExtensionEvidence",
          "masqueradingAsMovieEvidence"
        ],
        "firstTimestamp": 1496563660122,
        "totalSuspicions": 44
      },
      "blackListModuleSuspicion": {
        "potentialEvidence": [
          "blackListModuleEvidence"
        ],
        "firstTimestamp": 1499871083186,
        "totalSuspicions": 42
      },
      "legitProcessInjectionSuspicion": {
        "potentialEvidence": [
          "detectedInjectedEvidence"
        ],
        "firstTimestamp": 1509888844361,
        "totalSuspicions": 7
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 3445,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 3445
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "commandLineContainsTempEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid"
                              ]
            }'

Response

{
  "data": {
    "resultIdToElementDataMap": {
      "2026955568.5225164528629616608": {
        "simpleValues": {
          "isImageFileSignedAndVerified": {
            "totalValues": 1,
            "values": [
              "true"
            ]
          },
          "commandLine": {
            "totalValues": 1,
            "values": [
              "\"C:\\Program Files (x86)\\Steam2\\bin\\cef\\cef.win7\\steamwebhelper.exe\" \"-lang=en_US\" \"-cachedir=C:\\Users\\yoni\\AppData\\Local\\Steam\\htmlcache\" \"-steampid=13612\" \"-buildid=1513371133\" \"-steamid=76561198314137328\" \"-clientui=C:\\Program Files (x86)\\Steam2\\clientui\" --disable-spell-checking --disable-out-of-process-pac --enable-blink-features=ResizeObserver --disable-smooth-scrolling --disable-gpu-compositing --disable-gpu --enable-direct-write \"--log-file=C:\\Program Files (x86)\\Steam2\\logs\\cef_log.txt\""
            ]
          },
          "creationTime": {
            "totalValues": 1,
            "values": [
              "1517824706191"
            ]
          },
          "pid": {
            "totalValues": 1,
            "values": [
              "10188"
            ]
          },
          "endTime": {
            "totalValues": 1,
            "values": [
              "1517824706274"
            ]
          },
          "executionPrevented": {
            "totalValues": 1,
            "values": [
              "false"
            ]
          },
          "elementDisplayName": {
            "totalValues": 1,
            "values": [
              "steamwebhelper.exe"
            ]
          },
          "productType": {
            "totalValues": 1,
            "values": [
              "NONE"
            ]
          }
        },
        "elementValues": {
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "Machine",
                "guid": "2026955568.1198775089551518743",
                "name": "MYMACHINE",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          },
          "imageFile": {
            "totalValues": 1,
            "elementValues": [
              {
                "elementType": "File",
                "guid": "2026955568.-8033472267670717927",
                "name": "steamwebhelper.exe",
                "hasSuspicions": false,
                "hasMalops": false
              }
            ],
            "totalSuspicious": 0,
            "totalMalicious": 0
          }
        },
        "suspicions": {},
        "filterData": {
          "sortInGroupValue": "2026955568.5225164528629616608",
          "groupByValue": "steamwebhelper.exe"
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "2026955568.5225164528629616608",
        "labelsIds": null,
        "malopPriority": null
      }
    },
    "suspicionsMap": {
      "blackListModuleSuspicion": {
        "potentialEvidence": [
          "blackListModuleEvidence"
        ],
        "firstTimestamp": 1496821698576,
        "totalSuspicions": 55
      },
      "suspiciousSignedUnverifiedFileSuspicion": {
        "potentialEvidence": [
          "signatureVerificationStatusBadChainOfTrustEvidence",
          "signatureVerificationStatusMisuseEvidence",
          "imageFileUnverifiedEvidence",
          "signatureVerificationStatusExplicitlyRevokedEvidence"
        ],
        "firstTimestamp": 1506680247727,
        "totalSuspicions": 1
      },
      "maliciousSignedUnverifiedSuspicion": {
        "potentialEvidence": [
          "imageFileUnverifiedEvidence"
        ],
        "firstTimestamp": 1506933478175,
        "totalSuspicions": 12
      }
    },
    "evidenceMap": {},
    "totalPossibleResults": 5786,
    "queryLimits": {
      "totalResultLimit": 1000,
      "perGroupLimit": 100,
      "perFeatureLimit": 100,
      "groupingFeature": {
        "elementInstanceType": "Process",
        "featureName": "imageFileHash"
      },
      "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
      {
        "featureDescriptor": {
          "elementInstanceType": "Process",
          "featureName": null
        },
        "count": 5786
      }
    ]
  },
  "status": "SUCCESS",
  "message": ""
}

Suspicious temp file

Use this request to review processes running from a temporary folder that have external connections and injected processes.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath": [
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName": "runningFromTempEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          },
                                          {
                                            "facetName":"hasExternalConnection",
                                            "values": [
                                                        true
                                                      ]
                                          },
                                          {
                                            "facetName": "detectedInjectedEvidence",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "isResult":true
                            }
                           ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid"
                              ]
            }'

Rare extension

Use this request to search for processes with rare extensions.

Request

curl --request POST \
    --url https://12.34.56.78/rest/visualsearch/query/simple \
    --header 'Content-Type: application/json' \
    --data '{
              "queryPath":[
                            {
                              "requestedType": "Process",
                              "filters": [
                                          {
                                            "facetName":"rareExtension",
                                            "values": [
                                                        true
                                                      ]
                                          }
                                         ],
                              "isResult":true
                            }
                          ],
              "totalResultLimit": 1000,
              "perGroupLimit": 100,
              "perFeatureLimit": 100,
              "templateContext": "SPECIFIC",
              "queryTimeout": 120000,
              "customFields": [
                                "elementDisplayName",
                                "ransomwareAutoRemediationSuspended",
                                "executionPrevented",
                                "creationTime",
                                "endTime",
                                "commandLine",
                                "decodedCommandLine",
                                "isImageFileSignedAndVerified",
                                "productType",
                                "children",
                                "parentProcess",
                                "ownerMachine",
                                "imageFile",
                                "calculatedUser",
                                "pid"
                              ]
            }'