Query Elements and Features

Queries consist of Elements, Features, operators, and values. Elements are components of your Cybereason platform, such as machines, users, and processes. Each Element exposes a number of Features that you can filter on to narrow your query requests.

The following tables list Elements and Features available for use in the Cybereason UI and API calls.

Elements

Use these values to represent each Element in a query request:

Note

Some Elements below are relevant only with the Cybereason platform’s XDR module. To use the XDR module, you can add the XDR package to your Cybereason platform for an additional cost. Contact your Customer Success Manager to request access to this package.

Element UI Name

API Name

Description

Attachments

attachment

A file attached to a message.

Automatic Execution

AutomaticExecution

An operation that is run automatically.

Connection

Connection

A connection operation between machines, processes, and so forth.

Detection Event

DetectionEvents

An event on which a detection (evidence, suspicion, or Malop) was generated.

DNS query resolved Domain to Domain

DnsQueryResolvedDomainToDomain

A resolved DNS query in which a domain name resolved to another domain name (for example, a CNAME record).

DNS query resolved Domain to IP

DnsQueryResolvedDomainToIp

A resolved DNS query in which a domain name resolved to an IP address (for example, an A record).

DNS query resolved IP to Domain

DnsQueryResolvedIpToDomain

A resolved DNS query in which an IP address resolved to a domain name (a reverse lookup, for example a PTR record).

DNS query unresolved from Domain

DnsQueryUnresolvedFromDomain

A DNS query for a domain name that did not resolve.

DNS query unresolved from IP

DnsQueryUnresolvedFromIp

A DNS query for an IP address (reverse lookup) that did not resolve.

Domain Name

DomainName

The name of a domain.

Driver

Driver

A driver for a machine, process, and so forth.

Email address

emailAddress

An email address associated with a user.

Event

Event

A security event sent from another security vendor.

File

File

A file involved in an operation.

File Event

FileAccessEvent

Operation performed by a process on a file.

Forensic Artifacts

forensicArtifacts

Data collected from a forensic tool.

Function Details

FunctionDetails

Information about a running function.

Group

Group

A group of users for a specific asset.

Hosts File

HostsFile

The file on an operating system that maps host names to IP addresses.

Image file

File

The file from the disk that executes the process.

IP Address

IpAddress

The IP address of an operation.

IP Range Scan

IpRangeScan

An operation that scans the IP addresses in a range.

Listening connection

ListeningConnection

The connection on the machine that listens for incoming connection requests.

Local network

LocalNetwork

A LAN for a specific area.

Logon session

LogonSession

A computing session beginning with successful logon and ending with a user log off operation.

Machine

Machine

The machine involved in an operation.

Malop Logon session

MalopLogonSession

The specific computing session when the user was logged on in which a Malop was created.

Malop Process

MalopProcess

The specific process involved in a Malop.

Message

Message

A message sent from a user.

Module

Module

The module involved in an operation.

Mount point

MountPoint

A directory on which an accessible file system is mounted.

MS-RPC

Msrpc

A Remote Procedure Call (RPC) operation on a machine running Windows.

Network Interface

NetworkInterface

The interface between two items in a computer network.

Network Machine

NetworkMachine

A machine running on a network involved in an operation.

Process

Process

The process involved in an operation.

Proxy

Proxy

The proxy used for a connection.

QuarantineFile

QuarantineFile

The file involved in a quarantine operation.

Registry Entry

Autorun

An item in the computer’s registry.

Registry Event

RegistryEvent

An event performed on a specific registry entry.

Remote Session

RemoteSession

A computing session where a user accesses a machine running in a remote place.

Resource

Resource

A resource on another platform.

Role

Role

A role assigned to a user or group.

Scheduled task

ScheduledTask

A task scheduled to run at a certain time by the operating system’s task scheduler.

Scheduled task action

ExecutableTaskAction

The action that runs when a task runs from the task scheduler.

Service

Service

A service involved in an operation.

User Account

User

The user account for a specific activity.

User Identity

UserIdentity

The unique user in an operation.

Wmi Persistent Object

WmiPersistentObject

An object created when working with the WMI capability of the Windows operating system.

Feature values per Element

The following tables list Features available per Element. Use the following values in the “UI Name” columns when constructing queries in the Cybereason UI, and use the values in the “API Name” columns in API query requests.

In the tables, Features that are references to another Element are noted in bold. Note that in some cases, the name for the Feature linking to another Element differs from the Element name itself.

Attachments (XDR)

Use these features as filters for the Attachment Element:

UI Name

API Name

Type

Description

Extension type

extensionType

String

The type of extension for this attachment.

File name

name

String

The name of the file in the attachment.

Machines

machines

Collect

A list of the machines on which this attachment was found.

MD5 signature

md5

String

The MD5 file hash value for the attachment.

Path

path

String

The path to the file for this attachment.

SHA1 Signature

sha1

String

The SHA-1 file hash value for the attachment.

SHA256 Signature

sha256

String

The SHA-256 file hash value for the attachment.

Size

size

Integer

The size of the attachment.

Signer

signer

String

The name of the organization that signed the attachment.


Automatic Execution (EDR)

Use these features as filters for the Attachment Element:

UI Name

API Name

Type

Description

Extension type

extensionType

String

The type of extension for this attachment.

File name

name

String

The name of the file in the attachment.

Machines

machines

Collect

A list of the machines on which this attachment was found.

MD5 signature

md5

String

The MD5 file hash value for the attachment.

Path

path

String

The path to the file for this attachment.

SHA1 Signature

sha1

String

The SHA-1 file hash value for the attachment.

SHA256 Signature

sha256

String

The SHA-256 file hash value for the attachment.

Size

size

Integer

The size of the attachment.

Signer

signer

String

The name of the organization that signed the attachment.


Connection (EDR and XDR)

Use these features as filters for the Connection Element:

UI Name

API Name

Type

Description

Absolute high transmitted bytes

absoluteHighTransmittedBytesEvidence

Boolean

Indicates whether there is evidence the connection transferred a high volume of data.

Address accessed by Malware

accessedByMalwareEvidence

Boolean

Indicates whether there is evidence the connection’s remote address is used by malware.

App-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise

passwordDataLeakEvidence

Boolean

Indicates there is evidence of app-based communication with a password in an unencrypted or easily decrypted format.

App-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise

passwordDataLeakSuspicion

Boolean

Indicates there is evidence of app-based communication with a password in an unencrypted or easily decrypted format.

App-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) format

userInformationDataLeakEvidence

Boolean

Indicates there is evidence of app-based communication with an identifiable service user name in an unencrypted or easily decrypted format.

Application

application

String

The name of the application that is the target of the connection.

Application protocol used

protocol

String

Protocol name used by the application initiating the connection.

Associated listening socket

parent

String

The local address and port of the parent listening socket.

Blocklisted URL domain

blackListUrlDomainEvidence

Boolean

Indicates whether or not the connection is communicating with a domain on the blocklist.

Browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format

creditCardDataLeakEvidence

Boolean

Indicates there is evidence of browser-based communication in which the communication contains a credit card number that is not encrypted or is easily decrypted.

Browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format

creditCardDataLeakSuspicion

Boolean

Indicates there is browser-based communication in which the communication contains a credit card number that is not encrypted or is easily decrypted.

Browser-based communication that includes the device’s physical geo-location in an unencrypted (or easily decrypted) format

webLocationDataLeakEvidence

Boolean

Indicates there is evidence of browser-based communication in which the communication contains the device’s physical geo-location.

Browser-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format

webEmailInformationDataLeakEvidence

Boolean

Indicates there is evidence of browser-based communication in which the communication contains an email address in an unencrypted or easily decrypted format.

Classification type

remoteAddressMaliciousClassificationType

Enum

Classification for the remote address. Possible values include:

  • Blacklisted

  • Detected by Anti-Malware

  • Hacking tool

  • Malicious tool

  • Malware

  • Neutral

  • None found

  • Ransomware

  • Sinkhole domain

  • Suspicious

  • Unknown

  • Unresolved domain

  • Unwanted program

  • Whitelisted

Connection to domain on blocklist

blackListDomainSuspicion

Boolean

Indicates whether or not the connection is communicating with a domain on the blocklist

Connection to IP address on the blocklist

blackListIPSuspicion

Boolean

Indicates whether or not the connection is communicating with an IP address on the blocklist

Connected to FTP port

ftpPortEvidence

Boolean

Indicates whether or not the connection uses an outgoing FTP port

Connected to IRC port

ircPortEvidence

Boolean

Indicates whether or not the connection uses an outgoing IRC port

Connected to mail port

mailPortEvidence

Boolean

Indicates whether or not the connection uses an outgoing mail port

Connected to Tor port

torPortEvidence

Boolean

Indicates whether or not the connection uses an outgoing TOR port

Connection name

elementDisplayName

String

Source and target IP addresses of the connection

Duration

duration

Long

The connection duration in nanoseconds

HTTP method

httpRequestMethod

String

HTTP method used in the communication

Remote address for connection used by malware

connectionToAddressUsedByMalwareSuspicion

Boolean

Indicates whether the remote address of this connection was used by malware but was not used by legitimate process

Connection to malicious address

maliciousConnectionSuspicion

Boolean

Indicates whether this connection is directed to an address that was identified as malicious

Connection to proxy

isConnectionToProxy

Boolean

Indicates whether the connection is targeting a proxy address

Connection to Tor address

connectionToTorAddressEvidence

Boolean

Indicates whether Cybereason identified the connection’s remote address as an address in the TOR network

Device configurations that may put corporate and personal data at risk

untrustedProfileEvidence

Boolean

Indicates that there is evidence configurations on the device may put corporate and personal data at risk

Device configurations that may put corporate and personal data at risk

untrustedProfileByDomainSuspicion

Boolean

Indicates that configurations on the device may put corporate and personal data at risk

DNS query

dnsQuery

Array

Collection of DNS queries associated with this connection

Direction

direction

Enum

Direction of the connection. Possible values include:

In the UI:

  • Incoming

  • Incoming (guessed)

  • Outgoing

  • Outgoing (guessed)

  • Unknown

In the API:

  • INCOMING

  • INCOMING_GUESSED

  • OUTGOING

  • OUTGOING_GUESSED

  • UNKNOWN

Domain name

domainName

String

The domain name associated with this connection

Malicious process opened external connection

externalConnectionOfMaliciousProcessByHashSuspicion

Boolean

Indicates whether this external connection was marked as suspicious since it was executed by a malicious process and may be part of the malicious activity of the process

External connection to well known port

externalConnectionToWellKnownPortEvidence

Boolean

Indicates whether there is evidence the connection is an external connection that uses a well-known port (a port number below 1024)

Has Malops

hasMalops

Boolean

Indicates whether or not the connection is associated with any Malops

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the connection is associated with any suspicions

High data volume transmission to malicious address

absoluteHighDataVolumeTransmittedToMaliciousAddressSuspicion

Boolean

Indicates whether this connection was identified as transmitting high data volume to an address marked as malicious

Internal connection of a malicious process

internalConnectionOfMaliciousProcessByHashSuspicion

Boolean

Indicates whether this internal connection was marked as suspicious since it was executed by a malicious process hence may be part of the malicious activity of the process

Destination IP address (NAT)

destinationNatIpAddress

IP address

IP address (in NAT format) for the destination of the connection

Port (NAT) for connection destination

destinationNatPort

Integer

The port in NAT form for the destination of the connection

Irrelevant or unsolicited content that is disseminated for the purposes of advertising, phishing or spreading malware

unwantedWebContentEvidence

Boolean

Indicates the device received irrelevant or unsolicited content sent for advertising or phishing reasons, or for the purposes of spreading malware

Is external

isExternalConnection

Boolean

Indicates whether or not the connection is an external connection

Is incoming

isIncoming

Boolean

Indicates whether or not the connection is an incoming connection

Is live connection

isLiveConnection

Boolean

Indicates whether or not the connection is currently open

Is live owner process

isLiveProcess

Boolean

Indicates whether or not the connection’s owner process is currently running

Is proxy connection

isProxyConnection

Boolean

Indicates whether or not the connection is targeting a proxy address

Is related to Malop

relatedToMalop

Boolean

Indicates whether or not the connection is related to a malicious operation

Is well known port

isWellKnownPort

Boolean

Indicates whether or not the connection uses a well known port

Local address

localAddress

String

The local address associated with the connection

Local port

localPort

Integer

The local port number used by the connection

Malicious address

maliciousAddressEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service identifies the connection’s remote address as malicious

Malicious domain

suspiciousDomainEvidence

Boolean

Indicates whether there is evidence that Cybereason threat intelligence classified the domain the connection uses as suspicious

Domain for connection classified as malicious

domainClassificationSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified the domain the connection uses as suspicious

Network access to a web service that is known to demonstrate malicious behavior

connectionToMaliciousDomainEvidence

Boolean

Indicates there is evidence the device has network access to a web service that is known by threat intelligence sources to demonstrate malicious behavior

Network access to a web service that is known to demonstrate malicious behavior

connectionToMaliciousDomainSuspicion

Boolean

Indicates the device has network access to a web service that is known by threat intelligence sources to demonstrate malicious behavior

Opened by legitimate process

isProcessLegit

Boolean

Indicates whether or not the process that opened the connection is known to be legitimate

Opened by malware

isProcessMalware

Boolean

Indicates whether or not the process that opened the connection is known to be malware

Origin URL for request

httpRequestReferrer

String

The value of the HTTP Referer header for the request, that is, the URL of the page from which the request originated

Outgoing connection with listening socket

outgoingWithListeningConnectionEvidence

Boolean

Indicates whether there is evidence the connection is an outgoing connection with a listening socket

Owner machine

ownerMachine

String

Name of the machine from which the connection originated

Owner process

ownerProcess

String

The name of the process that created the connection

Port (NAT) for connection source

sourceNatPort

Integer

The port in NAT form for the origin of the connection

Port description

portDescription

String

The description of the port used by the connection

Port type

portType

Enum

The type of service that opened the connection. Possible values include:

In the UI:

  • FTP

  • HTTP

  • IRC

  • Mail

  • Malware

  • None

  • Service

  • Tor

  • Windows

In the API:

  • SERVICE_FTP

  • SERVICE_HTTP

  • SERVICE_IRC

  • SERVICE_MAIL

  • MALWARE

  • NONE

  • SERVICE

  • SERVICE_TOR

  • SERVICE_WINDOWS

Process Malicious by Hash

isProcessMaliciousByHashEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service identified the process creating the connection as malicious by its image file’s hash

Process name

processName

String

The name of the process that created the connection

Rare address for machine

rareAddressOnMachineEvidence

Boolean

Indicates whether there is evidence the connection’s address is rare for the associated machine

Rare address for process

rareAddressByProcessEvidence

Boolean

Indicates whether there is evidence the connection’s address is rare for the associated process

Rare address location by process

rareAddressInternalExternalLocalByProcessEvidence

Boolean

Indicates whether there is evidence the connection’s remote address location (external/ internal/ local) is unusual for the associated process

Rare connection direction for process

rareDirectionByProcessEvidence

Boolean

Indicates whether there is evidence the connection direction is rare for the associated process

Rare port for address

rarePortAddressByProcessEvidence

Boolean

Indicates whether there is evidence the port used by the connection is rare for the associated address

Rare port for process

rarePortByProcessEvidence

Boolean

Indicates whether or not there is evidence the port used by the connection is rare for the associated process

Rare port type for process

rarePortTypeByProcessEvidence

Boolean

Indicates whether there is evidence the port type of the port used by the connection is rare for the associated process

Rare remote address country for machine

rareCountryByMachineEvidence

Boolean

Indicates whether there is evidence the country location for the remote address of the connection is rare for the associated machine

Rare remote address country for process

rareCountryByProcessEvidence

Boolean

Indicates whether there is evidence the country location for the remote address for the connection is rare for the associated process

Received bytes

aggregatedReceivedBytesCount

Long

The number of bytes received by the connection

Received bytes count

receivedBytesCount

Long

The amount of data (in bytes) received in this connection

Remote address

remoteAddress

String

The address for the remote connection

Remote address location

remoteAddressCountryName

String

The name of the country for the remote address for the connection

Remote address name

remoteAddressName

String

The name associated with the remote address for the connection

Remote address type

remoteAddressInternalExternalLocal

Enum

The type of the remote address for the connection. Possible values include:

In the UI:

  • Dynamic Configuration

  • External

  • Internal

  • Local

  • Proxy

In the API:

  • DYNAMIC_CONFIGURATION

  • EXTERNAL

  • INTERNAL

  • LOCAL

  • PROXY

Remote machine

remoteMachine

String

The name of the machine involved in the connection

Remote port

remotePort

Integer

The port on the target machine used to establish the connection

Request header with requester details

httpUseragent

String

The HTTP User-Agent header sent with the request, which identifies the requesting client software

Response code for request

httpResponseCode

String

The response code for the request in the connection

Server address

serverAddress

String

The address for the server side of the connection

Server port

serverPort

Integer

The port used for the server side of the connection

Session ID

sessionId

String

Session ID for the connection

Significantly low ratio of address for machine

lowAddressByMachineEvidence

Boolean

Indicates whether there is evidence the address for the machine associated with the connection shows up significantly less than addresses for other machines in the environment

Significantly low ratio of address for process

lowAddressByProcessEvidence

Boolean

Indicates whether there is evidence the remote address for the process involved in the connection shows up significantly less than addresses for other processes in the environment

Significantly low ratio of address for process on machine

lowAddressOnMachineByProcessRatioEvidence

Boolean

Indicates whether there is evidence the address for the connection opened by the process on the machine shows up significantly less than process addresses on other machines in the environment

Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form

maliciousPhishingEvidence

Boolean

Indicates there is evidence of the device visiting a site designed (through the use of what appears to be a trusted web form) to deceive the user to enter and submit sensitive information

Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form

maliciousPhishingSuspicion

Boolean

Indicates the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the user into entering and submitting sensitive information

Site designed to secretly hijack the target’s device to mine cryptocurrencies

cryptojackingDomainEvidence

Boolean

Indicates there is evidence the device visited a site designed to hijack the device and use the device to mine cryptocurrencies.

Site designed to secretly hijack the target’s device to mine cryptocurrencies

cryptojackingDomainSuspicion

Boolean

Indicates there is evidence the device visited a site designed to hijack the device and use the device to mine cryptocurrencies.

Source IP address (NAT)

sourceNatIpAddress

IP address

IP address (in NAT format) for the entity that initiated the connection

State

state

Enum

The state of the connection. Possible values include:

In the UI:

  • Closed

  • Close wait

  • Embryonic

  • Established

  • Listening

  • Open

  • Unknown

In the API:

  • CONNECTION_CLOSED

  • CONNECTION_CLOSE_WAIT

  • CONNECTION_EMBRYONIC

  • CONNECTION_ESTABLISHED

  • CONNECTION_LISTENING

  • CONNECTION_OPEN

  • CONNECTION_UNKNOWN

Suspicious

isSuspicious

Boolean

Indicates whether or not Cybereason detected suspicions associated with this connection.

Suspicious URL domain

suspiciousUrlDomainEvidence

Boolean

Indicates whether there is evidence that one of the URLs associated with the connection is classified as suspicious.

Suspicious URL domain

urlDomainClassificationSuspicion

Boolean

Indicates whether one of the URLs associated with the connection is classified as suspicious

Transmitted bytes

aggregatedTransmittedBytesCount

Long

The number of bytes transmitted by the connection.

Transport protocol

transportProtocol

Enum

The protocol used to establish the connection. Possible values include:

In the UI:

  • ICMP

  • TCP

  • UDP

  • Other

In the API:

  • ICMP

  • TCP

  • UDP

  • OTHER

URL domains

urlDomains

String

Collection of all domains of the URLs that were associated with this connection

URL for connection destination

UrlDomain

String

Unmodified URL for destination of the connection as reported from the event source.
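The tables above give the API names, types and enum values you need to turn a filter written the way it appears in the UI into an API query request. The following added example (not code from the Cybereason documentation, UI or SDK) uses a subset of the Connection Element's Features, copied from the table above, to validate filter names and values, translate UI enum labels such as "Outgoing (guessed)" to their API values, and assemble a hunting query for live outgoing TCP connections to external addresses tagged as Tor. The request body shape (queryPath, requestedType, filters with facetName/values/filterType, isResult, customFields) and the filterType names are assumptions about the Cybereason visual-search query endpoint (POST /rest/visualsearch/query/simple), not something this page documents; check them against your platform version before use.

```python
"""Build a Cybereason query request body from this page's Element and Feature names.

Added example; not code from Cybereason. The Feature API names, types and enum values
are copied from the Connection table on this page. ASSUMED (verify on your platform):
the request body shape and the filterType names, modelled on the visual-search
query endpoint POST /rest/visualsearch/query/simple.
"""
import json

# Subset of the Connection Element's Features from the table above:
# API name -> (Type, {UI label: API value} for Enum features, else None)
CONNECTION_FEATURES = {
    "isExternalConnection": ("Boolean", None),
    "isLiveConnection": ("Boolean", None),
    "connectionToTorAddressEvidence": ("Boolean", None),
    "maliciousAddressEvidence": ("Boolean", None),
    "remotePort": ("Integer", None),
    "remoteAddress": ("String", None),
    "domainName": ("String", None),
    "ownerProcess": ("String", None),
    "direction": ("Enum", {
        "Incoming": "INCOMING", "Incoming (guessed)": "INCOMING_GUESSED",
        "Outgoing": "OUTGOING", "Outgoing (guessed)": "OUTGOING_GUESSED",
        "Unknown": "UNKNOWN"}),
    "transportProtocol": ("Enum", {"ICMP": "ICMP", "TCP": "TCP", "UDP": "UDP", "Other": "OTHER"}),
    "remoteAddressInternalExternalLocal": ("Enum", {
        "Dynamic Configuration": "DYNAMIC_CONFIGURATION", "External": "EXTERNAL",
        "Internal": "INTERNAL", "Local": "LOCAL", "Proxy": "PROXY"}),
}
# UI Name -> API Name, also from the Connection table, so a filter can be written
# with the name shown in the UI and translated to the name the API expects.
CONNECTION_UI_NAMES = {
    "Is external": "isExternalConnection",
    "Is live connection": "isLiveConnection",
    "Connection to Tor address": "connectionToTorAddressEvidence",
    "Malicious address": "maliciousAddressEvidence",
    "Remote port": "remotePort",
    "Remote address": "remoteAddress",
    "Domain name": "domainName",
    "Owner process": "ownerProcess",
    "Direction": "direction",
    "Transport protocol": "transportProtocol",
    "Remote address type": "remoteAddressInternalExternalLocal",
}
CATALOG = {"Connection": (CONNECTION_FEATURES, CONNECTION_UI_NAMES)}
PYTHON_TYPES = {"Boolean": bool, "Integer": int, "Long": int, "String": str}
# Assumed filterType names; "Equals" is the one used for Boolean and Enum matches.
FILTER_TYPES = {"Equals", "NotEquals", "ContainsIgnoreCase", "GreaterThan", "LessThan"}


def resolve_feature(element, name):
    """Accept either the UI Name or the API Name of a Feature; return the API Name."""
    features, ui_names = CATALOG[element]
    api_name = ui_names.get(name, name)
    if api_name not in features:
        raise ValueError(f"{name!r} is not a known Feature of {element}")
    return api_name


def to_api_value(element, api_name, value):
    """Coerce one filter value to what the API expects and reject type mismatches."""
    ftype, enum_map = CATALOG[element][0][api_name]
    if ftype == "Enum":
        if value in enum_map.values():      # already an API enum value
            return value
        if value in enum_map:               # UI label -> API value
            return enum_map[value]
        raise ValueError(f"{value!r} is not a valid value for {api_name}")
    expected = PYTHON_TYPES[ftype]
    # bool is a subclass of int, so guard Integer/Long against True/False explicitly
    if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
        raise TypeError(f"{api_name} expects {ftype}, got {type(value).__name__}")
    return value


def build_filter(element, name, values, filter_type="Equals"):
    """One filter clause: facetName is the Feature API name, values are API values."""
    if filter_type not in FILTER_TYPES:
        raise ValueError(f"unsupported filterType {filter_type!r}")
    api_name = resolve_feature(element, name)
    return {"facetName": api_name,
            "values": [to_api_value(element, api_name, v) for v in values],
            "filterType": filter_type}


def build_query(element, filters, custom_fields, limit=1000):
    """Request body for a single-Element query (shape is an assumption, see above)."""
    return {
        "queryPath": [{"requestedType": element, "filters": filters, "isResult": True}],
        "totalResultLimit": limit,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        # every requested result column must itself be a known Feature of the Element
        "customFields": [resolve_feature(element, f) for f in custom_fields],
    }


def tor_egress_query():
    """Hunt: live outgoing TCP connections to an external address tagged as Tor."""
    filters = [
        build_filter("Connection", "Is live connection", [True]),
        build_filter("Connection", "Direction", ["Outgoing", "Outgoing (guessed)"]),
        build_filter("Connection", "Transport protocol", ["TCP"]),
        build_filter("Connection", "Remote address type", ["External"]),
        build_filter("Connection", "connectionToTorAddressEvidence", [True]),
    ]
    return build_query("Connection", filters,
                       ["Owner process", "Remote address", "Remote port", "Domain name"])


if __name__ == "__main__":
    print(json.dumps(tor_egress_query(), indent=2))
```

The type check matters in practice: Python's bool is a subclass of int, so without the explicit guard a filter on remotePort would silently accept True and the server would reject or, worse, misinterpret it. Extending the catalog to other Elements on this page (DNS queries, Detection Events) is a matter of adding their tables to CATALOG; the builder itself does not change.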


Detection Event (EDR)

Use these features as filters for the Detection Event Element:

UI Name

API Name

Type

Description

Application Control blocked application on blocklist

applicationControlMalop

Boolean

Indicates whether the event is the root cause of the Application Control blocked application on blocklist Malop.

Known malware detected by Cybereason Anti-Malware

avDetectionMalop

Boolean

Indicates whether the event is the root cause of the Known Malware detected by Cybereason Anti-Malware Malop.

Connection associated with this event

connection

Array

Collection of connections associated with this event.

Status

decisionStatus

Enum

The status of the detected event. Possible values include:

In the UI:

  • Collected

  • Deleting on restart

  • Detected

  • Disinfected

  • Failed to prevent

  • Failed to quarantine

  • Failed to disinfect

  • Mitigated

  • Prevented

  • Quarantined

  • Unknown

  • Detected

  • Allowlist

In the API:

  • DDS_COLLECTED

  • DDS_DELETE_AFTER_REBOOT

  • DDS_DETECTED

  • DDS_DISINFECTED

  • DDS_FAILED_TO_PREVENT

  • DDS_FAILED_TO_QUARANTINE

  • DDS_FAILURE

  • DDS_MITIGATED

  • DDS_PREVENTED

  • DDS_QURANTINED

  • DDS_UNKNOWN

  • DDS_USER_DETECT_ONLY

  • DDS_WHITELISTED

Engine

detectionEngine

Enum

The detection method that detected the event. Possible values include:

In the UI:

  • Exploit was detected

  • Anti-Virus detected known malware

  • Application control detected malware

  • Behavioral document protection detected unknown malware

  • MSRPC

  • Mobile

  • Fileless malware detected

  • Artificial intelligence detected unknown malware

In the API:

  • AntiExploit

  • AntiVirus

  • ApplicationControl

  • Document

  • MSRPC

  • Mobile

  • Script

  • StaticAnalysis

Detection value

detectionValue

String

The value used in the decision to raise this as a detected event.

Detection type

detectionValueType

Enum

The method the Cybereason platform used to make the decision to raise this as a detected event. Possible values include:

In the UI:

  • Details JSON

  • Domain type

  • File type

  • Module type

  • Signature type

In the API:

  • DVT_DETAILS_JSON

  • DVT_DOMAIN

  • DVT_FILE

  • DVT_MODULE

  • DVT_SIGNATURE

Domain name associated with this event

domain

Array

Collection of domains associated with this event.

Detection event

elementDisplayName

String

The name of the detected event.

Exploitation attempt

exploitAttemptMalop

Boolean

Indicates whether this event is the root cause of the Exploitation attempt Malop.

File associated with this event

file

Array

Collection of files associated with the detected event.

Process used Download and Execute

filelessDownloadAndExecuteMalop

Boolean

Indicates whether this event is the root cause of the Process used Download and Execute Malop.

Download from malicious domain

filelessDownloadMalop

Boolean

Indicates whether the event is the root cause of the Download from malicious domain Malop.

Process ran malicious command

filelessMaliciousContentMalop

Boolean

Indicates whether the event is the root cause of the Process ran malicious command Malop.

Malicious floating module

filelessMaliciousModuleMalop

Boolean

Indicates whether the event is the root cause of the Malicious floating module Malop.

Associated with Malops

hasMalops

Boolean

Indicates whether the event is associated with any Malops.

Associated with suspicions

hasSuspicions

Boolean

Indicates whether the event is associated with any suspicions.

Machines associated with the detection event

machine

Array

Collection of machines associated with the event.

Malicious document detected

maliciousDocumentMalop

Boolean

Indicates whether the event is the root cause of a Malicious document detected Malop.

Owner machine

ownerMachine

String

The machine on which this event was detected.

Owner process

process

String

The process with which this event is associated.

Detection event

relatedToMalop

Boolean

Indicates whether this event is associated with Malops.

Script engine

scriptEngine

Enum

The scripting engine used to trigger this event. Possible values include:

In the UI:

  • Microsoft .NET

  • Microsoft JScript

  • Office Visual Basic for Applications (VBA)

  • Microsoft PowerShell

  • Unknown

  • Microsoft Visual Basic Scripting (VBScript)

  • Windows Management Instrumentation (WMI)

In the API:

  • SE_DOTNET

  • SE_JSCRIPT

  • SE_OFFICE_VBA

  • SE_POWERSHELL

  • SE_UNKNOWN

  • SE_VBSCRIPT

  • SE_WMI

Malware detection by Anti-Malware Artificial Intelligence classification

staticAnalysisDetectionMalop

Boolean

Indicates whether the event is the root cause of the Malware detection by Anti-Malware Artificial Intelligence classification Malop.

Connected user

user

Array

Collection of users associated with the event.


DNS Query Resolved Domain to Domain (EDR)

Use these features to filter for DNS Query Resolved Domain to Domain Elements:

UI Name

API Name

Type

Description

Blocklisted source domain

blacklistSourceDomainEvidence

Boolean

Indicates whether there is evidence that the source domain for the DNS request is a domain on the blocklist.

Blocklisted target domain

blacklistTargetDomainEvidence

Boolean

Indicates whether there is evidence the target domain for the DNS request is a domain on the blocklist.

Malicious source domain

sourceDomainClassificationSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified the source domain for the DNS request as malicious.

Malicious target domain

targetDomainClassificationSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified the target domain for the DNS request as malicious.

Malware source domain

malwareSourceDomainEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service classifies the source domain for the DNS request as malware.

Malware target domain

malwareTargetDomainEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the target domain for the DNS request as malware.

Non-default resolver

nonDefaultResolverEvidence

Boolean

Indicates whether there is evidence that the resolver used for this DNS request is not the default resolver configured on the machine.

Record type

recordType

Enum

The type of DNS record. Possible values include:

In the UI:

  • Domain to IP (A)

  • Domain to Domain (CNAME)

  • IP to Domain (PTR)

  • Mail server domain to IP (MX)

  • Type (HINFO)

  • Type MB

  • Type MD

  • Type MF

  • Type MG

  • Type MINFO

  • Type MR

  • Type NS

  • Type Null

  • Type SOA

  • Type Text

  • Type WKS

  • Unknown

In the API:

  • DNS_RECORD_TYPE_A

  • DNS_RECORD_TYPE_PTR

  • DNS_RECORD_TYPE_MX

  • DNS_RECORD_TYPE_CNAME

  • DNS_RECORD_TYPE_HINFO

  • DNS_RECORD_TYPE_MB

  • DNS_RECORD_TYPE_MD

  • DNS_RECORD_TYPE_MF

  • DNS_RECORD_TYPE_MG

  • DNS_RECORD_TYPE_MINFO

  • DNS_RECORD_TYPE_MR

  • DNS_RECORD_TYPE_NS

  • DNS_RECORD_TYPE_NULL

  • DNS_RECORD_TYPE_SOA

  • DNS_RECORD_TYPE_TEXT

  • DNS_RECORD_TYPE_WKS

  • DNS_RECORD_TYPE_UNKNOWN

Resolvers

resolvers

Array

A collection of resolvers for this DNS query.

Sinkhole source domain

sinkholeSourceDomainEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence classified the source domain for the DNS request as a sinkhole domain.

Sinkhole target domain

sinkholeTargetDomainEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service classified the target domain for the DNS request as a sinkhole domain.

Source domain

sourceDomain

String

The name of the source domain for this DNS request.

Source and target domain

elementDisplayName

String

The DNS address of the source domain and target domain involved in this DNS request.

Target domain

targetDomain

String

The name of the target domain in this DNS request.

TTL range

ttlRange

Enum

The time-to-live (TTL) range for the DNS record. Possible values include:

In the UI:

  • Five minutes

  • Old

  • One day

  • One month

  • One week

  • One year

  • Zero

In the API:

  • FiveMinutes

  • Old

  • OneDay

  • OneMonth

  • OneWeek

  • OneYear

  • Zero

Back to top

DNS Query Resolved Domain to IP (EDR)

Use these features to filter for DNS Query Resolved Domain to IP Elements:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Blocklist domain | blacklistDomainEvidence | Boolean | Indicates whether there is evidence that the domain in this DNS request is a domain on the blocklist. |
| Device configurations that may put corporate and personal data at risk | untrustedProfileEvidence | Boolean | Indicates there is evidence that device configurations may put corporate and personal data at risk. |
| Low max TTL | lowMaxTtlEvidence | Boolean | Indicates whether there is evidence that the response time-to-live (TTL) for this DNS request is low. |
| Domain for DNS request classified as malicious | domainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the domain in this DNS request as malicious. |
| Malware evidence | malwareDomainEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service classified the domain for this DNS request as malware. |
| Network access to a web service that is known to demonstrate malicious behavior | connectionToMaliciousDomainEvidence | Boolean | Indicates there is evidence the device has network access to a web service known by threat intelligence sources to demonstrate malicious behavior. |
| Non-default resolver | nonDefaultResolverEvidence | Boolean | Indicates whether or not the resolver server for this DNS request is the default resolver used by the machine. |
| Record type | recordType | Enum | The type of DNS record. UI values: Domain to IP (A), Domain to Domain (CNAME), Ip to Domain (PTR), Mail server domain to Ip (MX), Type (HINFO), Type MB, Type MD, Type MF, Type MG, Type MINFO, Type MR, Type NS, Type Null, Type SOA, Type Text, Type WKS, Unknown. API values: DNS_RECORD_TYPE_A, DNS_RECORD_TYPE_PTR, DNS_RECORD_TYPE_MX, DNS_RECORD_TYPE_CNAME, DNS_RECORD_TYPE_HINFO, DNS_RECORD_TYPE_MB, DNS_RECORD_TYPE_MD, DNS_RECORD_TYPE_MF, DNS_RECORD_TYPE_MG, DNS_RECORD_TYPE_MINFO, DNS_RECORD_TYPE_MR, DNS_RECORD_TYPE_NS, DNS_RECORD_TYPE_NULL, DNS_RECORD_TYPE_SOA, DNS_RECORD_TYPE_TEXT, DNS_RECORD_TYPE_WKS, DNS_RECORD_TYPE_UNKNOWN. |
| Resolvers | resolvers | Array | A collection of resolvers for this DNS query. |
| Sinkhole domain | sinkholeDomainEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service classified the domain in this DNS request as a sinkhole domain. |
| Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | maliciousPhishingEvidence | Boolean | Indicates there is evidence the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the device user into entering and submitting personal or corporate information. |
| Site designed to secretly hijack the target’s device to mine cryptocurrencies | cryptojackingDomainEvidence | Boolean | Indicates there is evidence the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
| Source domain | sourceDomain | String | The domain name queried in this request. |
| Source domain and target IP | elementDisplayName | String | The source domain and target IP address resolved by the request. |
| Target IP | targetIpAddress | String | The target IP address for this request. |
| TTL Range | ttlRange | Enum | The time-to-live (TTL) range for the DNS record. UI values: Five minutes, Old, One day, One month, One week, One year, Zero. API values: FiveMinutes, Old, OneDay, OneMonth, OneWeek, OneYear, Zero. |

DNS Query Resolved IP to Domain (EDR)

Use these features to filter for DNS Query Resolved IP to Domain Elements:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Blocklist domain | blacklistDomainEvidence | Boolean | Indicates whether there is evidence that the domain in the DNS request resolution is a domain on the blocklist. |
| Has suspicions | hasSuspicions | Boolean | Indicates whether or not the DNS request has any suspicions. |
| IP address | IpAddress | String | The IP address associated with the DNS request. |
| Domain for DNS request classified as malicious | domainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the domain used in this DNS request as malicious. |
| Malware domain | malwareDomainEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the domain in this DNS request as malware. |
| Non Default Resolver | nonDefaultResolverEvidence | Boolean | Indicates whether there is evidence the resolver server for this DNS request is the default resolver used for the machine. |
| Record type | recordType | Enum | The type of DNS record. UI values: Domain to IP (A), Domain to Domain (CNAME), Ip to Domain (PTR), Mail server domain to Ip (MX), Type (HINFO), Type MB, Type MD, Type MF, Type MG, Type MINFO, Type MR, Type NS, Type Null, Type SOA, Type Text, Type WKS, Unknown. API values: DNS_RECORD_TYPE_A, DNS_RECORD_TYPE_PTR, DNS_RECORD_TYPE_MX, DNS_RECORD_TYPE_CNAME, DNS_RECORD_TYPE_HINFO, DNS_RECORD_TYPE_MB, DNS_RECORD_TYPE_MD, DNS_RECORD_TYPE_MF, DNS_RECORD_TYPE_MG, DNS_RECORD_TYPE_MINFO, DNS_RECORD_TYPE_MR, DNS_RECORD_TYPE_NS, DNS_RECORD_TYPE_NULL, DNS_RECORD_TYPE_SOA, DNS_RECORD_TYPE_TEXT, DNS_RECORD_TYPE_WKS, DNS_RECORD_TYPE_UNKNOWN. |
| Resolvers | resolvers | Array | List of resolvers for this DNS record. |
| Sinkhole domain | sinkholeDomainEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service classified the domain used by this DNS request as a sinkhole domain. |
| Source domain | sourceIpAddress | String | The source IP address for this DNS request. |
| Source IP and target domain | elementDisplayName | String | The source domain and target IP address used by this request. |
| Target IP | targetDomain | String | The target domain for this DNS request. |
| TTL Range | ttlRange | Enum | The time-to-live (TTL) range for the DNS record. UI values: Five minutes, Old, One day, One month, One week, One year, Zero. API values: FiveMinutes, Old, OneDay, OneMonth, OneWeek, OneYear, Zero. |

DNS Query Unresolved to Domain (EDR)

Use these features to filter for DNS Query Unresolved to Domain Elements:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Blocklisted domain | blacklistDomainEvidence | Boolean | Indicates whether there is evidence that the domain in this DNS request is a domain on the blocklist. |
| Device configurations that may put corporate and personal data at risk | untrustedProfileEvidence | Boolean | Indicates there is evidence the device has configurations that may put corporate and personal data at risk. |
| Device configurations that may put corporate and personal data at risk | untrustedProfileByDomainSuspicion | Boolean | Indicates there is evidence the device has configurations that may put corporate and personal data at risk. |
| Domain name | sourceDomain | String | The source domain name for this unresolved DNS request. |
| Domain does not exist | confirmedUnresolvedDomainEvidence | Boolean | Indicates whether there is evidence that the DNS request is an unresolved request that reports an error value revealing that the domain does not exist (9003). |
| Error code | errorCode | Integer | The error code returned for the unresolved request. |
| Has Connection To Malicious Domain | connectionToMaliciousDomainEvidence | Boolean | Indicates there is evidence the device has a network connection to a malicious domain. |
| Has Connection To Malicious Domain | connectionToMaliciousDomainSuspicion | Boolean | Indicates the device has a network connection to a malicious domain. |
| Has resolved classification | hasResolvedClassification | Boolean | Indicates whether or not the requested domain in the DNS query has been previously resolved. |
| Is internal domain | isInternalDomain | Boolean | Indicates whether or not the source domain in the DNS request is an internal domain. |
| Domain for DNS request classified as malicious | domainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the unresolved domain in the DNS request as malicious. |
| Malware domain | malwareDomainEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the domain in this DNS request as malware. |
| Never seen resolved in organization | neverSeenResolvedInOrganization | Boolean | Indicates whether the requested domain in the DNS request has ever been resolved in your organization. |
| Never seen resolved second level domain in organization | neverSeenResolvedSecondLevelDomainInOrganization | Boolean | Indicates whether or not the second-level domain in the DNS request has ever been resolved in your organization. |
| Record type | recordType | Enum | The type of DNS record. UI values: Domain to IP (A), Domain to Domain (CNAME), Ip to Domain (PTR), Mail server domain to Ip (MX), Type (HINFO), Type MB, Type MD, Type MF, Type MG, Type MINFO, Type MR, Type NS, Type Null, Type SOA, Type Text, Type WKS, Unknown. API values: DNS_RECORD_TYPE_A, DNS_RECORD_TYPE_PTR, DNS_RECORD_TYPE_MX, DNS_RECORD_TYPE_CNAME, DNS_RECORD_TYPE_HINFO, DNS_RECORD_TYPE_MB, DNS_RECORD_TYPE_MD, DNS_RECORD_TYPE_MF, DNS_RECORD_TYPE_MG, DNS_RECORD_TYPE_MINFO, DNS_RECORD_TYPE_MR, DNS_RECORD_TYPE_NS, DNS_RECORD_TYPE_NULL, DNS_RECORD_TYPE_SOA, DNS_RECORD_TYPE_TEXT, DNS_RECORD_TYPE_WKS, DNS_RECORD_TYPE_UNKNOWN. |
| Resolvers | resolvers | Array | A collection of resolvers used in this DNS query. |
| Sinkhole domain | sinkholeDomainEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the domain in this DNS request as a sinkhole domain. |
| Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | maliciousPhishingEvidence | Boolean | Indicates there is evidence the device visited a site designed (through the use of what appears to be a trusted web form) to deceive users into entering and submitting sensitive personal information. |
| Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | maliciousPhishingSuspicion | Boolean | Indicates the device visited a site designed (through the use of what appears to be a trusted web form) to deceive users into entering and submitting sensitive personal information. |
| Site designed to secretly hijack the target’s device to mine cryptocurrencies | cryptojackingDomainEvidence | Boolean | Indicates there is evidence the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
| Site designed to secretly hijack the target’s device to mine cryptocurrencies | cryptojackingDomainSuspicion | Boolean | Indicates the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
| Source domain | elementDisplayName | String | The source domain whose query did not receive a resolution. |

DNS Query Unresolved to IP (EDR)

Use these features to filter for DNS Query Unresolved to IP Elements:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Error code | errorCode | String | The error code returned for the unresolved DNS request. |
| Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the unresolved DNS request for this IP address is associated with any suspicions. |
| Record type | recordType | Enum | The type of DNS record. UI values: Domain to IP (A), Domain to Domain (CNAME), Ip to Domain (PTR), Mail server domain to Ip (MX), Type (HINFO), Type MB, Type MD, Type MF, Type MG, Type MINFO, Type MR, Type NS, Type Null, Type SOA, Type Text, Type WKS, Unknown. API values: DNS_RECORD_TYPE_A, DNS_RECORD_TYPE_PTR, DNS_RECORD_TYPE_MX, DNS_RECORD_TYPE_CNAME, DNS_RECORD_TYPE_HINFO, DNS_RECORD_TYPE_MB, DNS_RECORD_TYPE_MD, DNS_RECORD_TYPE_MF, DNS_RECORD_TYPE_MG, DNS_RECORD_TYPE_MINFO, DNS_RECORD_TYPE_MR, DNS_RECORD_TYPE_NS, DNS_RECORD_TYPE_NULL, DNS_RECORD_TYPE_SOA, DNS_RECORD_TYPE_TEXT, DNS_RECORD_TYPE_WKS, DNS_RECORD_TYPE_UNKNOWN. |
| Resolvers | resolvers | Array | List of resolvers for this unresolved DNS query. |
| Source IP | sourceIPAddress | String | The IP address queried in this unresolved DNS request. |
| Source IP address | elementDisplayName | String | The IP address used in this unresolved DNS request. |

Domain Name (EDR)

Use these features to filter for Domain Name Elements:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Domain on blocklist | blacklistDomainEvidence | Boolean | Indicates whether there is evidence the domain is a domain on the blocklist. |
| Blocklisted domain | blacklistDomainSuspicion | Boolean | Indicates whether or not the domain is a domain on the blocklist. |
| Classification comment | classificationComment | String | The comment a user added when providing the domain classification. |
| Classification link | classificationLink | String | The link to the domain classification source. |
| Classification user | classificationUser | String | The user who gave the domain classification. |
| Device configurations that may put corporate and personal data at risk | untrustedProfileEvidence | Boolean | Indicates there is evidence the device has configurations that may put corporate and personal data at risk. |
| Device configurations that may put corporate and personal data at risk | untrustedProfileSuspicion | Boolean | Indicates the device has configurations that may put corporate and personal data at risk. |
| Domain name | elementDisplayName | String | The name of the domain. |
| Ever resolved domain | everResolvedDomainEvidence | Boolean | Indicates whether there is evidence the domain has been resolved in your organization. |
| Ever resolved second level domain | everResolvedSecondLevelDomainEvidence | Boolean | Indicates whether there is evidence the second level domain for this domain has been resolved in your organization. |
| Good domain | isGoodDomainEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service classifies the domain as safe. |
| Has resolved classification evidence | hasResolvedClassificationEvidence | Boolean | Indicates whether there is evidence the domain has been previously resolved. |
| Has suspicions | hasSuspicions | Boolean | Indicates whether or not the domain is associated with suspicions. |
| Indifferent domain | isIndifferentDomainEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service recognizes this domain as not malicious. |
| Is internal domain | isInternalDomain | Boolean | Indicates whether the domain is an internal domain. |
| Is internal second level domain | isInternalSecondLevelDomain | Boolean | Indicates whether the domain is directly below the top level domain in the DNS hierarchy. |
| Is reverse lookup | isReverseLookup | Boolean | Indicates whether the domain has a reverse lookup. |
| Is torrent domain | isTorrentDomain | Boolean | Indicates whether the domain is a torrent domain. |
| Malicious domain | isMaliciousDomainEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the domain as malicious. |
| Malicious domain | malwareClassificationEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the domain as malware. |
| Malicious domain | domainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the domain as suspicious. |
| Malware domain | domainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the domain as malware. |
| Name | name | String | The name of the domain. |
| Network access to a web service that is known to demonstrate malicious behavior | connectionToMaliciousDomainEvidence | Boolean | Indicates there is evidence the device has a network connection to a web service that is known by threat intelligence services to be malicious. |
| Network access to a web service that is known to demonstrate malicious behavior | connectionToMaliciousDomainSuspicion | Boolean | Indicates the device has a network connection to a web service that is known by threat intelligence services to be malicious. |
| Related to Malop | relatedToMalop | Boolean | Indicates whether or not the domain is associated with a Malop. |
| Reputation | maliciousClassificationType | Enum | The reputation for the domain. UI values: Blocklisted, Detected by Anti-Malware, Hacking Tool, Malicious tool, Malware, Neutral, None found, Ransomware, Sinkholed domain, Suspicious, Unknown, Unresolved domain, Unwanted program, Allowlisted. API values: Blacklist, av_detected, hacktool, maltool, malware, indifferent, no_type_found, ransomware, sinkholed, suspicious, unknown, unresolved, unwanted, whitelist. |
| Second level domain | secondLevelDomain | String | The name of the second level domain for this domain. |
| Sinkhole domain | sinkholedClassificationEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the domain as a sinkhole domain. |
| Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | maliciousPhishingEvidence | Boolean | Indicates there is evidence the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the device user into entering and submitting sensitive personal or corporate information. |
| Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | maliciousPhishingSuspicion | Boolean | Indicates the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the device user into entering and submitting sensitive personal or corporate information. |
| Site designed to secretly hijack the target’s device to mine cryptocurrencies | cryptojackingDomainEvidence | Boolean | Indicates there is evidence the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
| Site designed to secretly hijack the target’s device to mine cryptocurrencies | cryptojackingDomainSuspicion | Boolean | Indicates the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
| Suspicious domain | isSuspiciousDomainEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service classified the domain as suspicious. |
| Top level domain | topLevelDomain | String | The name of the top level domain (TLD) of this domain. |
| Unknown domain | isUnknownDomainEvidence | Boolean | Indicates whether there is evidence the domain is known by the Cybereason threat intelligence service. |
| URL for domain name | url | String | The URL associated with the domain name. |
| Was ever resolved | everResolvedDomain | Boolean | Indicates whether the domain was resolved in your organization. |
| Was ever resolved as a second level domain | everResolvedSecondLevelDomain | Boolean | Indicates whether the second level domain for this domain has been resolved in your organization. |

Driver (EDR)

Use these features to filter for Driver Elements:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Driver filename | name | String | The name of the file executing the driver. |
| Driver name | elementDisplayName | String | The name of the driver. |
| File | file | String | The file that created the driver. |
| Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the driver is associated with any Suspicions. |
| Known malicious driver | knownMaliciousDriverFileEvidence | Boolean | Indicates whether there is evidence the file running the driver is classified as a file for a known malicious driver. |
| Malicious driver | knownMaliciousDriver | Boolean | Indicates whether the Cybereason threat intelligence service recognizes the driver as malicious. |
| Malicious tool driver | maliciousToolDriverEvidence | Boolean | Indicates whether there is evidence that the driver is a driver for a known malicious tool. |
| Driver executed by malicious tool | maliciousToolDriverSuspicion | Boolean | Indicates whether the driver is a driver for a known malicious tool. |
| Malware driver | malwareDriverEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classifies the driver as a driver for malware. |
| Driver executed by malicious tool | malwareDriverSuspicion | Boolean | Indicates whether the driver is a driver for malware. |
| New driver | newDriverEvidence | Boolean | Indicates whether there is evidence the driver was detected for the first time in your environment. |
| New drivers count is above threshold | newDriversAboveThresholdEvidence | Boolean | Indicates whether there is evidence the number of times the new driver appears exceeds an internal threshold (calculated as number of appearances per time period). |
| Owner machine | ownerMachine | String | The machine to which this driver belongs. |
| Rare driver | rareDriverEvidence | Boolean | Indicates whether there is evidence the driver appears significantly less often than other drivers in the environment. |
| Service | service | String | The name of the service that loaded the driver. |
| Driver for Potentially Unwanted Program (PUP) | unwantedDriverEvidence | Boolean | Indicates whether there is evidence the driver is a driver for a potentially unwanted program (PUP). |
| Unwanted driver suspicion | unwantedDriverSuspicion | Boolean | Indicates whether the driver is suspected of being a driver for a potentially unwanted program (PUP). |

Email Address (XDR)

Use these features to filter for the Email Address Element:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Address name | address | String | The email address string. |
| Address type | type | String | The type of email address. UI values: Distribution list, Mailbox. API values: DISTRIBUTION_LIST, MAILBOX. |
| Is an external address | isExternal | Boolean | Indicates whether this email message is a message to an external address. |
| Recipient addresses for message | messageRecipientAddresses | String | A list of email addresses to whom a message was sent. |
| Sender address for message | messageSenderAddress | String | The email address of a message sender. |
| Users | users | Collection | List of all user accounts associated with this email address. |
| User accounts | userEmailAddresses | Array | A collection of user accounts associated with the email address. |

Event (XDR)

Use these features to filter for the Event Element:

| UI Name | API Name | Type | Description |
|---|---|---|---|
| Action taken | action | String | The specific action taken for the event by the product that reported the event. UI values: Unspecified, Allowed, Blocked, Allowed with modification, Quarantine, Failed, Alert, Delete. API values: UNKNOWN_ACTION, ALLOW, BLOCK, ALLOW_WITH_MODIFICATION, QUARANTINE, FAIL, ALERT, DELETE. |
| Alert name | alertName | String | The product-specific name of the alert associated with this event. |
| Alert/Rule ID | alertId | String | The product-specific alert/rule ID for the event. |
| ATT&CK sub-technique for event | subTechniques | String | MITRE ATT&CK sub-techniques associated with the event. |
| ATT&CK tactic for event | tactic | String | MITRE ATT&CK tactics associated with the event. |
| ATT&CK technique for event | techniques | String | MITRE ATT&CK techniques associated with the event. |
| Authentication details | authDetails | String | Product-defined details for the authentication associated with this event, from the source that reported the event. |
| Authentication mechanism | authMechanism | String | The authentication mechanism used by the event. |
| Authentication type | userAgent | String | The system type for authentication. |
| Browser | userAgentBrowser | String | The browser used by the user associated with this event. |
| Connection | connection | String | The connection associated with this event. |
| Creation time | creationTime | Long | The time when the event was created in the vendor platform. |
| Data source category | dataSourceCategory | String | The product/vendor for the event. |
| Display string | displayString | String | The display name of the event. |
| Event data source | dataSource | String | The data source for the event, which combines the company name and product name. |
| Event description | description | String | Description of the event from the event source. |
| IP address for the event originator | sourceIpAddress | IP address | The IP address for the entity that initiated the event. |
| Event rule type tag | tagType | String | A product-specific tag added by the product/vendor that generated this event. |
| Messages | message | Array | A collection of messages associated with the event. |
| Observer hostname | observerHostname | String | The exact hostname of the observer of the event. This name is a concatenation of vendor name, product name, type and sensor. |
| Outcome description for event | outcomeDescription | String | The outcome of the event as reported by the product/vendor for the event. |
| Product-specific action description | actionDetails | String | The unique description for the event from the product that reported the event. |
| eventId | eventId | String | The product-specific event identifier taken from the source that reported the event. |
| Product-specific event category | categoryDetails | String | The event category taken from the product/vendor for the event. |
| Product-specific event severity | severityDetails | String | The unique details for the severity of the event from the product that reported the event. |
| Product-specific rule ID | ruleId | String | A unique ID from the product that reported the event. |
| Product-specific rule name | ruleName | String | The unique name for the rule from the product that reported the event. |
| Product-specific rule type | ruleType | String | The unique type for the rule from the product that reported the event. |
| Product-specific classification for event | malwareName | String | The unique classification from the product that reported the event. |
| Product-specific type of event | typeDetails | String | The product-specific name or type of event from the event source. |
| Resource associated with event target | targetResource | String | The resource associated with the event target. |
| Security category for event | category | String | The category for the event. |
| Session ID for user access | accessSessionId | String | The session ID for the event. |
| Severity of event | severity | String | The unique severity for the event from the product that reported the event. |
| Software category | softwareCategories | String | The software category that reported the event. |
| Source file for event | sourceFile | String | The name of the file that is associated with the event. |
| Source identity | sourceUserIdentity | String | The user identity associated with this event. |
| Source machine | sourceMachine | String | The machine associated with the event. |
| Summary of event | summary | String | The unique summary for the event from the product that reported the event. |
| Target file for event | targetFile | String | The name of the file that is the target of the event. |
| Target group associated with event | targetGroup | String | The group associated with this event. |
| Target identity | targetUserIdentity | String | The user identity that was the target for this event. |
| Target of event | victimHost | String | The target machine for the event. |
| Victim user in the event | victimUserIdentity | String | The user identity associated with the target of the event. |
| Timestamp of event | time | Timestamp | The date and time when the event was created. |
| Type of event | type | String | The event type. |
| User account associated with event originator | sourceUser | String | The user account associated with the entity that initiated the event. |
| User account associated with event target | targetUser | String | The user account associated with the target of this event. |
| User agent for event | authType | String | The system type for authentication. |
| User initiating the event | performerUserIdentity | String | The user identity associated with the entity that initiated the event. |
| User performing the event | performerHost | String | The name of the machine that is the original initiator of the event. |

File and Image file (EDR)

Use these features to filter for File or Image file Elements. Note that there is no name differentiation in the API:

UI Name

API Name

Type

Description

Apps that are not installed through official channels

sideloadedAppEvidence

Boolean

Indicates there is evidence the device has apps not installed through official channels, and are unlikely to have gone through the rigorous quality checks expected of an app store release and therefore may be poorly written or malicious

Apps that are not installed through official channels

sideloadedAppSuspicion

Boolean

Indicates the device has apps not installed through official channels, and are unlikely to have gone through the rigorous quality checks expected of an app store release and therefore may be poorly written or malicious

App-based communication that includes a credit card number in an unencrypted (or easily decrypted) format

creditCardDataLeakEvidence

Boolean

Indicates there is evidence the device has app-based communication that includes credit card numbers in an unencrypted or easily decrypted format

App-based communication that includes a credit card number in an unencrypted (or easily decrypted) format

creditCardDataLeakSuspicion

Boolean

Indicates the device has app-based communication that includes credit card numbers in an unencrypted or easily decrypted format

App-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise

passwordDataLeakEvidence

Boolean

Indicates there is evidence the device has app-based communication with a password in an unencrypted or easily decrypted format

App-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) format

userInformationDataLeakEvidence

Boolean

Indicates there is evidence the device has app-based communication with an identifiable service user name in an unencrypted or easily decrypted format

App-based communication that includes the device’s physical geo-location in an unencrypted (or easily decrypted) format

locationDataLeakEvidence

Boolean

Indicates the device has app-based communication with the device physical geo-location in an unencrypted or easily decrypted format

App-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format

exposedEmailEvidence

Boolean

Indicates the device has app-based communication with an email address in an unencrypted or easily decrypted format.

Associated Registry entries

autoruns

Array

All registry keys associated with this file

Benign

indifferentClassificationEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service identified the file as malicious

Blocklist file

blacklistClassificationEvidence

Boolean

Indicates whether there is evidence the file is a file on the blocklist

File on blocklist

blackListedFileSuspicion

Boolean

Indicates whether the file is a file on the blocklist

Canonized path

canonizedPath

String

The canonized path of the file

Comments

comments

String

Comments in the file metadata

Company name

companyName

String

Company name as noted in the file

Creation quarantine action

fileIsQuarantinedVersion

String

The quarantine action that created the quarantine version of the file

Document contains macro

documentHasMacroEvidence

String

Indicates whether there is evidence the document contains macros

Document contains autorun macro

documentHasAutorunMacroEvidence

String

Indicates whether there is evidence the document contains macros that run automatically when opening the file

Document contains Dynamic Data Exchange (DDE)

documentHasDDEEvidence

Boolean

Indicates whether there is evidence the document uses Dynamic Data Exchange (DDE) technology

Document contains Dynamic Data Exchange (DDE)

documentHasDDESuspicion

Boolean

Indicates whether the document uses Dynamic Data Exchange (DDE) technology and was identified as suspicious

Document contains dropper macro

documentHasDropperMacroSuspicion

Boolean

Indicates whether the document contains a macro that installs malware

Document contains malformed header

documentHasMalformedHeaderEvidence

Boolean

Indicates whether there is evidence the document contains malformed headers that might be exploited to spread malware

Document contains malformed header

documentHasMalformedHeaderSuspicion

Boolean

Indicates whether the document contains malformed headers and is suspected of exploiting this vulnerability to spread malware

Document contains obfuscated macro

documentHasObfuscatedMacroSuspicion

Boolean

Indicates whether the document contains a macro that was deliberately obfuscated

Document contains suspicious embedded object

documentHasSuspiciousEmbeddedObjectEvidence

Boolean

Indicates whether there is evidence the document contains an embedded object that might be suspicious

Document contains suspicious embedded object

documentHasSuspiciousEmbeddedObjectSuspicion

Boolean

Indicates whether the document contains an embedded object that is most likely to be malicious

Downloaded from domain

downloadedFromDomain

String

The domain from which the file was downloaded

Downloaded from Internet

isDownloadedFromInternet

Boolean

Indicates whether the file was originally downloaded from the Internet

Downloaded from IP address

downloadedFromIpAddress

Boolean

Indicates whether the file origin is an IP address from which the file was downloaded

Dual extension on file name

dualExtensionEvidence

Boolean

Indicates whether there is evidence the file has two extensions

Email message ID

downloadedFromEmailMessageId

String

The server’s email message ID

Email subject

downloadedFromEmailSubject

String

The email subject

Executable

isPEFile

Boolean

Indicates whether or not the file is a PE module

Executed by Process

executedByProcessEvidence

Boolean

Indicates whether there is evidence the file was executed as the image file of a process

Extension type

extensionType

String

Type of file extension. Possible values include:

In the UI:

  • Application

  • Application Data

  • Archive

  • Audio File

  • Certificate

  • Compressed Archive

  • Configuration File

  • Database

  • Developer File

  • Disk Image

  • Document

  • Executable

  • Image

  • Installer

  • Mail File

  • None

  • Personal Data

  • Plugin

  • Script File

  • System File

  • Text File

  • Video File

  • Web Document

  • Web Executable

  • Windows System File

In the API:

  • APPLICATION

  • APPLICATION_DATA

  • ARCHIVE

  • DOCUMENT_AUDIO

  • CERTIFICATE

  • APPLICATION_CONFIG

  • ARCHIVE_COMPRESSED

  • DATABASE

  • DOCUMENT_DEVELOPER

  • ARCHIVE_DISKIMAGE

  • DOCUMENT

  • EXECUTABLE

  • DOCUMENT_IMAGE

  • DOCUMENT_MAIL

  • EXECUTABLE_INSTALLER

  • NONE

  • DOCUMENT_PERSONALINFORMATION

  • EXECUTABLE_PLUGIN

  • EXECUTABLE_SCRIPT

  • SYSTEM

  • DOCUMENT_TEXT

  • DOCUMENT_VIDEO

  • DOCUMENT_WEB

  • EXECUTABLE_WEB

  • EXECUTABLE_WINDOWS

  • SYSTEM_WINDOWS

File description

fileDescription

String

Description of file as noted inside the file

File events

fileAccessEvents

String

File access events

File hash value

fileHash

String

The file hash value for the file.

Unverifiable signature

maliciousSignedUnverifiedSuspicion

Boolean

Indicates whether the file has an unverifiable signature that indicates malicious interference with the image file or the certificate used to sign the image file

File is signed

signedInternalOrExternal

Boolean

Indicates that the file was signed by the sensor or by the Cybereason threat intelligence service

Unsigned version of signed file

unsignedHasSignedVersionEvidence

Boolean

Indicates whether there is evidence the file is signed but not verified, indicating a potentially altered file.

File name

elementDisplayName

String

Full name of the file, including extension

Suspicious or malicious reputation

fileReputationSuspicion

Boolean

Indicates whether the file has a suspicious or malicious reputation

File version

fileVersion

String

File version noted inside the file

Possible camouflaged file

fileVersionSuspicion

Boolean

Indicates whether the file’s version raises a suspicion that could lead to a Malop

Found in a registry entry

hasAutorun

Boolean

Indicates whether the file was found in one of the machine’s registry entries

Hacking tool

hackingToolClassificationEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service identified the file as a hacking tool

Has classification

hasClassification

Boolean

Indicates whether the Cybereason threat intelligence service sources classified this file in some way

Has Malops

hasMalops

Boolean

Indicates whether or not the file is associated with any Malops

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the file is associated with any Suspicions

Internal/External Signer

signerInternalOrExternal

String

The signer of the file, taken from the sensor or from VirusTotal

Internal name

internalName

String

Internal name noted inside the file

Is installer

isInstallerProperties

Boolean

Indicates whether or not the file is a known installer

Is suspicious

isSuspicious

Boolean

Indicates whether or not the file is suspicious

Legal copyright

legalCopyright

String

Legal copyright noted inside the file

Legal trademarks

legalTrademarks

String

Legal trademarks noted inside the file

Legitimate classification

hasLegitClassificationEvidence

Boolean

Indicates whether there is evidence the file has a legitimate classification

Located on removable device

isFromRemovableDevice

Boolean

Indicates whether the file is located on a removable device

Machine

ownerMachine

String

The machine on which this file is found

Malformed elf file

malformedElfFileEvidence

Boolean

Indicates whether there is evidence the file is a malformed ELF binary

Malicious application that demonstrates harmful behavior and disrupts the device

appMaliciousEvidence

Boolean

Indicates there is evidence the device has a malicious application demonstrating harmful behavior that disrupts the device.

Malicious application that demonstrates harmful behavior and disrupts the device

appMaliciousSuspicion

Boolean

Indicates the device has a malicious application demonstrating harmful behavior that disrupts the device.

Detected by Anti-Malware

reportedByAntiMalwareSuspicion

Boolean

Indicates whether Cybereason Anti-Malware identified this file as malicious

Detected by Anti-Malware evidence

reportedByAntiMalwareEvidence

Boolean

Indicates whether there is evidence Cybereason Anti-Malware identified this file as malicious

Malicious file by Anti-Malware

reportedAsMaliciousByAVSuspicion

Boolean

Indicates whether Anti-Malware Signatures analysis detected this file as malicious

Malicious file by Anti-Malware evidence

reportedAsMaliciousByAVEvidence

Boolean

Indicates whether there is evidence Anti-Malware Signatures analysis detected this file as malicious

Malicious tool

maliciousToolClassificationEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service identified the file as a malicious tool

Malware

malwareClassificationEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service identified the file as malware

Malware that aggressively displays ads, negatively affecting user productivity and device performance

maliciousPupAppEvidence

Boolean

Indicates there is evidence the device has malware that is aggressively displaying ads which affects the user productivity and device performance

Malware that aggressively displays ads, negatively affecting user productivity and device performance

maliciousPupAppSuspicion

Boolean

Indicates the device has malware that is aggressively displaying ads which affects the user productivity and device performance

Malware that attempts to obtain escalated system privileges

adminAppEvidence

Boolean

Indicates there is evidence the device has malware which attempts to obtain administrative privileges.

Malware that attempts to obtain escalated system privileges

adminAppSuspicion

Boolean

Indicates the device has an app that attempts to gain higher privileges.

Malware that attempts to obtain escalated system privileges

privEscAppMaliciousEvidence

Boolean

Indicates there is evidence the device has an app that attempts to gain higher privileges.

Malware that attempts to obtain escalated system privileges

privEscAppMaliciousSuspicion

Boolean

Indicates the device has an app that attempts to gain higher privileges.

Malware that blocks access to a device until a ransom is paid

maliciousRansomwareAppEvidence

Boolean

Indicates there is evidence the device has malware that blocks the access to the device until the device owner pays a ransom.

Malware that blocks access to a device until a ransom is paid

maliciousRansomwareAppSuspicion

Boolean

Indicates the device has malware that blocks the access to the device until the device owner pays a ransom.

Malware that causes SMS related charges

maliciousSMSAppEvidence

Boolean

Indicates there is evidence the device has malware that results in SMS-related charges for the device.

Malware that causes SMS related charges

maliciousSMSAppSuspicion

Boolean

Indicates the device has malware that results in SMS-related charges for the device.

Malware that is monitoring and collecting information about a user and the device

maliciousSpywareAppEvidence

Boolean

Indicates there is evidence the device has malware that monitors and collects information about the device and the device user.

Malware that is monitoring and collecting information about a user and the device

maliciousSpywareAppSuspicion

Boolean

Indicates the device has malware that monitors and collects information about the device and the device user.

Malware that obtains unauthorized access to the person’s mobile device

maliciousTrojanAppEvidence

Boolean

Indicates there is evidence the device has malware that obtains unauthorized access to a device.

Malware that obtains unauthorized access to the person’s mobile device

maliciousTrojanAppSuspicion

Boolean

Indicates the device has malware that obtains unauthorized access to a device.

Malware that steals bank credentials

maliciousBankerAppEvidence

Boolean

Indicates there is evidence the device has malware that steals bank credentials.

Malware that steals bank credentials

maliciousBankerAppSuspicion

Boolean

Indicates the device has malware that steals bank credentials.

Marked for prevention

classificationBlocking

Boolean

Indicates whether the file is marked for prevention

File masquerading as video

masqueradingAsMovieEvidence

Boolean

Indicates whether there is evidence the file is masquerading as a video file

MD5 signature

md5String

String

The file’s MD5 signature

MIME file type

extensionType

String

The MIME type for the file, such as PE, PDF, or PowerShell script

Mimikatz resemblance evidence

mimikatzResourceEvidence

Boolean

Indicates whether there is evidence a file displays Mimikatz characteristics

Mimikatz resemblance

mimikatzSuspicion

Boolean

Indicates whether the file contains suspicions triggered by Mimikatz resources

Mount point

mount

String

The file’s mount point

Mounted as

mountedAs

String

What the file is mounted as

Multiple company names

multipleCompanyNamesEvidence

Boolean

Indicates whether there is evidence the file properties contain multiple company names

Multiple hashes for same file path and PE information

multipleHashForUnsignedPeInfoEvidence

Boolean

Indicates whether there is evidence the system identified multiple hashes for files with the same path and PE information

Non-legitimate classification

hasNonLegitClassificationEvidence

Boolean

Indicates whether there is evidence the file has a classification that is not legitimate

File obscuring file extension

hiddenFileExtensionEvidence

Boolean

Indicates whether there is evidence there was an attempt to hide the file extension from the user

Original file

originalVersion

String

The original version of this quarantined file

Original file name

originalFileName

String

The name with which the file first appeared

Path

correctedPath

String

Path to this file

Path

path

String

Path to this file

Potentially unwanted program

unwantedClassificationEvidence

Boolean

Indicates whether there is evidence Cybereason identified the file as a potentially unwanted program

Private build marker

privateBuild

String

The private build marker noted inside the file

Attempt to execute malicious file

attemptExecutionProcessEvidence

Boolean

Indicates whether there is evidence that the process attempted to execute a malicious file

Process(es) attempted to execute malicious file

attemptExecutionProcessSuspicion

Boolean

Indicates whether there is suspicion that the process attempted to execute a malicious file

Product name

productName

String

The product name noted inside the file

Product title

productTitle

String

The product title associated with this file

Product type

productType

String

The product type associated with this file. Possible values include:

In the UI

  • Adobe

  • Antivirus

  • Browser

  • Csrss (deprecated)

  • Explorer

  • IT Tools (deprecated)

  • Lsass

  • Mail

  • Microsoft Office

  • Not specific

  • OS process

  • Peer to Peer

  • Remote Desktop

  • RunAs

  • RunDll

  • SVC Host

  • Scheduled task

  • Security tool

  • Sharing

  • Shell

  • Tor

  • Unrecognized

  • VPN

  • Virtualization

  • Wininit

  • WsmProvHost

In the API:

  • ADOBE

  • ANTI-VIRUS

  • BROWSER

  • CSRSS (deprecated)

  • EXPLORER

  • IT_TOOLS (deprecated)

  • MAIL

  • LSASS

  • MS_OFFICE

  • NONE

  • OS_PROCESS

  • P2P

  • REMOTE_DESKTOP_CONTROL

  • RUNAS

  • RUNDLL

  • SVCHOST

  • SCHEDULED_TASK

  • SECURITY_TOOL

  • SHARING

  • SHELL

  • TOR

  • UNRECOGNIZED

  • VPN

  • VIRTUALIZATION

  • WININIT

  • WSMPROVHOST

Product version

productVersion

String

The product version noted inside the file metadata.

Quarantine actions

fileIsQuarantined

Array

A collection of quarantine actions applied on the original version of the file.

Quarantined file

quarantineVersion

String

The quarantined version of this file.

Ransomware

ransomwareClassificationEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the file as ransomware.

Recognized product

identifiedProductEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service noted the file is associated with a recognized application.

Registry key

autorun

String

Collection of registry keys associated with this file.

Related to Malop

relatedToMalop

Boolean

Indicates whether or not the file is related to a Malop.

Meterpreter executable

meterpreterX86executableEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service identified remote malicious tool resources.

Reputation type

maliciousClassificationType

Enum

The reputation of the file based on Cybereason intelligence feeds and user classification. Possible values include:

In the UI:

  • Blocklisted

  • Detected by Anti-Malware

  • Hacking Tool

  • Malicious tool

  • Malware

  • Neutral

  • None found

  • Ransomware

  • Sinkholed domain

  • Suspicious

  • Unknown

  • Unresolved domain

  • Unwanted program

  • Allowlisted

In the API:

  • blocklist

  • av_detected

  • hacktool

  • maltool

  • malware

  • indifferent

  • no_type_found

  • ransomware

  • sinkholed

  • suspicious

  • unknown

  • unresolved

  • unwanted

  • whitelist

Used Windows RTL vulnerability evidence

rightToLeftFileExtensionEvidence

Boolean

Indicates whether there is evidence there was an attempt to hide the file extension using the Windows RTL vulnerability

Second extension type

secondExtensionType

Enum

Type of file extension for the second extension. Possible values include:

In the UI:

  • Application

  • Application Data

  • Archive

  • Audio File

  • Certificate

  • Compressed Archive

  • Configuration File

  • Database

  • Developer File

  • Disk Image

  • Document

  • Executable

  • Image

  • Installer

  • Mail File

  • None

  • Personal Data

  • Plugin

  • Script File

  • System File

  • Text File

  • Video File

  • Web Document

  • Web Executable

  • Windows System File

In the API:

  • APPLICATION

  • APPLICATION_DATA

  • ARCHIVE

  • DOCUMENT_AUDIO

  • CERTIFICATE

  • APPLICATION_CONFIG

  • ARCHIVE_COMPRESSED

  • DATABASE

  • DOCUMENT_DEVELOPER

  • ARCHIVE_DISKIMAGE

  • DOCUMENT

  • EXECUTABLE

  • DOCUMENT_IMAGE

  • DOCUMENT_MAIL

  • EXECUTABLE_INSTALLER

  • NONE

  • DOCUMENT_PERSONALINFORMATION

  • EXECUTABLE_PLUGIN

  • EXECUTABLE_SCRIPT

  • SYSTEM

  • DOCUMENT_TEXT

  • DOCUMENT_VIDEO

  • DOCUMENT_WEB

  • EXECUTABLE_WEB

  • EXECUTABLE_WINDOWS

  • SYSTEM_WINDOWS

Sender email address

downloadedFromEmailFrom

String

The email address of the sender who sent the email from which this file was downloaded

SHA1 Signature

sha1String

Long

The file’s SHA1 signature

SHA256 Signature

sha256String

Long

The file’s SHA-256 signature

Broken link in chain of trust

signatureVerificationStatusBadChainOfTrustEvidence

Boolean

Indicates whether there is evidence of one of the following issues during chain of trust verification: the chain of trust could not be established to a root certificate, the chain of trust was built to a root certificate that is not known or recognized as trusted on the local machine, or the chain of trust is broken

Unverified signature by technical failure

signatureVerificationStatusTechnicalFailureEvidence

Boolean

Indicates whether there is evidence of a technical failure that prohibited completion of the verification process

Expired signature

signatureVerificationStatusExpiredEvidence

Boolean

Indicates whether there is evidence that any of the signing certificates in the chain of trust has expired

Revoked signature

signatureVerificationStatusExplicitlyRevokedEvidence

Boolean

Indicates whether there is evidence that any of the signing certificates in the chain of trust has been explicitly revoked

Mismatched signature

signatureVerificationStatusHashMismatchEvidence

Boolean

Indicates whether there is evidence the file signature hash does not match the file contents

Misused signature

signatureVerificationStatusMisuseEvidence

Boolean

Indicates whether there is evidence the certificate has been misused

Unknown root certificate

signatureVerificationStatusUnrecognizedRootEvidence

Boolean

Indicates whether there is evidence that the root certificate is unknown, even if the chain of trust is verified

User distrust

signatureVerificationStatusUserDistrustEvidence

Boolean

Indicates whether there is evidence the user did not trust the certificate during an interactive session

Signature verified

signatureVerified

Boolean

Indicates whether the file signature was positively verified

Signature verified

signatureVerifiedInternalOrExternal

Boolean

Indicates whether the signature was verified in PROV or in VirusTotal

Signed

isSigned

Boolean

Indicates whether or not the file is security signed

Signer

signer

String

The signer of the file

Signed by Apple

signedByApple

Boolean

Indicates whether the file is signed by Apple

Signed by Cybereason

signedByCybereason

Boolean

Indicates whether the file is signed by Cybereason

Signed by Linux

signedByLinux

Boolean

Indicates whether the file is signed by Linux

Signed by Microsoft

signedByMicrosoft

Boolean

Indicates whether the file is signed by Microsoft

Signed by Operating System

signedByOperatingSystem

Boolean

Indicates whether the file is signed by the operating system

Size

size

Long

The file’s size

Special build

specialBuild

String

The special build marker noted inside the file

Suspicious screen saver

suspiciousClassificationEvidence

Boolean

Indicates whether there is evidence the file is a screen-saver that Cybereason identified as suspicious

Suspicious screen saver

suspiciousScreenSaver

Boolean

Indicates whether the file is located in a temporary folder

Temporary folder

temporaryFolderEvidence

Boolean

Indicates whether there is evidence the file is located in a temporary folder

The file’s origin URL

downloadedFromUrlReferrer

String

URL from which the file originated

The file’s referral URL

downloadedFromUrlReferrer

String

URL referring to the file’s URL

Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior

appDownloadedFromThirdPartyStoreEvidence

Boolean

Indicates there is evidence the device has an app downloaded from a third-party app store

Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior

appDownloadedFromThirdPartyStoreSuspicion

Boolean

Indicates the device has an app downloaded from a third-party app store

Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior

thirdPartyAppStoreEvidence

Boolean

Indicates there is evidence the device has an app that is from a third-party app store instead of the official device app store

Unknown and unclassified

unknownClassificationEvidence

Boolean

Indicates whether there is evidence the file is found in the platform’s software databases

Unsigned

signatureVerificationStatusNotSignedEvidence

Boolean

Indicates whether there is evidence the file is signed

Unsigned file

unknownUnsignedEvidence

Boolean

Indicates whether there is evidence the file is signed

Unsigned file with a known signed version

unsignedHasSignedVersion

Boolean

Indicates whether the file is signed even though a signed version exists

Unsigned file with a known signed version

unsignedPeFileEvidence

Boolean

Indicates whether there is evidence the file is signed even though a signed version exists

Unverified

unsignedScreenSaver

Boolean

Indicates whether the file is signed even though its signer is not verified

Unverified signature

unverifiedPeFileEvidence

Boolean

Indicates whether there is evidence the image file of this process is signed by a trusted signer

Allowlist

whitelistClassificationEvidence

Boolean

Indicates whether there is evidence the file is on the allowlist

Vulnerable App Installed

vulnerableProgramEvidence

Boolean

Indicates there is evidence the device has a vulnerable app installed on the device

WMI Persistent Objects

wmiPersistentObjects

Collection

A list of WMI persistent objects related to this file.

This Feature is available from version 21.2.43 and higher.

File Event (EDR)

Use these features to filter for File Event Elements:

UI Name

API Name

Type

Description

Event type

fileEventType

Enum

The type of file event. Possible values include:

In the UI:

  • Create

  • Delete

  • Rename

  • Unknown

In the API:

  • FET_CREATE

  • FET_DELETE

  • FET_RENAME

  • FET_UNKNOWN

File access events

fileAccessEvents

Array

A collection of the file events for a file.

File event instance name

elementDisplayName

String

The name of the file event including the process and file name involved with the file event.

File information

fileInfo

String

The information on the file.

First instance timestamp

firstAccessTime

Integer

The time (in epoch) when the file was first collected by the Cybereason platform.

File path

path

String

The path to the file associated with the file event.

Has Malops

hasMalops

Boolean

Indicates if the file event is associated with any Malops.

Has suspicions

hasSuspicions

Boolean

Indicates if the file event is associated with any Suspicions.

Is hidden

isHidden

Boolean

Indicates if the file associated with the file event is marked as hidden in the file properties.

New path after rename event

newPath

String

The new path to the file after a file rename event.

Owner machine

ownerMachine

String

The name of the machine on which the file event happened.

Owner process

ownerProcess

String

The process that caused the file event.

Owner user

ownerUser

String

The user logged into the machine on which the file event occurred.

Process file events

fileAccessEvents

Array

A collection of file events for a process.

Related to Malop

relatedToMalop

Boolean

Indicates if this file event is associated with a Malop.

Forensics Artifact (EDR)

Use these features to filter for Forensic Artifact Elements:

UI Name

API Name

Type

Description

Associated with Malops

hasMalops

Boolean

Indicates whether the forensic artifact was associated with any Malops.

Associated with suspicions

hasSuspicions

Boolean

Indicates whether the forensic artifact was associated with any suspicions.

Collector details

collectorMetadata

String

The name of the tool package that collected the data for the forensic artifact.

Collection time

collectionTime

Long

The time (in milliseconds) when the data was collected.

File name

executableFileName

String

The file name of an executable file.

File path

executableFullPath

String

The path to an executable file.

First run time

firstRuntime

Long

The time (in milliseconds) when the file was first run.

Forensic artifact

elementDisplayName

String

The name of a forensic artifact.

Latest run time

lastRuntime

Long

The last time an executable file was run.

Number of runs

numberOfRuns

Integer

The number of times the file was run.

N/A

sourceFileName

String

A source file.

Owner process

process

String

The process associated with the forensic artifact.

N/A

lastRuntimes

Array

A collection of the run times of the file in the forensic artifact.

Source file path

sourceFullPath

String

The file path to a source file.

Type

type

Enum

The type of forensic artifact.

In the UI:

  • Prefetch

  • Unknown

In the API:

  • UNKNOWN

  • PREFETCH

Function Details (EDR)

Use these features to filter for Function Details Elements.

UI Name

API Name

Type

Description

Exporting module

exportingFile

String

The name of the module that exported the function.

Function Details

elementDisplayName

String

Details for the function.

Hooked module

hookedModule

String

The target module to which the function added the hook.

Hooking module

hookingModule

String

The origin module from which the function created the hook.

Type

type

Enum

The type of function. Possible values include:

In the UI:

  • Anonymous inline hook

  • IAT hook

  • Microsoft Detours hook

  • No hook

  • Trampoline hook

  • Unknown

  • WM hook

  • Windows hook

In the API:

  • HOOKTYPE_INLINE_ANONYMOUS

  • HOOKTYPE_IAT_HOOK

  • HOOKTYPE_MICROSOFT_DETOURS

  • HOOKTYPE_NO_HOOK

  • HOOKTYPE_TRAMPOLINE

  • HOOKTYPE_UNKNOWN

  • HOOKTYPE_WM_HOOK

  • HOOKTYPE_WINDOWS_HOOK

Group (XDR)

Use these features to filter for the Group Element.

UI Name

API Name

Type

Description

Email addresses of group

emailAddresses

Collection

A collection of email addresses included in the group.

Events related with group

relatedEvents

Collection

A collection of events associated with this group.

Group name

name

String

The displayed name for the group.

Product-specific group ID

id

String

A product-specific unique identifier, such as an LDAP Object identifier.

Hosts File (EDR)

Use these features to filter for Hosts File Elements.

UI Name

API Name

Type

Description

Domain to domain

domainToDomain

Array

Collection of domain to domain DNS queries associated with this hosts file.

DNS entries

domainToIp

Array

Collection of domain to IP DNS queries associated with this hosts file.

File

file

String

The file name for this hosts file.

File name

elementDisplayName

String

The displayed name of the hosts file.

Machine

ownerMachine

String

The machine on which this hosts file is found.

IP Address (EDR and XDR)

Use these features to filter for IP Address Elements:

UI Name

API Name

Type

Description

Address on blocklist

blackListIPSuspicion

Boolean

Indicates whether the customer classification or the Cybereason threat intelligence service classifies the IP address as an IP address on the blocklist.

Address type

version

String

The IP version for the IP address.

City name

city

String

The city associated with the geographic location for the IP address.

Classification comment

classificationComment

String

The comment added to a classification assigned for this IP address.

Classification user

classificationUser

String

The user who classified the IP address.

Country code

countryCode

String

The country code associated with the geographic location of the IP address.

Country name

countryNameOrNotExternalType

String

The name of the country for the geographic location for the IP address.

Gateway

isGateway

Boolean

Indicates whether the IP address is the address for a gateway.

Has Suspicions

hasSuspicions

Boolean

Indicates whether the IP address is associated with any suspicions.

Indifferent address

isIndifferentIpAddressEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service classified the IP address as indifferent.

IP address

elementDisplayName

String

The IP address name.

Is DHCP

isDhcpServer

Boolean

Indicates whether the IP address is the address of a DHCP server.

Latitude

latitude

Float

The latitude for the geographic location of the IP address.

Longitude

longitude

Float

The longitude for the geographic location of IP address.

Machine

ownerMachine

String

The machine to which this address belongs.

Malicious address

maliciousAddress

Boolean

Indicates whether the Cybereason threat intelligence service classified this IP address as malicious.

Malicious by Cybereason block list

maliciousByCybereasonBlackList

Boolean

Indicates whether this IP address is blocked due to the address classification by the Cybereason threat intelligence service.

Malicious by Tor list

maliciousByTorBlockList

Boolean

Indicates whether this address is classified as malicious due to the address being part of the TOR network.

Classified as malicious

ipAddressReputationSuspicion

Boolean

Indicates whether the Cybereason threat intelligence sources determined that the IP address has a bad reputation.

Region

region

String

The region associated with the geographic location of the IP address.

Reputation

addressReputation

Enum

The reputation classification for the IP address.

Reputation source

ipReputationSource

String

The reputation information source used to determine the reputation of the address.

Related to Malop

relatedToMalop

Boolean

Indicates whether or not the address is related to a Malop.

Safe address

isGoodIpAddressEvidence

Boolean

Indicates whether there is evidence that the Cybereason threat intelligence service recognizes the address as safe.

Suspicious address

isSuspiciousIpAddressEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified this IP address as suspicious.

Unknown address

isUnknownIpAddressEvidence

Boolean

Indicates whether there is evidence the address is not known by the Cybereason threat intelligence service.

Used by malware

accessedByMalwaresOnly

Boolean

Indicates whether the address is known to only be used by malware.

Version

version

String

The IP protocol version used by the IP address.

Back to top

IP Range Scan (EDR)

Use these features to filter for IP Range Scan Elements:

UI Name

API Name

Type

Description

Creation time

creationTime

Integer

The time of the IP range scan with the format Month, day at hh:00 (in the UI) or in epoch (in the API).

Has Malops

hasMalops

Boolean

Indicates whether or not the IP range scan is associated with any Malops.

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the IP range scan is associated with any Suspicions.

IP range scan

elementDisplayName

String

The name of the IP range scan.

Owner process

ownerProcess

String

The process that performed the scan.

Back to top

Listening Connection (EDR)

Use these features to filter for Listening Connection Elements:

UI Name

API Name

Type

Description

Address type

addressLocation

Enum

The type of address for the listening connection. Possible values include

In the UI:

  • Dynamic configuration

  • External

  • Internal

  • Local

  • Proxy

In the API:

  • DYNAMIC_CONFIGURATION

  • EXTERNAL

  • LOCAL

  • INTERNAL

  • PROXY

Connections

connections

Array

Collection of the connections associated with this listening socket.

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the listening connection is associated with any Suspicions.

Listening connection end time

endTime

Long

The time the listening connection ended in the format Month day, at hh:00 (in the UI) or in epoch (in the API).

Local address

localAddress

String

The local IP address used by this listening connection.

Local address and port

elementDisplayName

String

The local address and port of the listening connection.

Local port

localPort

Integer

The port used by the listening connection.

Owner machine

ownerMachine

String

The machine on which this listening socket is found.

Owner process

ownerProcess

String

The process creating the listening socket connection.

Service

ownerService

String

The service which opened the listening connection.

Transport protocol

transportProtocol

Enum

The transport protocol used by the listening socket. Possible values include

In the UI:

  • ICMP

  • TCP

  • UDP

  • Other

In the API:

  • ICMP

  • TCP

  • UDP

  • OTHER

Back to top

Local Network (Mac and Linux machines only) (EDR)

Use these features to filter for Local Network Elements:

UI Name

API Name

Type

Description

Connected SSIDs

wifiSsid

String

The Wifi SSID string associated with this local network.

This information is relevant for Mac machines only.

DHCP server address

dhcpServer

String

IP address of the DHCP server of the local network.

DNS server address

dnsServer

String

Address of the DNS server associated with the local network.

LAN name

elementDisplayName

String

The name of the local network.

Local network’s default search domain

searchDomain

String

The default search domain for the local network.

MAC address of the network’s gateway

gatewayMac

String

The MAC address of the local network gateway.

Network interfaces

networkInterfaces

Array

Collection of the network interfaces for the local network.

Back to top

Logon Session (EDR)

Use these features to filter for Logon Session Elements:

UI Name

API Name

Type

Description

Client remote session

clientRemoteSession

Array

Collection of all remote sessions connected from this logon session.

Empty or null work station evidence

emptyOrNullWorkStationEvidence

Boolean

Indicates whether there is evidence there is empty or null data regarding the work station data in the Windows logon details.

Has Malops

hasMalops

Boolean

Indicates whether or not the logon session is associated with any Malops.

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the logon session is associated with any Suspicions.

Logon application type

logonApplication

Enum

The application type for the logon session. Possible values include

In the UI:

  • Local terminal

  • SCP

  • SMB

  • SSH

  • Telnet

  • Unknown

  • VNC

  • Window display

In the API:

  • LOGON_APPLICATION_LOCAL_TERMINAL

  • LOGON_APPLICATION_SCP

  • LOGON_APPLICATION_SMB

  • LOGON_APPLICATION_SSH

  • LOGON_APPLICATION_UNKNOWN

  • LOGON_APPLICATION_TELNET

  • LOGON_APPLICATION_VNC

  • LOGON_APPLICATION_WINDOW_DISPLAY

Logon session name

elementDisplayName

String

The Display name of the logon session.

Logon type

logonType

Enum

The type of logon session. Possible values include

In the UI:

  • Batch

  • Cached interactive

  • Cached remote interactive

  • Cached unlock

  • Interactive

  • Network

  • Network clear text

  • New credentials

  • Proxy

  • Remote interactive

  • Service

  • Unknown type

  • Unlock

In the API:

  • SLT_Batch

  • SLT_CachedInteractive

  • SLT_CachedRemoteInteractive

  • SLT_CachedUnlock

  • SLT_Interactive

  • SLT_Network

  • SLT_NewCredentials

  • SLT_NetworkCleartext

  • SLT_Proxy

  • SLT_RemoteInteractive

  • SLT_Service

  • SLT_UnknownSecurityLogonType

  • SLT_Unlock

LUID

LUID

String

The locally unique identifier (LUID) of the logon session.

Owner machine

ownerMachine

String

The machine on which this logon session originated.

Pass the hash

passTheHashMalop

Boolean

Indicates whether the Cybereason platform detected a pass the hash attack using this logon session.

Pass the ticket

passTheTicketMalop

Boolean

Indicates whether the logon session loaded a stolen ticket into the Kerberos ticket cache in order to perform a Pass the Ticket attack.

Pass the ticket remote sessions

passTheTicketRemoteSessionEvidence

Boolean

Indicates whether there is evidence that a stolen ticket was loaded into the Kerberos ticket cache during this logon session.

Processes

processes

Array

Collection of processes created in the context of this logon session.

Proxies

proxies

Array

Collection of the proxies associated with this logon session.

Related to Malop

relatedToMalop

Boolean

Indicates whether or not the logon session was involved in the triggering of any Malops.

Remote machine

remoteMachine

String

Name of the remote machine associated with this logon session.

Remote network machine

remoteNetworkMachine

String

Name of the remote network machine associated with this logon session.

Server remote session

serverRemoteSession

Array

Collection of all remote sessions connected to this logon session.

Session with credentials mismatch

passTheTicketSuspicion

Boolean

Indicates whether the Cybereason platform detected the logon session obtaining an unauthorized Kerberos ticket.

Source IP

sourceIp

String

The source IP address for the logon session.

Pass the Hash with stolen credentials

passTheHashSuspicion

Boolean

Indicates whether the logon session used stolen credentials as part of a Pass the Hash attack.

Unexpected key length evidence

unexpectedKeyLengthEvidence

Boolean

Indicates whether there is evidence the session received a key whose length is not 128 bits in the Windows logon details.

Unexpected NTLM key evidence

zeroKeyLengthEvidence

Boolean

Indicates whether there is evidence the NTLM session key has an unexpected value, such as a zero key length.

User

user

String

The user for this logon session.

Windows logon details

winLogonDetails

String

Details about the logon/logoff category in the Windows security log file.

Back to top

Machine (EDR and XDR)

Use these features to filter for the Machine Element:

UI Name

API Name

Type

Description

Active users on asset

activeUsers

Collection

A list of all active users for the asset.

Android Device - Compatibility Not Tested By Google

SafetyNetAttestationCtsProfileMatchFalseEvidence

Boolean

Indicates that the device failed the SafetyNet attestation CTS profile match: its build has not been certified as compatible by Google, so the device is not considered safe.

Asset type

type

Enum

The type of asset (machine). Potential values include (but are not limited to):

In the UI:

  • Unspecified

  • Workstation

  • Cloud instance

  • Laptop

  • IOT

  • Network attached storage

  • Printer

  • Scanner

  • Server

  • Tape library

  • Mobile

In the API:

  • UNSPECIFIED

  • WORKSTATION

  • CLOUD_INSTANCE

  • LAPTOP

  • IOT

  • NETWORK_ATTACHED_STORAGE

  • PRINTER

  • SCANNER

  • SERVER

  • TAPE_LIBRARY

  • MOBILE

BlueBorn vulnerability evidence

blueborneVulnerabilityEvidence

Boolean

Indicates there is evidence the device has the BlueBorne vulnerability.

Canonical name

adCanonicalName

String

The machine’s canonical name according to Active Directory information.

Client interactions

clientInteractions

Array

Collection of interactions in which the machine participates as the client machine.

Company

adCompany

String

The company associated with this machine according to Active Directory information.

CPU core count

cpuCount

Integer

The number of CPU cores for the machine.

Cybereason for Mobile not activated on all profiles for Android For Work

afwBothProfilesNotActivatedEvidence

Boolean

Indicates that the Cybereason Mobile sensor and associated profile are not activated on all the Android for Work profiles on the device.

Department

adDepartment

String

The department associated with this machine according to Active Directory information.

Description

adDescription

String

The description of the machine according to Active Directory information.

Developer Options enabled

developerOptionsEvidence

Boolean

Indicates there is evidence the device has the Developer Options setting enabled.

Developer mode is enabled; sideloading from unknown sources, USB debugging and other configurations that can lead to security risks can be enabled

usbAppVerifyDisabledEvidence

Boolean

Indicates that the device has developer mode enabled, which allows an attacker to sideload apps from unknown sources, use USB debugging and change other configurations.

Device Encryption not set up

encryptionEvidence

Boolean

Indicates the device does not have encryption set up.

Device model

deviceModel

String

The model of the device (reported for Mac devices only).

Device Pin

pinEvidence

Boolean

Indicates there is evidence the device has a device PIN.

Display name

adDisplayName

String

The machine display name according to Active Directory information.

DNS change

configDnsEvidence

Boolean

Indicates there is evidence the device has changes made for the device DNS configuration.

DNS host name

adDNSHostName

String

The DNS host according to Active Directory information.

Free disk space

freeDiskSpace

Long

The total available disk space on the machine in bytes.

Free memory

freeMemory

Long

The total available memory on the machine in bytes.

Gateway change

configGatewayEvidence

Boolean

Indicates there is evidence the device has changes made for the device gateway.

Google Play Protect disabled

configGooglePlayProtectDisabledEvidence

Boolean

Indicates that Google Play Protect has been disabled on the device.

Has Malops

hasMalops

Boolean

Indicates whether or not the machine is associated with any Malops.

Has removable device

hasRemovableDevice

Boolean

Indicates whether or not a removable device is connected to the machine.

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the machine is associated with any Suspicions.

Has suspicious processes

isSuspiciousOrHasSuspiciousProcessOrFile

Boolean

Indicates whether the machine itself is marked suspicious or has processes or files marked as suspicious.

High number of downloaded processes

highNumberOfDownloadedProcessesEvidence

Boolean

Indicates whether there is evidence that there are multiple processes running on the machine whose image files were downloaded from the Internet.

High number of new processes

highNumberOfNewProcessesEvidence

Boolean

Indicates whether there is evidence that there are multiple new processes running on the machine.

High users count

highNumberOfUsersEvidence

Boolean

Indicates whether or not there is evidence that the number of users on the machine is significantly high compared to the number of users on other machines in the environment.

Host name for this asset

name

String

The host (machine) name for the asset.

Hosts file

hostsFile

String

The hosts file associated with this machine.

Is connected to Cybereason

isActiveProbeConnected

Boolean

Indicates whether the machine has a sensor currently connected to the Cybereason server.

Is isolated

isIsolated

Boolean

Indicates whether the machine is isolated from the network.

Is laptop

isLaptop

Boolean

Indicates whether the machine is a laptop.

Is Linux

isLinux

Boolean

Indicates whether the machine is running a Linux operating system.

Is Mac

isMac

Boolean

Indicates whether the machine is a Mac.

Is Windows

isWindows

Boolean

Indicates whether the machine is running a version of the Windows operating system.

Is Windows desktop

isWindowsDesktop

Boolean

Indicates whether the machine is running a Windows desktop operating system.

Is Windows Server

isWindowsServer

Boolean

Indicates whether the machine is running a Windows Server operating system.

Lock screen is disabled; the device encryption is rendered useless against physical attacks

lockScreenDisabledEvidence

Boolean

Indicates there is evidence the device lock screen has been disabled, which renders device encryption useless against physical attacks.

Machine domain name

domainFqdn

String

The fully qualified domain name (FQDN) of the machine.

Machine name

computerName

String

Name of the computer as reported by the operating system.

Machine name

elementDisplayName

String

The machine name as reported by the operating system.

Machine role

adMachineRole

String

The machine role according to Active Directory information.

Machine timezone

timezoneUTCOffsetMinutes

String

The timezone of the machine as offset from UTC (in minutes).

Malicious processes

hasMaliciousProcessesEvidence

Boolean

Indicates whether there is evidence that the Cybereason platform detected malicious processes on the machine.

MBR Hash

mbrHashString

String

The hash value of the machine Master Boot Record.

Network domain of asset

domainFqdn

String

The network domain of the asset.

Network interfaces

networkInterfaces

Array

Collection of the network interfaces associated with this machine.

Modified build of an operating system that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack

jailbrokenEvidence

Boolean

Indicates there is evidence the device is running a modified build of the device operating system which makes the device more vulnerable to attack.

Modified build of an operating system that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack

jailbrokenSuspicion

Boolean

Indicates the device is running a modified build of the device operating system which makes the device more vulnerable to attack.

Network proxy change

configProxyEvidence

Boolean

Indicates there is evidence there was a proxy configuration change on the mobile device that is indicative of sending traffic to a non-intended destination.

Network proxy change

configProxySuspicion

Boolean

Indicates there was a proxy configuration change on the mobile device that is indicative of sending traffic to a non-intended destination.

New administrator tool

newAdminToolforMachineEvidence

Boolean

Indicates whether there is evidence that Cybereason detected a new administrator tool on the machine.

Not verified Android Debug Bridge (ADB) apps installed

adbAppsNotVerifiedEvidence

Boolean

Indicates there is evidence the device has non-verified Android Debug Bridge (ADB) apps installed on the device.

Older version of an OS that is more vulnerable to known security exploits

vulnerableOsMajorVersionEvidence

Boolean

Indicates the device is running an older version of an operating system that is more vulnerable to known security exploits.

Organization

organization

String

The organization associated with this machine according to Active Directory information.

Organizational unit (ou)

adOU

String

The organizational unit associated with this machine according to Active Directory information.

OS minor version

osVersionMinor

String

The minor number of the OS version.

OS type

osType

Enum

The general type of the operating system. Values include

In the UI:

  • Windows

  • Linux

  • MacOS

  • Android

  • iOS

  • Unknown OS

In the API:

  • WINDOWS

  • LINUX

  • OSX

  • ANDROID

  • IOS

  • UNKNOWN_OS

OS version

osVersionType

Enum

The string identifying the operating system. Values include

In the UI:

  • Windows 8

  • Windows 8.1

  • Windows 7

  • Windows Vista

  • Windows XP

  • Windows XP Professional x64 Edition

  • Windows 2000

  • Windows Home Server

  • Windows Server 2003

  • Windows Server 2003 R2

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

  • Windows 10

  • Windows 20H2

  • Mavericks 10.9

  • Yosemite 10.10

  • El Capitan 10.11

  • Sierra 10.12

  • High Sierra 10.13

  • Mojave 10.14

  • Catalina 10.15

  • Big Sur 10.16

  • CentOS Linux 6

  • CentOS Linux 7

  • CentOS Linux 8

  • Red Hat Enterprise Linux 6

  • Red Hat Enterprise Linux 7

  • Red Hat Enterprise Linux 8

  • Ubuntu Linux 12

  • Ubuntu Linux 14

  • Ubuntu Linux 16

  • Ubuntu Linux 17

  • Ubuntu Linux 18

  • Oracle Linux Server 6

  • Oracle Linux Server 7

  • Suse Linux Enterprise Server 12

  • Amazon Linux AMI 2011.03

  • Amazon Linux AMI 2012.03

  • Amazon Linux AMI 2012.09

  • Amazon Linux AMI 2013.03

  • Amazon Linux AMI 2013.09

  • Amazon Linux AMI 2014.03

  • Amazon Linux AMI 2014.09

  • Amazon Linux AMI 2015.03

  • Amazon Linux AMI 2015.09

  • Amazon Linux AMI 2016.03

  • Amazon Linux AMI 2016.09

  • Amazon Linux AMI 2017.03

  • Debian 8

  • Debian 9

  • iOS 9

  • iOS 10

  • iOS 11

  • iOS 12

  • iOS 13

  • Android Ice Cream Sandwich

  • Android Jelly Bean

  • Android KitKat

  • Android Lollipop

  • Android Marshmallow

  • Android Nougat

  • Android Oreo

  • Android Pie

  • Android 10

In the API:

  • Windows_8__1

  • Windows_8

  • Windows_7

  • Windows_Vista

  • Windows_XP_Professional_x64_Edition

  • Windows_XP

  • Windows_2000

  • Windows_Server_2003

  • Windows_Server_2003_R2

  • Windows_Server_2008_R2

  • Windows_Server_2008

  • Windows_Server_2012_R2

  • Windows_Server_2012

  • Windows_Server_2016

  • Windows_Server_2019

  • Windows_Home_Server

  • Windows_10

  • Windows_20H2

  • High_Sierra_10__13

  • Sierra_10__12

  • El_Capitan_10__11

  • Yosemite_10__10

  • Mavericks_10__9

  • Mojave_10__14

  • Catalina_10__15

  • Big_Sur_10__16

  • Big_Sur_11

  • Centos_Linux_6

  • Centos_Linux_7

  • Centos_Linux_8

  • Red_Hat_Enterprise_Linux_6

  • Red_Hat_Enterprise_Linux_7

  • Red_Hat_Enterprise_Linux_8

  • Ubuntu_Linux_12

  • Ubuntu_Linux_14

  • Ubuntu_Linux_16

  • Ubuntu_Linux_17

  • Ubuntu_Linux_18

  • Oracle_Linux_6

  • Oracle_Linux_7

  • Orache_Linux_8

  • Suse_Linux_12

  • Amazon_Linux_2011__09

  • Amazon_Linux_2012__03

  • Amazon_Linux_2012__09

  • Amazon_Linux_2013__03

  • Amazon_Linux_2013__09

  • Amazon_Linux_2014__03

  • Amazon_Linux_2014__09

  • Amazon_Linux_2015__03

  • Amazon_Linux_2015__09

  • Amazon_Linux_2016__03

  • Amazon_Linux_2016__09

  • Amazon_Linux_2017__03

  • Debian_Linux_8

  • Debian_Linux_9

  • iOS_9

  • iOS_10

  • iOS_11

  • iOS_12

  • iOS_13

  • Android_IceCreamSandwich

  • Android_JellyBean

  • Android_KitKat

  • Android_Lollipop

  • Android_Marshmallow

  • Android_Nougat

  • Android_Oreo

  • Android_Pie

  • Android_10

Outdated

isOutdatedEvidence

Boolean

Indicates whether there is evidence the machine has not installed the latest service pack for its operating system.

Over-The-Air (OTA) updates disabled

otaUpdatesDisabledEvidence

Boolean

Indicates there is evidence the device has Over-the-Air updates disabled.

Owner organization

ownerOrganization

String

The organization to which this machine belongs.

Platform architecture

platformArchitecture

Enum

The underlying architecture of the platform of the machine. Values include

In the UI:

  • 32 bit

  • AMD 64 bit

  • ARM

  • Itanium

  • Unknown

In the API:

  • ARCH_X86

  • ARCH_AMD64

  • ARCH_ARM

  • ARCH_IA64

  • ARCH_UNKNOWN

Pylum ID

pylumId

String

The machine’s Pylum ID (Cybereason sensor ID).

Removable devices

removableDevices

Array

Collection of removable devices connected to the machine.

Running malicious tool

runningMaliciousToolEvidence

Boolean

Indicates whether there is evidence that a malicious tool is running on the machine.

Scanning activity

scanningActivitySuspicion

Boolean

Indicates whether a process on the machine performed a scanning activity to scan internal addresses in the network.

Security identifier (sid)

adSid

String

The immutable security identifier (SID) of the machine according to Active Directory information.

SELinux disabled evidence

selinuxDisabledEvidence

Boolean

Indicates there is evidence that a modification to the operating system's security features (SELinux) was detected. SELinux is a core security feature of the operating system, intended to control access internally and help maintain the integrity of the operating system.

SELinux disabled

selinuxDisabledSuspicion

Boolean

Indicates that a modification to the operating system's security features (SELinux) was detected. SELinux is a core security feature of the operating system, intended to control access internally and help maintain the integrity of the operating system.

Sensor group

group

Array

The unique identifier the Cybereason platform uses for the sensor group of the sensor.

Server interactions

serverInteractions

Array

Collection of interactions in which the machine participates as the server machine.

Source machine for event

eventSourceMachine

Array

A collection of machines associated with an event.

Spreading drivers

spreadDrivers

Array

Collection of new drivers whose appearance exceeds an internal threshold (calculated by number of appearances/time period).

SSL/TLS downgrade evidence

sslTlsDowngradeEvidence

Boolean

Indicates there is evidence that SSL/TLS was downgraded to force apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information.

SSL/TLS downgrade

sslTlsDowngradeSuspicion

Boolean

Indicates that SSL/TLS was downgraded to force apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information.

Stagefright vulnerability

mediaserverSfVulnerabilityEvidence

Boolean

Indicates there is evidence that the device's OS patch level is susceptible to the Stagefright (mediaserver) vulnerabilities and can be compromised through them.

Suspicious profile added evidence

profileSuspiciousEvidence

Boolean

Indicates there is evidence that a new suspicious profile was introduced to the environment and is not explicitly trusted or untrusted. It is recommended that the Administrator review the Profile and mark the profile as trusted or untrusted.

Suspicious profile added

profileSuspiciousSuspicion

Boolean

Indicates that a suspicious new profile was introduced to the environment and is not explicitly trusted or untrusted. It is recommended that the Administrator review the Profile and mark the profile as trusted or untrusted.

Time since last communication

timeStampSinceLastConnectionTime

Integer

The last time (in epoch) the machine communicated with the Cybereason server.

Total disk space

totalDiskSpace

Long

The total disk space on the machine in bytes.

Total memory

totalMemory

Long

The total memory installed on the machine in bytes.

Unknown download sources enabled evidence

configUnknownSourcesEvidence

Boolean

Indicates there is evidence that app downloads from locations other than the Google Play store are enabled.

Unknown download sources enabled

configUnknownSourcesSuspicion

Boolean

Indicates that app downloads from locations other than the Google Play store are enabled.

Uptime

uptime

Long

The time since the machine was last restarted, shown as #days, hh:mm:ss in the UI or as a numeric (epoch-style) value in the API.

USB Debugging mode enabled

usbDebuggingEvidence

Boolean

Indicates that USB Debugging (an advanced configuration option intended for development purposes only) was enabled. By enabling USB Debugging, your device can accept commands from a computer when plugged into a USB connection.

User identity associated with this asset

users

Collection

List of user identities associated with this asset.

Vulnerable Android version

vulnerableAndroidEvidence

Boolean

Indicates that the Android version installed on your device is not up-to-date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update your operating system immediately.

Vulnerable iOS version

vulnerableIosEvidence

Boolean

Indicates that the iOS version installed on your device is not up-to-date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update your operating system immediately.

Vulnerable, non-upgradeable Android version

vulnerableAndroidNonUpgradeableEvidence

Boolean

Indicates that the device is running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time.

Vulnerable, non-upgradeable iOS version

vulnerableIosNonUpgradeableEvidence

Boolean

Indicates that the device is running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time.

Web shell detected

machineWebShellEvidence

Boolean

Indicates whether there is evidence that the Cybereason platform detected a web shell running on this machine.

Zero ARP entries above threshold

zeroArpEntriesAboveThreshold

Boolean

Indicates whether the ARP table was filled with a high number of zero-entries, which is an indication that scanning activity was performed on the machine.

Back to top
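The tables above give the API names to filter on and the enum values a filter must use (the API column, not the UI label). As an added example, which is not from Cybereason's documentation or any Cybereason SDK, the following Python builds query bodies for the Logon Session and Machine Elements and flattens a query response into rows. It assumes things this page does not state: the query endpoint is POST /rest/visualsearch/query/simple, the Element API names are LogonSession and Machine, the filters of one query step are ANDed while the values within one filter are ORed, Boolean Features come back as the strings "true"/"false", and responses have the layout of the constructed SAMPLE_RESPONSE. Nothing is sent over the network.

```python
"""Build investigation queries from the Feature tables above and flatten the
response.  Added example, not Cybereason's code.  Assumed (not stated on this
page): the endpoint is POST /rest/visualsearch/query/simple, the Element API
names are "LogonSession" and "Machine", filters in one query step are ANDed and
the values of one filter ORed, and responses look like SAMPLE_RESPONSE below,
which is constructed here; nothing is sent over the network."""
from typing import Any


def feature_filter(facet: str, values: list[str], filter_type: str = "Equals") -> dict[str, Any]:
    """One filter on a Feature, keyed by its API Name (second column of the tables)."""
    return {"facetName": facet, "values": values, "filterType": filter_type}


def build_query(element: str, filters: list[dict[str, Any]], fields: list[str],
                limit: int = 1000) -> dict[str, Any]:
    """Single-step query body: `fields` of every `element` matching all `filters`."""
    return {
        "queryPath": [{"requestedType": element, "filters": filters, "isResult": True}],
        "totalResultLimit": limit, "perGroupLimit": 100, "perFeatureLimit": 100,
        "templateContext": "SPECIFIC", "queryTimeout": 120_000, "customFields": fields,
    }


def suspicious_logon_query() -> dict[str, Any]:
    """Logon Session hunt: clear-text or new-credential logons that already carry a
    Suspicion.  Values are the API enum names (SLT_*), not the UI labels."""
    return build_query("LogonSession", [
        feature_filter("logonType", ["SLT_NetworkCleartext", "SLT_NewCredentials"]),
        feature_filter("hasSuspicions", ["true"]),
    ], ["elementDisplayName", "user", "sourceIp", "logonType", "logonApplication",
        "passTheHashSuspicion", "passTheTicketSuspicion"])


def outdated_windows_query() -> dict[str, Any]:
    """Machine hygiene: connected Windows sensors missing the latest service pack."""
    return build_query("Machine", [
        feature_filter("osType", ["WINDOWS"]),
        feature_filter("isActiveProbeConnected", ["true"]),
        feature_filter("isOutdatedEvidence", ["true"]),
    ], ["elementDisplayName", "osVersionType", "platformArchitecture", "isIsolated"])


def _coerce(value: str) -> Any:
    """Boolean Features arrive as the strings "true"/"false" (assumed)."""
    return {"true": True, "false": False}.get(value, value)


def flatten_results(response: dict[str, Any]) -> list[dict[str, Any]]:
    """One dict per result GUID: scalar Features from simpleValues; linked Elements
    (user, ownerMachine, ...) from elementValues as lists of display names."""
    rows = []
    for guid, element in response["data"]["resultIdToElementDataMap"].items():
        row: dict[str, Any] = {"guid": guid}
        for name, feat in element.get("simpleValues", {}).items():
            values = [_coerce(v) for v in feat.get("values") or []]
            row[name] = values[0] if len(values) == 1 else values
        for name, feat in element.get("elementValues", {}).items():
            row[name] = [linked["name"] for linked in feat.get("elementValues", [])]
        rows.append(row)
    return rows


def pass_the_hash_sessions(rows: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Triage step: keep only sessions the platform flagged as Pass the Hash."""
    return [r for r in rows if r.get("passTheHashSuspicion") is True]


SAMPLE_RESPONSE = {  # constructed sample of the assumed response shape
    "status": "SUCCESS",
    "data": {"totalResults": 2, "resultIdToElementDataMap": {
        "guid-session-1": {
            "simpleValues": {
                "elementDisplayName": {"values": ["0x3e7a12"]},
                "logonType": {"values": ["SLT_NetworkCleartext"]},
                "sourceIp": {"values": ["10.20.30.40"]},
                "passTheHashSuspicion": {"values": ["true"]}},
            "elementValues": {
                "user": {"elementValues": [{"elementType": "User", "guid": "guid-user-1",
                                            "name": "corp\\svc-backup"}]}}},
        "guid-session-2": {
            "simpleValues": {
                "elementDisplayName": {"values": ["0x3e7b90"]},
                "logonType": {"values": ["SLT_NewCredentials"]},
                "sourceIp": {"values": ["10.20.30.41"]},
                "passTheHashSuspicion": {"values": ["false"]}},
            "elementValues": {
                "user": {"elementValues": [{"elementType": "User", "guid": "guid-user-2",
                                            "name": "corp\\jdoe"}]}}}}},
}
```

With a live session you would POST `suspicious_logon_query()` as JSON, pass the decoded body to `flatten_results`, and feed the rows to `pass_the_hash_sessions`; on the constructed sample only guid-session-1 (corp\svc-backup from 10.20.30.40) survives the triage. Keep filter values on the API side of each table: "Network clear text" is a UI label and will not match, "SLT_NetworkCleartext" will.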

Message (XDR)

Use these features to filter for the Message Element:

UI Name

API Name

Type

Description

Attachments

attachments

Collection

A list of attachments for the message.

Events related with message

relatedEvents

Array

A collection of events associated with this message.

Links

links

Collection

Collection of domain links for the message.

Message ID

messageId

String

The unique message ID for the message.

Message type

type

String

The type of the message. Possible values include:

In the UI:

  • Email

  • Chat

In the API:

  • EMAIL

  • CHAT

Origin address of message

senderAddress

String

The email address of the sender of the message.

Recipient addresses of message

receipientAddresses

Collection

A list of the email addresses for the recipients of the message.

Subject line of message

subject

String

The subject line in the message.

Back to top

Machines Interaction (XDR)

Use these features to filter for Machine Interaction Elements:

UI Name

API Name

Type

Description

IP address of client machine for attacker

attackerClientMachineIP

IP address

The IP address of the client machine for the attacker in this interaction as seen from the attacker machine perspective.

Note that this property may differ from the attacker IP address as seen from the victim side of the attack. For example, say you have a network with two segments, 172.16.0.x and 192.168.0.x. The attacker machine is 172.16.0.100 and the victim machine is 192.168.0.200, and a proxy or NAC between them holds the addresses 172.16.0.77 (on the attacker segment) and 192.168.0.81 (on the victim segment). Each side only sees the proxy's address on its own segment, so the properties are displayed as follows:

  • attackerClientMachineIP - 172.16.0.100

  • attackerServerMachineIP - 172.16.0.77

  • victimClientMachineIP - 192.168.0.81

  • victimServerMachineIP - 192.168.0.200

IP address of server machine for attacker

attackerServerMachineIP

IP address

The IP address of the server machine for the attacker in this interaction as seen from the attacker machine perspective.

Note that this property may differ from the IP address seen from the victim side of the attack; when a proxy or NAC sits between the machines, the attacker side sees the proxy's address on its own segment rather than the victim's real address. See the example under IP address of client machine for attacker.

First time detected on attacker machine

attackerTimestamp

Integer

The timestamp of the first time the attacker machine detected the interaction event.

Client machine

clientMachine

String

The machine name of the machine identified as the client in this interaction.

IP address of client machine

clientMachineIp

IP address

The IP address for the machine identified as the client machine in this interaction.

Port on client machine

clientMachinePort

Integer

The port used by the machine identified as the client machine in this interaction.

Process initiating interaction

clientProcess

String

The name of the process that initiated the interaction between machines.

User on client machine

clientUser

String

The user on the client machine associated with the interaction.

Interaction description

elementDisplayName

String

The description of the interaction.

Interaction protocol

interactionProtocol

Enum

The communication protocol used by the machines in the interaction. Possible values include:

  • SMB

  • DCERPC

Machine role in interaction

interactionRole

Enum

The role of the machine in the interaction. Possible values include:

  • ATTACKER

  • VICTIM

Interaction type

interactionType

Enum

The type of interaction. The only supported value is PASS_THE_HASH.

Associated with Malops

malops

Boolean

Indicates whether the interaction operation is associated with any Malops.

Receiver machine for Pass the Hash evidence

passTheHashReceiverEvidence

Boolean

Indicates whether there is evidence that the machine is the receiving machine for a Pass the Hash attack.

Pass the Hash receiver machine

passTheHashReceiverSuspicion

Boolean

Indicates whether the machine is the receiving machine for a Pass the Hash attack.

Sender machine for Pass the Hash evidence

passTheHashSenderEvidence

Boolean

Indicates whether there is evidence that the machine is the sending machine for a Pass the Hash attack.

Pass the Hash sender machine

passTheHashSenderSuspicion

Boolean

Indicates whether the machine is the sending machine for a Pass the Hash attack.

Related to Malop

relatedToMalop

Boolean

Indicates whether the interaction operation is related to a Malop.

Server machine

serverMachine

String

The name of the machine identified as the server in this interaction operation.

Server machine IP

serverMachineIp

IP address

The IP address for the machine identified as the server machine in this interaction operation.

Server machine port

serverMachinePort

Integer

The port used by the machine identified as the server machine in this interaction.

Process initiating interaction on the server machine

ServerProcess

String

The name of the process initiating the interaction operation on the server machine.

Server user

serverUser

String

The user on the server machine associated with the interaction.

Compromised user

user

String

The name of the user with the compromised credentials that were used as part of the interaction operation.

IP address for victim client machine

victimClientMachineIp

IP address

The IP address of the machine identified as the client machine which was also the victim in this interaction as seen from the victim machine perspective.

Note that this property may differ from the IP address of the attacker (client) machine as seen from the attacker side of the attack. For example, say you have a network with two segments, 127.16.0.x and 192.168.0.x. The attacker machine is 127.16.0.100 in the first segment and the victim machine is 192.168.0.200 in the second. A proxy or NAC sits between them, with the address 127.16.0.81 on the attacker's segment and 192.168.0.77 on the victim's segment. The properties are displayed as follows:

  • attackerClientMachineIP - 127.16.0.100

  • attackerServerMachineIP - 127.16.0.81

  • victimClientMachineIP - 192.168.0.77

  • victimServerMachineIP - 192.168.0.200

IP address for victim server machine

victimServerMachineIp

IP address

The IP address of the machine identified as the server machine which was also the victim in this interaction as seen from the victim machine perspective.

Note that this property may differ from the IP address of the victim machine as seen from the attacker side of the attack. For example, say you have a network with two segments, 127.16.0.x and 192.168.0.x. The attacker machine is 127.16.0.100 in the first segment and the victim machine is 192.168.0.200 in the second. A proxy or NAC sits between them, with the address 127.16.0.81 on the attacker's segment and 192.168.0.77 on the victim's segment. The properties are displayed as follows:

  • attackerClientMachineIP - 127.16.0.100

  • attackerServerMachineIP - 127.16.0.81

  • victimClientMachineIP - 192.168.0.77

  • victimServerMachineIP - 192.168.0.200

First time detected on victim machine

victimTimestamp

Integer

The timestamp of the first time the victim machine detected the interaction event.
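The following is an added example, not code from the Cybereason documentation or product. It builds a query for Pass the Hash Interaction Elements using the Features in this table, then reconciles the attacker-side and victim-side IP Features so that the NAT/proxy situation described in the notes above is detected rather than misread as two unrelated hosts. The endpoint path, request body layout, filterType names, the "Interaction" requestedType, and the response layout (data.resultIdToElementDataMap[id].simpleValues[feature].values) are assumptions about the Investigation API that this table does not state; the sample response is constructed from the table's own proxy example.

```python
"""Query Pass the Hash Interaction Elements and reconcile the attacker-side
and victim-side IP Features.

Added example; not code from the Cybereason documentation or product.
ASSUMPTIONS (not stated in the feature table): the simple-query endpoint
path, the request body layout, the filterType names, the "Interaction"
requestedType, and the response layout
data.resultIdToElementDataMap[<id>].simpleValues[<feature>].values.
Feature names are taken from the table as printed. SAMPLE_RESPONSE is
constructed from the table's NAT/proxy example, not captured from a platform.
"""
from __future__ import annotations
from typing import Any

QUERY_ENDPOINT = "/rest/visualsearch/query/simple"   # ASSUMPTION

# Interaction Features a Pass the Hash hunt wants back with each result.
INTERACTION_FIELDS = [
    "elementDisplayName", "interactionType", "interactionProtocol",
    "clientMachine", "clientProcess", "clientUser", "serverMachine", "user",
    "attackerClientMachineIp", "attackerServerMachineIP",
    "victimClientMachineIp", "victimServerMachineIp",
    "attackerTimestamp", "victimTimestamp",
]


def build_pth_query(limit: int = 1000) -> dict[str, Any]:
    """Body for a query returning Interaction Elements whose interactionType
    is PASS_THE_HASH and that are associated with at least one Malop."""
    return {
        "queryPath": [{
            "requestedType": "Interaction",                      # ASSUMPTION
            "filters": [
                {"facetName": "interactionType", "filterType": "Equals",
                 "values": ["PASS_THE_HASH"]},
                {"facetName": "malops", "filterType": "Equals", "values": [True]},
            ],
            "isResult": True,
        }],
        "totalResultLimit": limit,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": 120000,
        "customFields": INTERACTION_FIELDS,
    }


def first_value(element: dict, feature: str) -> Any:
    """First value of a Feature in one result element, or None."""
    values = element.get("simpleValues", {}).get(feature, {}).get("values") or []
    return values[0] if values else None


def reconcile_perspectives(element: dict) -> dict[str, Any]:
    """Combine the two sensors' views of one interaction.

    attacker* Features are what the attacker-side sensor observed, victim*
    Features what the victim-side sensor observed. With a proxy or NAT in the
    path the pairs disagree, so each host's own sensor is the authority for
    that host's address; the far end only ever saw the translated address.
    """
    a_client = first_value(element, "attackerClientMachineIp")
    a_server = first_value(element, "attackerServerMachineIP")
    v_client = first_value(element, "victimClientMachineIp")
    v_server = first_value(element, "victimServerMachineIp")
    a_ts = first_value(element, "attackerTimestamp")
    v_ts = first_value(element, "victimTimestamp")
    return {
        "user": first_value(element, "user"),
        "attacker_host_ip": a_client,        # trust the attacker-side sensor
        "victim_host_ip": v_server,          # trust the victim-side sensor
        "attacker_saw_server_as": a_server,
        "victim_saw_client_as": v_client,
        # Either pair disagreeing means an intermediate device rewrote addresses.
        "address_translation_in_path": (a_client != v_client) or (a_server != v_server),
        # Both timestamps are integers; the table does not state their units.
        "first_seen_delta": (int(a_ts) - int(v_ts)) if a_ts is not None and v_ts is not None else None,
    }


def reconcile_response(response: dict) -> list[dict[str, Any]]:
    """Run reconcile_perspectives over every element in a query response."""
    elements = response.get("data", {}).get("resultIdToElementDataMap", {})
    return [dict(result_id=rid, **reconcile_perspectives(el)) for rid, el in elements.items()]


def _sv(**features: Any) -> dict:
    """Build a constructed element in the assumed response layout."""
    return {"simpleValues": {k: {"totalValues": 1, "values": [v]} for k, v in features.items()}}


# Constructed sample: the table's proxy/NAT example plus one direct interaction.
SAMPLE_RESPONSE = {"status": "SUCCESS", "data": {"resultIdToElementDataMap": {
    "int-1": _sv(user="CORP\\svc-backup", interactionType="PASS_THE_HASH",
                 attackerClientMachineIp="127.16.0.100", attackerServerMachineIP="127.16.0.81",
                 victimClientMachineIp="192.168.0.77", victimServerMachineIp="192.168.0.200",
                 attackerTimestamp=1700000000000, victimTimestamp=1700000000250),
    "int-2": _sv(user="CORP\\jdoe", interactionType="PASS_THE_HASH",
                 attackerClientMachineIp="10.1.1.5", attackerServerMachineIP="10.1.1.9",
                 victimClientMachineIp="10.1.1.5", victimServerMachineIp="10.1.1.9",
                 attackerTimestamp=1700000001000, victimTimestamp=1700000001000),
}}}

if __name__ == "__main__":
    for row in reconcile_response(SAMPLE_RESPONSE):
        print(row)
```

When pivoting from a reconciled row to other Elements, use attacker_host_ip for the attacker machine and victim_host_ip for the victim machine; the two "saw ... as" values are what to search for in proxy or NAC logs to identify the intermediate device.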

Back to top

Malop Logon Session (EDR)

Use these features to filter for Malop Logon Session Elements:

UI Name

API Name

Type

Description

Affected machines

affectedMachines

Array

Collection of machines affected by this Malop

Affected users

affectedUsers

Array

Collection of users affected by this Malop.

Detection type

detectionType

Enum

The type of detection for the Malop. Possible values include:

In the UI:

  • Blocklist

  • Command and Control

  • Compromised User

  • Credential Theft

  • Custom Rule

  • Data Transmission Volume

  • Elevated Access

  • Extension Manipulation

  • Injected Process

  • Known Malware

  • Known Malware

  • Lateral Movement

  • Malicious process

  • Malicious tool

  • PUP

  • Persistence

  • Phishing

  • Potentially Unwanted Program

  • Process Injection

  • Ransomware

  • Reconnaissance

  • Unauthorized authentication

  • Unknown

In the API:

  • BLACKLIST

  • CNC

  • UNAUTHORIZED_USER

  • CREDENTIAL_THEFT

  • DATA_TRANSMISSION_VOLUME

  • ELEVATED_ACCESS

  • EXTENSION_MANIPULATION

  • HIJACKED_PROCESS

  • KNOWN_MALWARE

  • MALWARE_PROCESS

  • MALICIOUS_PROCESS

  • MALICIOUS_TOOL_PROCESS

  • PUP

  • PERSISTENCE

  • PHISHING

  • UNWANTED_PROCESS

  • RANSOMWARE

  • RECONNAISSANCE

  • UNAUTHORIZED_AUTH

  • UNKNOWN

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the element has any suspicions.

Malicious activity type

elementDisplayName

String

Type of malicious activity that triggered the Malop.

Malop activity type

malopActivityTypes

String

Type of activity detected.

Primary Malop type

primaryMalopType

Enum

The primary type of activity detected. Possible values include

In the UI:

  • C&C

  • Data Theft

  • Infection

  • Lateral movement

  • Privilege Escalation

  • Ransomware

  • Scanning

  • Stolen credentials

  • Persistence

In the API:

  • CNC_COMMUNICATION

  • DATA_THEFT

  • MALICIOUS_INFECTION

  • LATERAL_MOVEMENT

  • PRIVILEGE_ESCALATION

  • RANSOMWARE

  • SCANNING

  • STOLEN_CREDENTIALS

  • PERSISTENCE

Root cause elements

rootCauseElements

String

The Elements identified as the root cause of the Malop.

Suspects

suspects

Array

Collection of suspect processes associated with this Malop.

Back to top

Malop Process (EDR)

Use these features to filter for Malop Process Elements:

UI Name

API Name

Type

Description

Has Ransomware processes suspended

hasRansomwareSuspendedProcesses

Boolean

Indicates whether or not any of the Malop’s suspicious processes are currently suspended due to ransomware activity.

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the process associated with the Malop is associated with any Suspicions.

Malicious activity type

elementDisplayName

String

Type of activity detected.

Malop activity types

malopActivityTypes

String

Type of activity detected

Malop has suspended processes

allRansomwareProcessesSuspended

Boolean

Indicates whether or not the Malop has malicious processes which are suspended.

Marked for prevention

isBlocked

Boolean

Indicates whether or not the Malop has malicious processes that are marked for prevention.

Root cause element hashes

rootCauseElementHashes

String

Hash value of the Element that triggered the Malop.

Root cause element names

rootCauseElementNames

String

Name of the Element that triggered the Malop.

Root cause element types

rootCauseElementTypes

String

Type of Element that triggered the Malop.

Root cause elements

rootCauseElements

String

The Element that triggered the Malop.

Root cause elements company and product

rootCauseElementCompanyProduct

String

The company and product associated with the Element that triggered the Malop, represented as company:product.

Root cause type

detectionType

Enum

The root cause for the Malop. Possible values include:

In the UI:

  • Blocklist

  • Command and Control

  • Compromised User

  • Credential Theft

  • Custom Rule

  • Data Transmission Volume

  • Elevated Access

  • Extension Manipulation

  • Injected Process

  • Known Malware

  • Known Malware

  • Lateral Movement

  • Malicious process

  • Malicious tool

  • PUP

  • Persistence

  • Phishing

  • Potentially Unwanted Program

  • Process Injection

  • Ransomware

  • Reconnaissance

  • Unauthorized authentication

  • Unknown

In the API:

  • BLACKLIST

  • CNC

  • UNAUTHORIZED_USER

  • CREDENTIAL_THEFT

  • DATA_TRANSMISSION_VOLUME

  • ELEVATED_ACCESS

  • EXTENSION_MANIPULATION

  • HIJACKED_PROCESS

  • KNOWN_MALWARE

  • MALWARE_PROCESS

  • MALICIOUS_PROCESS

  • MALICIOUS_TOOL_PROCESS

  • PUP

  • PERSISTENCE

  • PHISHING

  • UNWANTED_PROCESS

  • RANSOMWARE

  • RECONNAISSANCE

  • UNAUTHORIZED_AUTH

  • UNKNOWN

Primary Malop type

primaryMalopType

Enum

The type of the primary Malop. Possible values include

In the UI:

  • C&C

  • Data Theft

  • Infection

  • Lateral movement

  • Privilege Escalation

  • Ransomware

  • Scanning

  • Stolen credentials

  • Persistence

In the API:

  • CNC_COMMUNICATION

  • DATA_THEFT

  • MALICIOUS_INFECTION

  • LATERAL_MOVEMENT

  • PRIVILEGE_ESCALATION

  • RANSOMWARE

  • SCANNING

  • STOLEN_CREDENTIALS

  • PERSISTENCE

Suspects host processes

suspectsHostProcesses

Array

Collection of suspect processes associated with this Malop process that are host processes.

Suspects injecting processes

suspectsInjectingProcessses

Array

Collection of suspect processes associated with this Malop process that are injecting processes.

Suspects processes

suspectsProcesses

Array

Collection of suspect processes associated with this Malop process.

Total number of incoming connections

totalNumberOfIncomingConnections

Integer

Total number of incoming connections associated with the malicious process.

Total number of outgoing connections

totalNumberOfOutgoingConnections

Integer

Total number of outgoing connections associated with the malicious process.

Total received bytes

totalReceivedBytes

Long

Total bytes received by the malicious process.

Total transmitted bytes

totalTransmittedBytes

Long

Total bytes transmitted by the malicious process.

Back to top

Module (EDR)

Use these features to filter for Module Elements:

UI Name

API Name

Type

Description

Address (in Decimal)

address

Long

The address to which the module was loaded.

Allocated Protection

exeAllocatedProtection

Enum

The level of protection allocated to this module. Possible values include

In the UI:

  • Execute

  • Execute write copy

  • No access

  • Read

  • Read execute

  • Read write

  • Read write execute

  • Unknown

  • Write copy

In the API:

  • MEMORYPROTECTION_EXECUTE

  • MEMORYPROTECTION_EXECUTE_WRITECOPY

  • MEMORYPROTECTION_NOACCESS

  • MEMORYPROTECTION_READ

  • MEMORYPROTECTION_READ_EXECUTE

  • MEMORYPROTECTION_READ_WRITE

  • MEMORYPROTECTION_READ_WRITE_EXECUTE

  • MEMORYPROTECTION_UNKNOWN

  • MEMORYPROTECTION_WRITECOPY

Blocklisted module

blackListClassificationEvidence

Boolean

Indicates whether there is evidence that the module’s file is on the blocklist.

File for module on blocklist

blackListedModuleSuspicion

Boolean

Indicates whether the module’s file is on the blocklist.

Export name

exportName

String

The export name for the module.

Fake OWAAuth

fakeOwaAuthEvidence

Boolean

Indicates whether there is evidence that the Cybereason platform identified the module as a fake OWAAuth module.

Fake OWA Auth module

fakeOwaAuthSuspicion

Boolean

Indicates whether the Cybereason platform identified the module as a fake OWAAuth module.

File

file

String

The file from which the module is loaded.

File From Temp

isFileFromTempEvidence

Boolean

Indicates whether there is evidence the module’s file is located in a temporary folder.

Hacking Tool

hackingToolClassificationEvidence

Boolean

Indicates whether there is evidence that the Cybereason platform identified the module as part of a hacking tool.

Header protection

exeHeaderProtection

Enum

Level of protection for the module header. Possible values include

In the UI:

  • Execute

  • Execute write copy

  • No access

  • Read

  • Read execute

  • Read write

  • Read write execute

  • Unknown

  • Write copy

In the API:

  • MEMORYPROTECTION_EXECUTE

  • MEMORYPROTECTION_EXECUTE_WRITECOPY

  • MEMORYPROTECTION_READ

  • MEMORYPROTECTION_NOACCESS

  • MEMORYPROTECTION_READ_EXECUTE

  • MEMORYPROTECTION_READ_WRITE

  • MEMORYPROTECTION_READ_WRITE_EXECUTE

  • MEMORYPROTECTION_UNKNOWN

  • MEMORYPROTECTION_WRITECOPY

Has Malops

hasMalops

Boolean

Indicates whether or not the module is associated with any Malops.

Has registry entry

hasAutorun

Boolean

Indicates whether the module has a registry entry that can load the module.

Has Suspicions

hasSuspicions

Boolean

Indicates whether the module is associated with any Suspicions.

Is ever in loader DB

isEverInLoaderDb

Boolean

Indicates whether the module was ever loaded by the standard loader.

Is floating code

isFloating

Boolean

Indicates whether the module was loaded by writing to memory without going through the Windows loader.

Machine

ownerMachine

String

The machine in which this module is executing.

Malformed Executable Header

exeHeaderMalformed

Boolean

Indicates whether this module has a malformed executable header.

File for module classified as malicious

moduleReputationSuspicion

Boolean

Indicates whether the module’s file has a malicious reputation.

Malicious module prevented by App Control

executionPreventedEvidence

Boolean

Indicates whether there is evidence that this module was prevented by the Cybereason Application Control service.

Process prevented by Cybereason

executionPreventedSuspicion

Boolean

Indicates whether this module was prevented by the Cybereason Application Control service.

Malicious Tool

maliciousToolClassificationEvidence

Boolean

Indicates whether the Cybereason threat intelligence service identified the module as a malicious tool.

Malware

malwareClassificationEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the module as malware.

Marked for prevention

markedForPrevention

Boolean

Indicates whether or not the module’s file is prevented from executing.

Module name

elementDisplayName

String

The name of the module.

Not in loader DB

notInLoaderDbEvidence

Boolean

Indicates whether there is evidence the module was not loaded by a standard loader.

Pe header allocated size

peHeaderAllocatedSize

String

The size of memory section in which the PE header resides.

Potentially unwanted program

unwantedClassificationEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the module as a potentially unwanted program (PUP).

Prevent execution file hash

blockedFileHash

Array

Collection of file hashes that were prevented during module execution.

Prevented successfully

isBlocked

Boolean

Indicates whether or not the module execution was prevented.

Ransomware

ransomwareClassificationEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the module as ransomware.

Reputation

maliciousClassification

String

The reputation of the module according to intelligence feeds and user classification.

Unsigned or unverified

unsignedOrUnverifiedFileEvidence

Boolean

Indicates whether there is evidence the module’s file is not signed by a trusted signer.

Unsigned with a signed version

fileUnsignedHasSignedVersionEvidence

Boolean

Indicates whether there is evidence that the module’s file is unsigned even though a signed version exists.

Unsigned with a signed version

unsignedWithSignedVersion

Boolean

Indicates whether the module’s file is unsigned even though a signed version exists.
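The following is an added example, not code from the Cybereason documentation or product. It decodes the MEMORYPROTECTION_* enum values of the exeAllocatedProtection and exeHeaderProtection Features into read/write/execute bits and combines them with the loader-related Features above (isFloating, notInLoaderDbEvidence, exeHeaderMalformed, the signing and path evidence) to rank Module results for injected or manually mapped code. The decoding follows the Windows page-protection semantics the enum names carry; the response layout, the handling of Boolean Features as either bool or the strings "true"/"false", and the weights are assumptions and my own triage heuristic, not anything the platform computes. The sample response is constructed.

```python
"""Decode Module memory-protection Features and rank modules for injected or
manually mapped code triage.

Added example; not code from the Cybereason documentation or product.
MEMORYPROTECTION_* values are decoded with the Windows page-protection
semantics their names carry (WRITECOPY variants are readable and
copy-on-write writable). ASSUMPTIONS: the response layout
simpleValues[<feature>].values, Boolean Features arriving as bool or as the
strings "true"/"false", and WEIGHTS, which are my own heuristic.
SAMPLE_RESPONSE is constructed, not captured from a platform.
"""
from __future__ import annotations
from typing import Any

# (read, write, execute, copy_on_write) for each API enum value in the table.
PROTECTION_BITS = {
    "MEMORYPROTECTION_NOACCESS":           (False, False, False, False),
    "MEMORYPROTECTION_READ":               (True,  False, False, False),
    "MEMORYPROTECTION_READ_WRITE":         (True,  True,  False, False),
    "MEMORYPROTECTION_WRITECOPY":          (True,  True,  False, True),
    "MEMORYPROTECTION_EXECUTE":            (False, False, True,  False),
    "MEMORYPROTECTION_READ_EXECUTE":       (True,  False, True,  False),
    "MEMORYPROTECTION_READ_WRITE_EXECUTE": (True,  True,  True,  False),
    "MEMORYPROTECTION_EXECUTE_WRITECOPY":  (True,  True,  True,  True),
}

# Weight of each finding; a module's score is the sum (heuristic, assumed).
WEIGHTS = {"blocklisted": 5, "wx_mapping": 3, "floating_code": 3,
           "writable_pe_header": 2, "malformed_pe_header": 2, "unsigned": 1, "temp_path": 1}


def first_value(element: dict, feature: str) -> Any:
    """First value of a Feature in one result element, or None."""
    values = element.get("simpleValues", {}).get(feature, {}).get("values") or []
    return values[0] if values else None


def is_true(value: Any) -> bool:
    """Boolean Features may arrive as bool or as "true"/"false" strings (assumed)."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def decode_protection(name: Any) -> dict[str, bool | None]:
    """Map a MEMORYPROTECTION_* value to access bits; None bits for UNKNOWN/missing."""
    bits = PROTECTION_BITS.get(name)
    if bits is None:
        return {"read": None, "write": None, "execute": None, "copy_on_write": None}
    return dict(zip(("read", "write", "execute", "copy_on_write"), bits))


def triage_module(element: dict) -> dict[str, Any]:
    """Attach hunt flags and a score to one Module result."""
    alloc = decode_protection(first_value(element, "exeAllocatedProtection"))
    header = decode_protection(first_value(element, "exeHeaderProtection"))
    flags: list[str] = []
    if alloc["write"] and alloc["execute"]:
        flags.append("wx_mapping")            # writable and executable image memory
    if is_true(first_value(element, "isFloating")) or is_true(first_value(element, "notInLoaderDbEvidence")):
        flags.append("floating_code")         # mapped without the Windows loader
    if header["write"]:
        flags.append("writable_pe_header")    # the loader maps PE headers read-only; manual mappers often do not
    if is_true(first_value(element, "exeHeaderMalformed")):
        flags.append("malformed_pe_header")
    if is_true(first_value(element, "unsignedOrUnverifiedFileEvidence")):
        flags.append("unsigned")
    if is_true(first_value(element, "isFileFromTempEvidence")):
        flags.append("temp_path")
    if is_true(first_value(element, "blackListedModuleSuspicion")):
        flags.append("blocklisted")
    return {
        "module": first_value(element, "elementDisplayName"),
        "machine": first_value(element, "ownerMachine"),
        "address": first_value(element, "address"),
        "allocated": alloc, "header": header,
        "flags": flags,
        "score": sum(WEIGHTS[f] for f in flags),
    }


def rank_modules(response: dict) -> list[dict[str, Any]]:
    """Triage every Module in a query response, highest score first."""
    elements = response.get("data", {}).get("resultIdToElementDataMap", {})
    rows = [dict(result_id=rid, **triage_module(el)) for rid, el in elements.items()]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def _sv(**features: Any) -> dict:
    """Build a constructed element in the assumed response layout."""
    return {"simpleValues": {k: {"totalValues": 1, "values": [v]} for k, v in features.items()}}


# Constructed sample: a normally loaded system DLL, a floating RWX blob, a DLL from a temp folder.
SAMPLE_RESPONSE = {"status": "SUCCESS", "data": {"resultIdToElementDataMap": {
    "mod-1": _sv(elementDisplayName="kernel32.dll", ownerMachine="ws-042", address=140703128616960,
                 exeAllocatedProtection="MEMORYPROTECTION_READ_EXECUTE", exeHeaderProtection="MEMORYPROTECTION_READ",
                 isFloating="false", notInLoaderDbEvidence="false", exeHeaderMalformed="false",
                 unsignedOrUnverifiedFileEvidence="false", isFileFromTempEvidence="false", blackListedModuleSuspicion="false"),
    "mod-2": _sv(elementDisplayName="unknown", ownerMachine="ws-042", address=2533274790395904,
                 exeAllocatedProtection="MEMORYPROTECTION_READ_WRITE_EXECUTE", exeHeaderProtection="MEMORYPROTECTION_READ_WRITE_EXECUTE",
                 isFloating="true", notInLoaderDbEvidence="true", exeHeaderMalformed="false",
                 unsignedOrUnverifiedFileEvidence="true", isFileFromTempEvidence="false", blackListedModuleSuspicion="false"),
    "mod-3": _sv(elementDisplayName="helper.dll", ownerMachine="ws-042", address=140703000000000,
                 exeAllocatedProtection="MEMORYPROTECTION_READ_EXECUTE", exeHeaderProtection="MEMORYPROTECTION_READ",
                 isFloating="false", notInLoaderDbEvidence="false", exeHeaderMalformed="false",
                 unsignedOrUnverifiedFileEvidence="true", isFileFromTempEvidence="true", blackListedModuleSuspicion="false"),
}}}

if __name__ == "__main__":
    for row in rank_modules(SAMPLE_RESPONSE):
        print(row["score"], row["module"], row["flags"])
```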

Back to top

Mount Point (EDR)

Use these features to filter for Mount Point Elements:

UI Name

API Name

Type

Description

Active removable device

isActiveRemovableDeviceEvidence

Boolean

Indicates whether there is evidence the mount point is an active removable device.

Device name

deviceName

String

The name of the removable device.

Has Suspicions

hasSuspicions

Boolean

Indicates whether the mount point is associated with any suspicions.

Inactive removable device

isInactiveRemovableDeviceEvidence

Boolean

Indicates whether there is evidence the mount point is an inactive removable device.

Media type

mediaType

Enum

The mount point’s media type. Possible values include

In the UI:

  • CDDrive

  • Image

  • Fixed

  • Invalid

  • NetworkShare

  • Ramdisk

  • Removable

  • Unknown

In the API:

  • CDDrive

  • Image

  • Fixed

  • Invalid

  • NetworkShare

  • Ramdisk

  • Removable

  • Unknown

Mount point name

elementDisplayName

String

The name of the mount point.

Name

name

String

The display identification name of the mount point.

Owner machine

ownerMachine

String

The machine on which the mount point is located.

Removable device

isRemovableDevice

Boolean

Indicates whether the mount point is a removable device.

Unusual removable device

rareRemovableDeviceEvidence

Boolean

Indicates whether there is evidence that the mount point is an unusual removable device.

Volume name

volumeName

String

The volume name identifier assigned to the mount point.

Back to top

MS-RPC (EDR)

Use these Features to filter for MS-RPC Elements:

UI Name

API Name

Type

Description

Authentication Level

authLevelName

Enum

The authentication level used by the remote procedure call operation. Possible values include:

In the UI:

  • Call

  • Connect

  • Default

  • None

  • Pkt

  • Pkt Integrity

  • Pkt Privacy

In the API:

  • MAL_CALL

  • MAL_CONNECT

  • MAL_DEFAULT

  • MAL_NONE

  • MAL_PKT

  • MAL_INTEGRITY

  • MAL_PRIVACY

Authentication Service

aufhServiceName

Enum

The name of the service that provided authentication for the remote procedure call. Possible values include:

In the UI:

  • Kerberos

  • Kernel

  • Negotiate

  • NTLM

  • Other

  • SChannel

In the API:

  • MAS_KERBEROS

  • MAS_KERNEL

  • MAS_NEGOTIATE

  • MAS_NTLM

  • MAS_OTHER

  • MAS_SCHANNEL

Creation timestamp

creationTimestamp

Integer

The time when the remote procedure call operation was initiated.

Msrpc Name

elementDisplayName

String

The name of the remote procedure call.

Endpoint

endoint

String

The target of the remote procedure call. The value of this field depends on the value of the protocolName Feature:

  • If the protocolName Feature value is TCP/MP_TCP or RPC over HTTP/MP_RPC_HTTP, this Feature shows the target TCP port.

  • If the protocolName Feature value is LRPC/MP_LRPC or Named Pipe/MP_NamedPipe, this Feature displays the MS-RPC server endpoint name.

Event counter

eventCounter

Integer

The number of remote procedure call events.

Event source

eventSoruce

Enum

The source of the remote procedure call events. Possible values include:

In the UI:

  • Client

  • Server

  • Unknown

In the API:

  • MSRPC_EVENT_SOURCE_CLIENT

  • MSRPC_EVENT_SOURCE_SERVER

  • MSRPC_EVENT_SOURCE_UNKNOWN

Impersonation level

impersonationLevelName

Enum

The type of impersonation the remote procedure call performs. Possible values include:

In the UI:

  • Anonymous

  • Default

  • Delegate

  • Identity

  • Impersonate

In the API:

  • MIL_ANONYMOUS

  • MIL_DEFAULT

  • MIL_DELEGATE

  • MIL_IDENTITY

  • MIL_IMPERSONATE

Interface Name

interfaceName

String

The name of the interface that initiated the remote procedure call.

Interface UUID

interfaceUUID

String

The unique identifier for the interface that initiated the remote procedure call.

Last seen timestamp

lastSeenTimeStamp

Integer

The last time the Cybereason platform detected the remote procedure call operation.

Network address

networkAddress

IP address

The network address to which the remote procedure call is targeted. The value of this field depends on the value of the protocolName Feature:

  • If the protocolName Feature value is LRPC/MP_LRPC, this Feature has a null value.

  • If the protocolName Feature value is TCP/MP_TCP, RPC over HTTP/MP_RPC_HTTP, or Named Pipe/MP_NamedPipe, this Feature contains the target MS-RPC server address as an IP address or FQDN.

Operation Number

opNum

Integer

The unique operation number for the remote procedure call.

Operation Name

operationName

String

The name for the remote procedure call operation that was requested.

Options

options

String

The options used by the remote procedure call.

Owner machine

ownerMachine

String

The name of the machine on which the remote procedure call was initiated.

Process

process

String

The name of the process that sent the remote procedure call.

Protocol

protocolName

Enum

The protocol used by the remote procedure call. Possible values include:

In the UI:

  • LRPC

  • Named Pipe

  • RPC over HTTP

  • TCP

  • Unknown

In the API:

  • MP_LRPC

  • MP_NamedPipe

  • MP_RPC_HTTP

  • MP_TCP

  • MP_UNKNOWN

Status

statusName

Enum

The status of the remote procedure call operation. Possible values include:

In the UI:

  • Failure

  • No Data

  • Success

In the API:

  • MS_FAILURE

  • MS_NODATA

  • MS_SUCCESS
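The following is an added example, not code from the Cybereason documentation or product. It applies the endpoint and networkAddress rules stated in this table (the endpoint is a TCP port for MP_TCP and MP_RPC_HTTP and an endpoint name for MP_LRPC and MP_NamedPipe; networkAddress is null for MP_LRPC) to normalise MS-RPC results into one target record, then flags remote calls whose authLevelName is below packet integrity or whose authentication service is NTLM. The response layout is an assumption, and the flagging rules are mine: in DCE-RPC, the levels below packet integrity (None, Connect, Call, Pkt) authenticate the binding but leave call payloads unprotected. Feature names are used exactly as this table prints them (endoint, eventSoruce, aufhServiceName); confirm them against your platform version. The sample response is constructed.

```python
"""Normalise MS-RPC Element results and flag weakly authenticated remote calls.

Added example; not code from the Cybereason documentation or product.
The target rules are the ones the MS-RPC table states: endoint is the target
TCP port for MP_TCP and MP_RPC_HTTP and the server endpoint name for MP_LRPC
and MP_NamedPipe; networkAddress is null for MP_LRPC and an IP or FQDN
otherwise. ASSUMPTIONS: the response layout simpleValues[<feature>].values
and the triage rules, which are mine. Feature names are spelled as the table
prints them (endoint, eventSoruce, aufhServiceName). SAMPLE_RESPONSE is
constructed, not captured from a platform.
"""
from __future__ import annotations
from typing import Any

PORT_TRANSPORTS = {"MP_TCP", "MP_RPC_HTTP"}                      # endoint holds a TCP port
NO_INTEGRITY_LEVELS = {"MAL_NONE", "MAL_CONNECT", "MAL_CALL", "MAL_PKT"}


def first_value(element: dict, feature: str) -> Any:
    """First value of a Feature in one result element, or None."""
    values = element.get("simpleValues", {}).get(feature, {}).get("values") or []
    return values[0] if values else None


def rpc_target(protocol: Any, endpoint: Any, address: Any) -> dict[str, Any]:
    """Turn (protocolName, endoint, networkAddress) into one target record."""
    target: dict[str, Any] = {"transport": protocol or "MP_UNKNOWN", "remote": False,
                              "host": None, "port": None, "endpoint": None}
    if protocol in PORT_TRANSPORTS:
        target.update(remote=True, host=address,
                      port=int(endpoint) if endpoint is not None else None)
    elif protocol == "MP_NamedPipe":
        target.update(remote=True, host=address, endpoint=endpoint)
    elif protocol == "MP_LRPC":
        target.update(endpoint=endpoint)       # local only; networkAddress is null here
    else:
        target.update(host=address, endpoint=endpoint)
    return target


def triage_rpc(element: dict) -> dict[str, Any]:
    """Summarise one MS-RPC Element and attach hunt flags."""
    target = rpc_target(first_value(element, "protocolName"),
                        first_value(element, "endoint"),
                        first_value(element, "networkAddress"))
    auth_level = first_value(element, "authLevelName")
    auth_service = first_value(element, "aufhServiceName")
    flags: list[str] = []
    if target["remote"] and auth_level in NO_INTEGRITY_LEVELS:
        flags.append("remote_call_without_packet_integrity")
    if target["remote"] and auth_service == "MAS_NTLM":
        flags.append("ntlm_over_network")      # the transport relay and Pass the Hash tooling rides on
    if first_value(element, "statusName") == "MS_FAILURE":
        flags.append("call_failed")
    return {
        "owner_machine": first_value(element, "ownerMachine"),
        "process": first_value(element, "process"),
        "interface_uuid": first_value(element, "interfaceUUID"),
        "opnum": first_value(element, "opNum"),
        "source": first_value(element, "eventSoruce"),
        "target": target,
        "auth": (auth_service, auth_level, first_value(element, "impersonationLevelName")),
        "flags": flags,
    }


def triage_response(response: dict) -> dict[str, dict[str, Any]]:
    """Triage every MS-RPC Element in a query response, keyed by result id."""
    elements = response.get("data", {}).get("resultIdToElementDataMap", {})
    return {rid: triage_rpc(el) for rid, el in elements.items()}


def _sv(**features: Any) -> dict:
    """Build a constructed element in the assumed response layout."""
    return {"simpleValues": {k: {"totalValues": 1, "values": [v]} for k, v in features.items()}}


# Constructed sample: a TCP call with NTLM at connect level, a local RPC call,
# and a failed named-pipe call with Kerberos and packet privacy.
SAMPLE_RESPONSE = {"status": "SUCCESS", "data": {"resultIdToElementDataMap": {
    "rpc-1": _sv(ownerMachine="ws-042", process="rundll32.exe", protocolName="MP_TCP",
                 endoint="49667", networkAddress="dc01.corp.example", opNum=6,
                 interfaceUUID="12345778-1234-abcd-ef00-0123456789ab",
                 authLevelName="MAL_CONNECT", aufhServiceName="MAS_NTLM",
                 impersonationLevelName="MIL_IMPERSONATE", statusName="MS_SUCCESS",
                 eventSoruce="MSRPC_EVENT_SOURCE_CLIENT"),
    "rpc-2": _sv(ownerMachine="ws-042", process="explorer.exe", protocolName="MP_LRPC",
                 endoint="OLE1A2B3C4D5E6F", opNum=3,
                 interfaceUUID="00000000-0000-0000-0000-000000000000",
                 authLevelName="MAL_DEFAULT", aufhServiceName="MAS_KERNEL",
                 impersonationLevelName="MIL_IDENTITY", statusName="MS_SUCCESS",
                 eventSoruce="MSRPC_EVENT_SOURCE_CLIENT"),
    "rpc-3": _sv(ownerMachine="srv-01", process="services.exe", protocolName="MP_NamedPipe",
                 endoint="\\pipe\\svcctl", networkAddress="10.0.0.7", opNum=12,
                 interfaceUUID="367abb81-9844-35f1-ad32-98f038001003",
                 authLevelName="MAL_PRIVACY", aufhServiceName="MAS_KERBEROS",
                 impersonationLevelName="MIL_IMPERSONATE", statusName="MS_FAILURE",
                 eventSoruce="MSRPC_EVENT_SOURCE_SERVER"),
}}}

if __name__ == "__main__":
    for rid, row in triage_response(SAMPLE_RESPONSE).items():
        print(rid, row["target"], row["flags"])
```

Because endoint changes meaning with the transport, the target record is what to group on when correlating client-side and server-side events (eventSoruce) for the same call: a TCP target is host plus port, a named-pipe target is host plus endpoint name, and an LRPC target never leaves the owner machine.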

Back to top

Network Interface (EDR)

Use these features to filter for Network Interface Elements:

UI Name

API Name

Type

Description

Description

description

String

The description of the network interface.

DHCP server address

dhcpServer

String

The IP address of the DHCP server for this network interface.

DNS server address

dnsServer

String

The IP address of the DNS server for this network interface.

Gateway address

gateway

String

The IP address of the gateway for this network interface.

Hardware address (MAC)

macAddressFormat

String

The network interface’s hardware (MAC) address.

Identifier

id

String

The network interface identifier.

Ip address

IpAddress

String

The IP address of this network interface.

Local networks the network interface is registered on

localNetworks

Array

Collection of local networks on which this network interface is registered.

Name

name

String

The name of the network interface.

Network interface name

elementDisplayName

String

The display name of the network interface.

Owner machine

ownerMachine

String

The machine to which this network interface belongs.

Proxies

proxies

Array

Collection of the proxies associated with this network interface.

Back to top

Network Machine (EDR)

Use these features to filter for Network Machine Elements:

UI Name

API Name

Type

Description

Has suspicions

hasSuspicions

Boolean

Indicates whether or not this network machine is associated with Suspicions.

Machine name

elementDisplayName

String

The name of the network machine as reported by the operating system.

Back to top

Process (EDR)

Use these features to filter for Process Elements:

UI Name

API Name

Type

Description

Abnormal number of RWX sections count by machine

abnormalRwxSectionsCountByMachineEvidence

Boolean

Indicates whether there is evidence the process has an abnormal number of RWX sections per machine.

Abnormal process activity on device

abnormalProcessActivityEvidence

Boolean

Indicates whether there is evidence of any detected abnormal activity.

Abnormal Process Activity Suspicion

abnormalProcessActivitySuspicion

Boolean

Indicates whether abnormal process activity was detected.

Abnormal process invocation using DCOM

abnormalDCOMServerSuspicion

Boolean

Indicates whether there was an abnormal process invocation using DCOM.

Abnormal RWX section count

abnormalRwxSectionsCountEvidence

Boolean

Indicates whether there is evidence the process has an abnormal number of RWX sections.

Abuse of cmstp.exe

uncommonUseOfCmstpSuspicion

Boolean

Indicates whether the cmstp.exe process was abused to execute arbitrary code.

Abuse of cmstp.exe evidence

uncommonUseOfCMSTPEvidence

Boolean

Indicates whether there is evidence the cmstp.exe process loaded the scrobj.dll module.

Access to password store files

passwordsFileAccessByTextEditorEvidence

Boolean

Indicates whether there is evidence the process attempted to access a Linux password store file.

Accessibility feature abuse

accessibilityFeaturePersistenceSuspicion

Boolean

Indicates whether this process is masquerading as one of the Windows accessibility features.

Accessibility feature abuse evidence

accessibilityFeaturePersistenceEvidence

Boolean

Indicates whether there is evidence that this process is masquerading as one of the Windows accessibility features.

Accessibility feature abuse through registry modification

accessibilityFeaturesAbuseByRegistrySuspicion

Boolean

Indicates whether this process modifies the registry to abuse Windows accessibility features.

Accessibility feature abuse through registry modification evidence

accessibilityFeaturesAbuseByRegistryEvidence

Boolean

Indicates whether there is evidence this process modifies the registry to abuse Windows accessibility features.

Accessibility feature binary file swap

accessibilityFeatureBinarySwapSuspicion

Boolean

Indicates whether an Accessibility Feature binary file was swapped for a different executable.

Accessibility feature binary file swap evidence

accessibilityFeatureBinarySwapEvidence

Boolean

Indicates whether there is evidence an accessibility feature binary was swapped for another executable.

Account discovery evidence

accountDiscoveryEvidence

Boolean

Indicates whether there is evidence that the process is involved in an account discovery attempt.

Accounts discovery

accountsDiscoveryEvidence

Boolean

Indicates there is evidence the process is engaged in accounts discovery.

Add firewall rule in command line

commandLineContainsAddFirewallRule

Boolean

Indicates whether the command line of the process includes adding a firewall rule.

Associated file

file

String

The file associated with this process.

Hiding files using Alternate Data Stream

alternativeDataStreamHidingEvidence

Boolean

Indicates whether the process is hiding executable files in an NTFS Alternate Data Stream.

Always-on VPN app set

alwaysOnVpnAppSuspicion

Boolean

Indicates that an app has been configured as an always-on VPN on this device. The app may monitor all communications the device makes to the Internet.

Android device possible tampering suspicion

SafetyNetAttestationBasicIntegrityFalseSuspicion

Boolean

Indicates the Android device has been tampered with. The device is not certified by Google and may additionally have been compromised, for example by rooting.

Anti-Malware detection suspicion

maliciousNGAVDetectionOfPowershellSuspicion

Boolean

Indicates whether this process is classified as malicious or suspicious due to detection by the Cybereason Anti-Malware service.

Anti-Malware suspended

antiVirusSuspendedSuspicion

Boolean

Indicates whether the process is an anti-virus process that is suspended.

Antivirus suspended

suspendedAntiVirusEvidence

Boolean

Indicates whether there is evidence the process is an anti-virus process that is suspended.

App performs privilege elevation on device

processEopEvidence

Boolean

Indicates there is evidence of elevation of privileges on the mobile device by a process, which allows the attacker to take full control of the device.

App set as Always-on VPN

alwaysOnVpnAppEvidence

Boolean

Indicates there is evidence that an app has been configured as an always-on VPN on this device. The app may monitor all communications the device makes to the Internet.

App tampering evidence

appTamperingEvidence

Boolean

Indicates there is evidence that existing application libraries may have been modified or that a foreign library may have been injected.

App tampering suspicion

appTamperingSuspicion

Boolean

Indicates that existing application libraries may have been modified or that a foreign library may have been injected.

Application Control prevented malicious command

maliciousNGAVPreventedOfPowershellSuspicion

Boolean

Indicates whether this process is classified as malicious or suspicious due to prevention by the Cybereason Anti-Malware service.

AppLocker bypass via regsvr32

maliciousUseOfRegsvr32Evidence

Boolean

Indicates whether there is evidence this process used the regsvr32.exe process to bypass AppLocker.

AppLocker bypass via regsvr32

maliciousUseOfRegsvr32Suspicion

Boolean

Indicates whether this process used the regsvr32.exe process to bypass AppLocker.

Architecture

architecture

Enum

The architecture of the machine on which the process is running. Possible values include

In the UI:

  • 32 bit

  • 64 bit

  • Unknown

  • Unknown

  • WOW 64

In the API:

  • x86

  • x64

  • unknown_arch

  • unknown

  • wow64

ARP reconnaissance scan

scanArpEvidence

Boolean

Indicates there is evidence of a reconnaissance scan using the ARP protocol, an indicator of an attacker searching for a device vulnerable to a network attack such as MITM.

ARP scan

scanArpSuspicion

Boolean

Indicates there is a reconnaissance scan using the ARP protocol, an indicator of an attacker searching for a device vulnerable to a network attack such as MITM.

Attempt to stop Cybereason service

stopCybereasonServiceAttemptEvidence

Boolean

Indicates whether there is evidence that the process attempted to stop or disable the Cybereason service.

Attempt to stop Cybereason service

stopCybereasonServiceAttemptSuspicion

Boolean

Indicates whether the process attempted to stop or disable the Cybereason service.

Audit object access

unexpectedAuditObjectAccessEvidence

Boolean

Indicates whether there is evidence the process gained access to the system audit objects where credential information is stored.

Audit object access by loaded module

unexpectedAuditObjectAccessByProcessLoadingPSModuleSuspicion

Boolean

Indicates whether one of the Windows resources that store credential hashes was accessed by a process that loads the PowerShell System.Management.Automation.dll module.

Audit object access by shell process

unexpectedAuditObjectAccessShellSuspicion

Boolean

Indicates whether one of the Windows resources that store credential hashes was accessed by a shell process.

Audit object access by unknown process

unexpectedAuditObjectAccessUnknownSuspicion

Boolean

Indicates whether one of the Windows resources that store credential hashes was accessed by an unknown process.

Audit object access by unsigned and unknown process

unexpectedAuditObjectAccessUnsignedUnknownSuspicion

Boolean

Indicates whether one of the Windows resources that store credential hashes was accessed by an unsigned and unknown process.

Audit object access by unsigned process

unexpectedAuditObjectAccessUnsignedSuspicion

Boolean

Indicates whether one of the Windows resources that store credential hashes was accessed by an unsigned process.

Audit object access NTDS file evidence

unexpectedAuditObjectAccessNtdsFileEvidence

Boolean

Indicates whether there is evidence that the process accessed an audited system resource - NTDS file.

Backup catalog deletion

wbadminDeleteCatalogSuspicion

Boolean

Indicates whether the wbadmin.exe process deleted the backup catalog.

Backup catalog deletion

wbadminDeleteCatalogMalop

Boolean

Indicates the process caused a Malop due to deletion of the backup catalog with the wbadmin.exe utility.

Backup catalog deletion evidence

wbadminDeleteCatalogEvidence

Boolean

Indicates whether there is evidence that the wbadmin.exe process deleted the backup catalog.

Connection to domain on blocklist

connectionToBlackListDomainSuspicion

Boolean

Indicates whether this process was identified creating a DNS query or a direct connection to a domain classified as malicious by the Cybereason threat intelligence service.

Connection to IP address on the blocklist suspicion

connectingToBlackListAddressSuspicion

Boolean

Indicates whether this process was identified connecting to an IP address on the blocklist.

Blocklisted unresolved domain DNS queries

unresolvedQueryFromBlackListDomain

Array

Collection of the unresolved DNS queries associated with this process that accessed a domain on the blocklist.

Captive portal network usage

captivePortalEvidence

Boolean

Indicates there is evidence the device is using Captive Portal networks to route traffic through a single proxy (portal), potentially opening up the traffic to monitoring.

Certutil.exe downloaded file

certutilDownloadEvidence

Boolean

Indicates whether there is evidence the certutil.exe process downloaded a file.

Certutil.exe downloaded suspicious file

certutilDownloadSuspicion

Boolean

Indicates whether the certutil.exe process downloaded a suspicious file.

Client interactions as Pass the Hash

passTheHashClientInteractions

Array

Collection of interactions in which the process participates as the client machine in a Pass the Hash attack.

CMSTPLUA ShellExec method invoked using DCOM

msrpcCMSTPLUAServerEvidence

Boolean

Indicates whether the CMSTPLUA ShellExec method was invoked using DCOM.

COM scriptlet execution with regsvr32

maliciousUseOfRegsvr32ModuleEvidence

Boolean

Indicates whether this process used the regsvr32.exe process to run a COM scriptlet.

Command line

commandLine

String

The command line the process uses.

Command line

clearCommandLine

String

The command line that executed this process.

Command line contains hidden environment variable

obfuscatedCommandLineEnvArgsEvidence

Boolean

Indicates whether there is evidence the command line for the process was obfuscated and contained a hidden environment variable.

Command line contains hidden keywords

obfuscatedCommandLineKeywordEvidence

Boolean

Indicates whether there is evidence the command line for the process is obfuscated and contains hidden keywords.

Command line parameter points to temporary file location

commandLineContainsTempEvidence

Boolean

Indicates whether there is evidence the command line that executed the process contains a parameter pointing to a temporary folder.

Compromised device

systemconfigSystemTamperingEvidence

Boolean

Indicates that there is evidence the device is compromised and cannot be trusted. System tampering is the process of removing security limitations put in place by the device manufacturer; it indicates that the device is fully compromised and can no longer be trusted.

Compromised WiFi network nearby

threatMapNearbyEvidence

Boolean

Indicates that the device is near a WiFi network where malicious attacks have been observed.

Connected to domain on the blocklist

hasConnectionToBlackListDomainEvidence

Boolean

Indicates whether there is evidence the process has a connection to a domain name on the blocklist.

Connected to IP address on blocklist evidence

hasBlackListConnectionEvidence

Boolean

Indicates whether there is evidence the process has a connection to an address on the blocklist.

Connection to blocklisted domain

connectionsToBlackListDomain

Array

Collection of connections associated with this process that connected to a domain on the blocklist.

Blocklisted domain

connectionToBlackListDomainSuspision

Boolean

Indicates whether the process is connected to a domain on the blocklist.

Connection to domain on blocklist evidence

connectionToBlackListDomainEvidence

Boolean

Indicates whether there is evidence the process is connected to a domain on the blocklist.

Connection to external IP discovery service or abuse of legitimate website

ipDiscoverySuspicion

Boolean

Indicates whether the process connected to an external IP discovery service or abused a legitimate website.

Connection to external IP discovery service or abuse of legitimate website evidence

ipDiscoveryEvidence

Boolean

Indicates whether there is evidence the process connected to an external IP discovery service or abused a legitimate website.

Connection to internal address

hasInternalConnectionEvidence

Boolean

Indicates whether there is evidence the process connects to an internal address.

Connection to IP address on the blocklist

connectionToBlackListAddressByAddressRootCause

Boolean

Indicates whether the process connects to an IP address on the blocklist.

Blocklisted IP

connectingToBlackListAddressSuspicion

Boolean

Indicates whether the process connects to an IP address on the blocklist.

Connection to malicious address

connectingToBadReputationAddressSuspicion

Boolean

Indicates whether the process connects to an address with a malicious reputation.

Connection to malicious address

connectionToMaliciousAddressByAddressRootCause

Boolean

Indicates whether the process identified as the root cause connected to an address the Cybereason threat intelligence service classified as malicious.

Connection to malicious address

connectionToMaliciousAddress

Boolean

Indicates whether the process connects to a malicious address.

Connection to malicious address

hasMaliciousConnectionEvidence

Boolean

Indicates whether there is evidence the process has a connection to a malicious address.

Connection to malicious domain

connectionToMaliciousDomainByDomainRootCause

Boolean

Indicates whether the process identified as the root cause connected to a domain the Cybereason threat intelligence service classified as malicious.

Connection to malicious domain

connectionToMaliciousDomain

Boolean

Indicates whether the process connects to a malicious domain.

Connection to malicious domain

hasConnectionToMaliciousDomainEvidence

Boolean

Indicates whether there is evidence the process created a connection to a malicious domain.

Connection to malware address

hasConnectionToMalwareAddressesEvidence

Boolean

Indicates whether there is evidence this process has a connection to an address used by malware.

Connection to malware address

maliciousByAccessingAddressUsedByMalwares

Boolean

Indicates whether the process connects to an address used by malware.

Connection to rogue WiFi

mitmRogueApEvidence

Boolean

Indicates there is evidence the device was connected to a rogue WiFi network. Connection to a rogue access point exposes the device to attack by an unauthorized party seeking access to your network data and/or credentials.

Connection to Tor domain

connectiontoTorDomainEvidence

Boolean

Indicates whether there is evidence the process has connections to a Tor domain.

Connection to TOR domain by non-browser process

connectionToTorDomainSuspicion

Boolean

Indicates whether a non-browser process has connections to a Tor domain.

Connections of host process

connectionsOfHostProcess

String

Collection of the connections performed by the host process of this injected thread.

Connections to Malicious domain

connectionsToMaliciousDomain

Array

Collection of connections associated with this process that connected to a domain classified as malicious by the Cybereason threat intelligence service.

Connections to malware address

connectionsToMalwareAddresses

Array

Collection of connections associated with this process that connected to an address classified as used by malware by the Cybereason threat intelligence service.

Connections

connections

Array

Collection of connections associated with this process.

Contains floating portable executable code

hasPeFloatingCodeEvidence

Boolean

Indicates whether there is evidence the process has PE (Portable Executable) code floating in memory (not attached to a module or file).

Runs hidden code

shellcodeInProcessEvidence

Boolean

Indicates whether there is evidence the process is executing hidden code.

CPU time

cpuTime

Long

The amount of CPU time the process used.

Created children

createdChildren

Array

Collection of child processes the process created.

Created scheduled task as SYSTEM

scheduledTaskAsSystemEvidence

Boolean

Indicates whether there is evidence the process created a scheduled task to execute as SYSTEM.

Created scheduled task on reboot

scheduledTaskRebootPersistenceEvidence

Boolean

Indicates whether there is evidence the process created a scheduled task to execute on reboot.

Creation of new service

newServiceSuspicion

Boolean

Indicates whether the process created a new service.

Creation of new LaunchAgents persistence file

plistBuddyCreatesLaunchAgentsFileEvidence

Boolean

Indicates whether the PlistBuddy process created a new file in one of the LaunchAgents persistence paths.

Credential repository access from shadow copy

credentialsViaShadowCopyAccessSuspicion

Boolean

Indicates whether the process accessed a sensitive credentials repository via a shadow copy volume.

Critical process running injected code

injectionToProtectedProcessSuspicion

Boolean

Indicates whether the process is critical and is running code injected into it by another process.

Daemon anomaly activity detected

daemonAnomalyEvidence

Boolean

Indicates whether there is evidence of abnormal system process (daemon) activity, which could indicate that the device has been exploited.

Decoded command line

decodedCommandLine

String

The command line with the clear-text version of an encoded command.

Detected by PowerShell Protection

ngavPowershellDetectionEvidence

Boolean

Indicates whether there is evidence that this process was detected by PowerShell Protection.

Detected injecting process

detectedInjectingEvidence

Boolean

Indicates whether there is evidence the process is injecting malicious code into another process.

Device configurations that may put corporate and personal data at risk

untrustedProfileByDomainSuspicion

Boolean

Indicates that configurations on the device put the device at risk.

Device connected to threat map

threatMapConnectedSuspicion

Boolean

Indicates that the device has connected to a WiFi network where malicious attacks have been observed.

Device jailbroken/rooted suspicion

jailbrokenSuspicion

Boolean

Indicates that this device may be jailbroken. Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can open security holes that may not have been readily apparent, or undermine the device's built-in security measures.

DGA communication with C&C server

maliciousByDgaDetection

Boolean

Indicates whether the process is using a Domain Generation Algorithm to communicate with its Command & Control server.

DNS query from suspicious domain

hasDnsQueryFromSuspiciousDomainEvidence

Boolean

Indicates whether there is evidence the process created an A-type DNS request (domain to IP) involving a malicious domain.

DNS query or connection to domain on blocklist

connectionToBlackListDomainByDomainRootCause

Boolean

Indicates whether the process connects to a domain on the blocklist.

DNS query or connection to malicious domain

connectionToMaliciousDomainSuspicion

Boolean

Indicates whether the process connects to a malicious domain.

DNS query to suspicious domain

hasDnsQueryToSuspiciousDomainEvidence

Boolean

Indicates whether there is evidence the process created a PTR-type DNS request (IP to domain) involving a malicious domain.

DNS request from domain on blocklist

hasDnsQueryFromBlackListDomainEvidence

Boolean

Indicates whether there is evidence the process received a DNS request from a domain on the blocklist.

DNS request to domain on blocklist

hasDnsQueryToBlackListDomainEvidence

Boolean

Indicates whether there is evidence the process sent a DNS request to a domain on the blocklist.

DNS request to IP address on the blocklist

hasBlackListDnsQueryDomainToDomainEvidence

Boolean

Indicates whether there is evidence the process connects to an IP address on the blocklist.

Domain trust relationship reconnaissance

domainTrustRelationshipReconSuspicion

Boolean

Indicates whether the process performed domain trust relationship reconnaissance activities.

Domain-to-domain DNS query to suspicious domain

hasSuspiciousDnsQueryDomainToDomainEvidence

Boolean

Indicates whether there is evidence the process created a CNAME-type DNS request (domain to domain) and the Cybereason threat intelligence service identified one of the domains as malicious.

Downloaded from Internet

isDownloadedFromInternet

Boolean

Indicates whether the process was downloaded from the Internet.

Dumped LSASS process memory

memoryDumpLsassSuspicion

Boolean

Indicates whether the process performed a memory dump of the LSASS process.

Dumped LSASS process memory evidence

memoryDumpLsassEvidence

Boolean

Indicates whether there is evidence the process performed a memory dump of the LSASS process.

Elevated privileges command execution

PrivilegeEscalationUsingSudoCommandEvidence

Boolean

Indicates whether there is evidence the process attempted to execute commands with elevated privileges.

Elevated privilege level for child process

elevatingPrivilegesToChildEvidence

Boolean

Indicates whether there is evidence the process elevates the privileges of its child process.

Elevation of Privileges suspicion

processEopSuspicion

Boolean

Indicates there is an elevation of privileges on the mobile device by a process, which allows the attacker to take full control of the device.

Event log deletion

logDeletionSuspicion

Boolean

Indicates whether this process deleted logs from the machine.

Event log deletion evidence

logDeletionEvidence

Boolean

Indicates whether there is evidence this process deleted logs from the machine.

Executable image file hash

imageExecutableHash

String

The hash value of the executable image file.

Executed file on allowlist

fileWhiteListEvidence

Boolean

Indicates whether there is evidence the process is executing a file on the allowlist.

Executed file on blocklist

fileBlackListEvidence

Boolean

Indicates whether there is evidence the process is executing a file on the blocklist.

Executed malicious script from unexpected origin

maliciousScriptExecutionEvidence

Boolean

Indicates whether there is evidence the Cybereason platform detected the process executing a potentially malicious script from an unexpected origin.

Executes known hacker tool

hasChildKnownHackerToolEvidence

Boolean

Indicates whether there is evidence the process executes a known hacker tool.

Executing process

execedBy

String

The name of the process executing this process.

Execution of fileless malware

filelessMalware

Boolean

Indicates whether the process executes fileless malware.

Execution of fileless malware suspicion

filelessMalwareSuspicion

Boolean

Indicates whether the process ran fileless malware.

explorer.exe connected to IP discovery service

explorerIPDiscoverySuspicion

Boolean

Indicates whether the explorer.exe process performed IP discovery activities.

Extension type

imageFileExtensionType

Enum

The image file extension type for this process. Possible values include:

In the UI:

  • Application

  • Application Data

  • Archive

  • Audio File

  • Certificate

  • Compressed Archive

  • Configuration File

  • Database

  • Developer File

  • Disk Image

  • Document

  • Executable

  • Image

  • Installer

  • Mail File

  • None

  • Personal Data

  • Plugin

  • Script File

  • System File

  • Text File

  • Video File

  • Web Document

  • Web Executable

  • Windows System File

In the API:

  • APPLICATION

  • APPLICATION_DATA

  • ARCHIVE

  • DOCUMENT_AUDIO

  • CERTIFICATE

  • APPLICATION_CONFIG

  • ARCHIVE_COMPRESSED

  • DATABASE

  • DOCUMENT_DEVELOPER

  • ARCHIVE_DISKIMAGE

  • DOCUMENT

  • EXECUTABLE

  • DOCUMENT_IMAGE

  • DOCUMENT_MAIL

  • EXECUTABLE_INSTALLER

  • NONE

  • DOCUMENT_PERSONALINFORMATION

  • EXECUTABLE_PLUGIN

  • EXECUTABLE_SCRIPT

  • SYSTEM

  • DOCUMENT_TEXT

  • DOCUMENT_VIDEO

  • DOCUMENT_WEB

  • EXECUTABLE_WEB

  • EXECUTABLE_WINDOWS

  • SYSTEM_WINDOWS

External connection to well-known port

hasExternalConnectionToWellKnownPortEvidence

Boolean

Indicates whether there is evidence the process has at least one external connection using a well-known port (less than 1024).

Failed to access file

failedToAccess

Boolean

Indicates whether Cybereason was able to access the process image file.

Fake unsigned module

fakeModuleUnsignedEvidence

Boolean

Indicates whether there is evidence the process loaded a fake module that has the same name as another loaded module but is not signed.

File and directory enumeration

fileDirectoryDiscoverySuspicion

Boolean

Indicates whether the process performed activities to learn more about files and directories on a machine.

File size mismatch

multipleSizeForHashEvidence

Boolean

Indicates whether there is evidence that multiple files have the same name but different sizes.

Firewall hole punching

maliciousFirewallHolePunching

Boolean

Indicates whether the process maliciously modifies the machine firewall configuration.

First execution of downloaded process

firstExecutionOfDownloadedProcessEvidence

Boolean

Indicates whether there is evidence the process image file was downloaded from the Internet and this instance is the first execution of the process.

Floating code

shellcodeProcess

Boolean

Indicates that the process is running floating code.

fsutil.exe deleted Update Sequence Number journal change evidence

fsutilDeleteJournalEvidence

Boolean

Indicates whether there is evidence the fsutil.exe process deleted the Update Sequence Number journal changes made by the process, to mask process activities.

ftp.exe descendant of suspicious process

ftpDescendantofSuspiciousProcessEvidence

Boolean

Indicates whether this ftp.exe process is a child process of another suspicious process.

ftp.exe transmitted data and is child of suspicious process

potentiallyMaliciousFtpSuspicion

Boolean

Indicates whether there is evidence of the process trying to perform password policy discovery.

Group Context Modification Evidence

LinuxGroupContextModificationEvidence

Boolean

Indicates whether there is evidence a process attempted to set a file's group access rights.

Hacking tool with unusual parent

hackingToolOfNonToolRunnerSuspicion

Boolean

Indicates whether a hacking tool was executed by a process that should not execute hacking tools.

Hacking tool with unusual parent evidence

hackingToolOfNonToolRunnerEvidence

Boolean

Indicates whether there is evidence the hacking tool was executed by a process that should not execute hacking tools.

Has a rare known hacker tool child process

hasRareChildProcessKnownHackerToolEvidence

Boolean

Indicates whether there is evidence the process has a rare child process which is a known hacker tool.

Has automatic execution

hasAutomaticExecutionEvidence

Boolean

Indicates whether there is evidence the process has an automatic execution associated with the process.

Has blocked modules

hasBlockedModules

Boolean

Indicates whether the process tried to load blocked modules.

Has children

hasChildren

Boolean

Indicates whether the process has child processes.

Has classification

hasClassification

Boolean

Indicates whether the process has a well known classification.

Has external connection

hasExternalConnection

Boolean

Indicates whether the process has an external connection.

Has incoming connections

hasIncomingConnection

Boolean

Indicates whether the process has incoming connections.

Has injected children

hasInjectedChildren

Boolean

Indicates whether the process has any injected child processes.

Has Injected thread from process with lower privileges

injectedThreadPrivilegeEscalationEvidence

Boolean

Indicates whether there is evidence the process is an injected thread where the injecting process has lower privileges than the host process.

Has internal connection

hasInternalConnection

Boolean

Indicates whether the process has an internal connection.

Has malicious connections

hasMaliciousReputationConnections

Boolean

Indicates whether the process has connections to known malicious addresses.

Has Malops

hasMalops

Boolean

Indicates whether the process is associated with any Malops.

Has opened socket

hasListeningConnection

Boolean

Indicates whether the process has an opened listening socket.

Has outgoing connections

hasOutgoingConnection

Boolean

Indicates whether the process has outgoing connections.

Has registry entry

hasAutorun

Boolean

Indicates whether the process is associated with a registry entry.

Has Suspicions

hasSuspicions

Boolean

Indicates whether the process is associated with any suspicions.

Has suspicious external connection

hasSuspiciousExternalConnectionEvidence

Boolean

Indicates whether there is evidence the process has an external connection that is marked as suspicious.

Has suspicious internal connection

hasSuspiciousInternalConnectionEvidence

Boolean

Indicates whether there is evidence the process has an internal connection that is marked as suspicious.

Has threads with injected code

hostingInjectedThreadEvidence

Boolean

Indicates whether there is evidence the process contains threads that execute code injected into memory by another process.

Has unresolved DNS queries

hasUnresolvedDnsQueriesFromDomain

Boolean

Indicates whether the process has unresolved DNS queries.

Has visible windows

hasVisibleWindows

Boolean

Indicates whether the process has visible windows.

Has windows

hasWindows

Boolean

Indicates whether the process has open windows on the machine.

Hash with multiple names

multipleNameForHashEvidence

Boolean

Indicates whether there is evidence the Cybereason platform found multiple file names for the same hash signature.

Hidden by a rootkit

rootkitProcessHide

Boolean

Indicates whether the process is hidden by a rootkit.

Hidden PowerShell payload

ObfuscatedPowershellSuspicion

Boolean

Indicates whether this PowerShell payload has been obfuscated.

Hidden PowerShell payload evidence

ObfuscatedPowershellEvidence

Boolean

Indicates whether there is evidence that this PowerShell payload has been obfuscated.

Hidden process

covertProcessDecisionFeature

Boolean

Indicates whether this process was detected to be attempting to hide itself or its assets.

Hidden process

covertProcessSuspicion

Boolean

Indicates whether a hidden process was detected.

Hiding files using Alternate Data Stream

alternativeDataStreamHidingEvidence

Boolean

Indicates whether the process is hiding executable files with an Alternate Data Stream.

High data volume transfer and running injected code

highDataVolumeTransmittedByInjectedProcess

Boolean

Indicates whether the process transmits a high volume of data while it is running injected code.

High data volume transfer to malicious address

highDataVolumeTransmittedToMaliciousAddressSuspicion

Boolean

Indicates whether the process transmitted a high data volume to an address marked as malicious.

High data volume transfer to suspicious address

highDataTransmittedSuspicion

Boolean

Indicates whether the process is transferring a high volume of data to a specific address.

High data volume transfer with unrecognized process

highDataVolumeTransmittedByUnknownProcess

Boolean

Indicates whether the process transmits a high volume of data while it is not recognized as a legitimate program for such behavior.

High internal outgoing embryonic connection rate

highInternalOutgoingEmbryonicConnectionRateEvidence

Boolean

Indicates whether there is evidence that more than 25% of the internal connections the process creates do not receive a response (embryonic).

High IP scanning rate

highIpScanRateEvidence

Boolean

Indicates whether there is evidence the process is performing a high rate of IP address scanning.

High number of internal outgoing embryonic connections

absoluteHighNumberOfInternalOutgoingEmbryonicConnectionsEvidence

Boolean

Indicates whether there is evidence that the process creates internal connections which do not receive a response (embryonic).

High unresolved-to-resolved DNS query ratio

highUnresolvedToResolvedRateEvidence

Boolean

Indicates whether there is evidence the process has DNS queries with a high unresolved to resolved ratio.

High volume of transmitted data

maliciousByHighVolumeDataTransmittedByUnknownProcess

Boolean

Indicates whether the process transmits high volumes of data while it is not recognized by the Cybereason threat intelligence service as a legitimate program for such behavior.

Host process and injection process user mismatch

injectedThreadDifferentUserForInjectingAndHostEvidence

Boolean

Indicates whether there is evidence the user of the injecting process is different from the user of the host process.

Hosting injected thread

hostingInjectedThreadSuspicion

Boolean

Indicates whether the process contains threads that execute code injected into memory by another process.

Icon

icon44

Long

The icon of the process image file.

Identified as known malware

knownMalwareSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified the process as malware.

Identified as LaZagne reconnaissance tool

laZagneReconToolEvidence

Boolean

Indicates whether there is evidence that this process is using the LaZagne recon tool.

Identified as Potentially Unwanted Program (PUP)

knownUnwantedSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified the process as a Potentially Unwanted Program (PUP).

Identified as ransomware

knownRansomwareSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified the process as ransomware.

Image file broken link in chain of trust

signatureVerificationStatusBadChainOfTrustEvidence

Boolean

Indicates whether there is evidence the file associated with the process had one of the following issues during the chain of trust verification: chain of trust could not be established to a root certificate, chain of trust was built to a root certificate which is not known or recognized as trusted on the local machine, broken chain of trust.

Image file classified as malicious tool module

maliciousToolModuleEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the module associated with the process as a malicious tool.

Image file downloaded from Internet

isDownloadedFromInternetEvidence

Boolean

Indicates whether there is evidence the process image file was downloaded from the Internet.

Image file expired signature

signatureVerificationStatusExpiredEvidence

Boolean

Indicates whether there is evidence that any of the process image file signing certificates in the chain of trust has expired.

Image file hash

imageFileHash

String

The hash of the file associated with the process.

Image file is malware

malwareEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as malware.

Image file mismatched signature

signatureVerificationStatusHashMismatchEvidence

Boolean

Indicates whether there is evidence the process image file's signed hash does not match the file contents.

Image file misused signature

signatureVerificationStatusMisuseEvidence

Boolean

Indicates whether there is evidence the process image file certificate was misused.

Image file path

imageFilePath

String

The path to the process image file.

Image file suspicious signature

suspiciousSignedUnverifiedFileSuspicion

Boolean

Indicates whether the process image file has a suspicious signature.

Image file unknown root certificate

signatureVerificationStatusUnrecognizedRootEvidence

Boolean

Indicates whether there is evidence the process image file verified chain of trust has an unknown root certificate.

Image file unsigned

signatureVerificationStatusNotSignedEvidence

Boolean

Indicates whether there is evidence the process image file is not signed.

Image file unverified signature by technical failure

signatureVerificationStatusTechnicalFailureEvidence

Boolean

Indicates whether there is evidence a technical failure prohibited the completion of the process image file verification process.

Image file user distrust

signatureVerificationStatusUserDistrustEvidence

Boolean

Indicates whether there is evidence the user distrusted the process image file certificate during an interactive session.

Image file verified

isImageFileVerified

Boolean

Indicates whether the signature for the process image file is verified.

Infected process connection to known malware address

accessToMalwareAddressInfectedProcess

Boolean

Indicates whether the process is benign and connects to an address being used by malware.

Injected code into protected process

detectedInjectingToProtectedProcessEvidence

Boolean

Indicates whether there is evidence the process is injecting code into a protected process.

Injected PowerShell process

injectedPowershellProcessEvidence

Boolean

Indicates whether there is evidence the process is a PowerShell process and was detected as receiving injected code.

Injected shellcode

shellInjectionSuspicion

Boolean

Indicates whether the process is running code injected to the process by a shell process.

Injected shellcode

shellcodeInjectionSuspicion

Boolean

Indicates whether a remote process injected shellcode into the victim process.

Injected shellcode evidence

shellcodeInjectorEvidence

Boolean

Indicates whether there is evidence that a remote process injected shellcode into the victim process.

Injection detected via event monitoring

processInjectionAnonRwxByEtwEvidence

Boolean

Indicates whether there is evidence that process injection was detected via event monitoring.

Injection method

injectionMethod

Enum

The manner of injection for the process. Possible values include:

In the UI:

  • Anonymous RWX

  • Anonymous RWX (Legacy)

  • Anonymous memory mapping

  • Exploit

  • Load Library

  • Meterpreter Migrate

  • Process memory dump

  • Protected process

  • Shellcode

  • Unknown method

In the API:

  • NEW_ANON_RWX

  • ANON_RWX

  • UNMAPPED_MEMORY_SECTION

  • SHELLCODE_EXPLOIT

  • LOAD_LIBRARY

  • SHELLCODE_MIGRATE

  • PROCESS_MEMORY_DUMP

  • PROTECTED_PROCESS

  • SHELLCODE_STAGER

  • UNKNOWN_TECHNIQUE

Injection to protected process

injectingToProtectedProcessSuspicion

Boolean

Indicates whether the process was identified as injecting malicious code into a protected process.

Injector not shell runner

isInjectorNotShellRunner

Boolean

Indicates whether the process is an injected thread that was executed by a process not known to run shell processes.

Injector signed by Microsoft

isInjectorSignedByMicrosoft

Boolean

Indicates whether the process is running an injected thread that was executed by a process signed by Microsoft.

Installer

isInstaller

Boolean

Indicates whether the process is an installer process for an application.

Installer

isInstallerEvidence

Boolean

Indicates whether there is evidence that this process is an installer.

Internal connections

internalConnections

Array

Collection of internal connections associated with this process.

Internal Network Access

internalNetworkAccessSuspicion

Boolean

Indicates there is an app connecting to private, internal servers. It is uncommon for public applications to connect to internal servers. Public applications connecting to internal servers is considered suspicious behavior and should be investigated immediately for the possible threat of malware installed on the device and the risk of data leakage.

IP reconnaissance scan

scanIpSuspicion

Boolean

Indicates there is a reconnaissance scan using the IP protocol, an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM.

IP reconnaissance scan

scanningProcessSuspicion

Boolean

Indicates whether the process creates embryonic connections that characterize scanning activity.

IP reconnaissance scan

scanTcpEvidence

Boolean

Indicates there is evidence of a reconnaissance scan using the TCP protocol, an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM.

IP scan evidence

scanIpEvidence

Boolean

Indicates there is evidence of a reconnaissance scan using the IP protocol, an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM.

IP scanned rate 10 seconds

ipScannedRate10Seconds

Integer

The maximum number of IPs scanned by the process in the span of 10 seconds.

IP scanned rate 30 seconds

ipScannedRate30Seconds

Integer

The maximum number of IPs scanned by the process in the span of 30 seconds.

IP scanned rate 60 seconds

ipScannedRate60Seconds

Integer

The maximum number of IPs scanned by the process in the span of 60 seconds.

Is aggregated process

isAggregate

Boolean

Indicates whether the process represents multiple short-lived, frequently running processes.

Is Apple system process

isAppleSystemProcess

Boolean

Indicates whether the process is signed by Apple and is running with local system user privileges.

Is chain of injections

isChainOfInjections

Boolean

Indicates whether the process that injected this thread itself contains injected code.

Is encoded commandline

isEncodedCommandLine

Boolean

Indicates whether the command line contains encoded text.

Is hidden process

isHidden

Boolean

Indicates whether the process was hidden from the task list.

Is hosting injected thread

isHostingInjectedThread

Boolean

Indicates whether another process injected code into the process.

Is identified product

isIdentifiedProduct

Boolean

Indicates whether the process has a known product category.

Is injected

isInjectedProcess

Boolean

Indicates whether another process injected code into the process.

Is injecting

isInjectingProcess

Boolean

Indicates whether the process is currently injecting code into another process.

Is injector shell

isInjectorShell

Boolean

Indicates whether the process is running an injected thread and was injected by a shell process.

Is live process

isLiveProcess

Boolean

Indicates whether the process is currently running.

Is Microsoft system process

isMicrosoftSystemProcess

Boolean

Indicates whether the process is signed by Microsoft and is running as a local system user.

Is minion host

isMinionhost

Boolean

Indicates whether the process is the Cybereason MinionHost process (part of Cybereason sensor running on the endpoint).

Is operating system process

isOperatingSystemProcess

Boolean

Indicates whether the process is signed by the operating system and is running with local system user privileges.

Is process debugged

isProcessDebugged

Boolean

Indicates whether there is a debugger attached to the process.

Is scheduled task

isScheduledTask

Boolean

Indicates whether the process is a scheduled task.

Is shell process

isShellProcess

Boolean

Indicates whether the process is a known shell program such as cmd, cscript, PowerShell, and so forth.

Is Shinobot RAT

shinobotEvidence

Boolean

Indicates whether there is evidence the process is using the ShinoBOT RAT.

Is suspended

isSuspended

Boolean

Indicates whether the process is currently suspended.

Jailbroken or rooted device

jailbrokenEvidence

Boolean

Indicates there is evidence that this device may be jailbroken. Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may not have been readily apparent, or undermine the device's built-in security measures.

Java-based RAT malware

jscriptRATMalop

Boolean

Indicates whether this process is exhibiting Java-based RAT (Remote Access Trojan) behaviors.

Large data transfer to malicious address

hasAbsoluteHighVolumeExternalOutgoingConnectionEvidence

Boolean

Indicates whether there is evidence the process has a connection that transferred high volumes of data to an external address.

Large data transfer to or from malicious address

hasAbsoluteHighVolumeConnectionToMaliciousAddressEvidence

Boolean

Indicates whether there is evidence the process has a connection that transferred high volumes of data to or from a malicious address.

Large number of error code 9003 responses

manyUnresolvedRecordNotExistsEvidence

Boolean

Indicates whether there is evidence the process has more than 100 unresolved DNS queries with a Record-Not-Exists error code (9003).

Large number of external connections

highNumberOfExternalConnectionsSuspicion

Boolean

Indicates whether the process creates a significantly high number of external connections.

Large number of external connections evidence

highNumberOfExternalConnectionsEvidence

Boolean

Indicates whether there is evidence the process has a high number of external connections.

Large number of internal connections

highNumberOfInternalConnectionsSuspicion

Boolean

Indicates whether the process creates a significantly high number of internal connections.

Large number of internal connections evidence

absoluteHighNumberOfInternalConnectionsEvidence

Boolean

Indicates whether there is evidence the process creates a significantly high number of internal connections.

Last minute instances

lastMinuteNumOfInstances

Long

The number of short-lived, frequently running processes started in the last minute that are associated with this process.

Linux Remote System Discovery

LinuxRemoteSystemDiscoveryEvidence

Boolean

Indicates there is evidence the process executed a tool used for remote system discovery.

Loaded a module for ransomware

maliciousByRansomwareModule

Boolean

Indicates whether the process loaded a module classified as known ransomware by the Cybereason threat intelligence service.

Loaded a module with rare registry entry

hasRareModuleAutorunEvidence

Boolean

Indicates whether there is evidence the process is associated with rare module registry entries.

Loaded Cobalt Strike in memory

maliciousCobaltAgent

Boolean

Indicates whether this process loaded the Cobalt Strike agent into memory on a machine.

Loaded executable on the blocklist

reflectivelyLoadedMaliciousPESuspicion

Boolean

Indicates whether the process loaded a malicious module in memory.

Loaded executable on the blocklist evidence

reflectivelyLoadedMaliciousPEEvidence

Boolean

Indicates whether there is evidence the process loaded a suspicious module in memory.

Loaded fake OWA Auth module

fakeOwaAuthSuspicion

Boolean

Indicates whether the process loaded a module that was identified as a fake OWA Auth module.

Loaded fake OWA Auth module evidence

fakeOwaAuthEvidence

Boolean

Indicates whether there is evidence the process loaded a module that was identified as a fake OWA Auth module.

Loaded Meterpreter in memory

maliciousMeterpreterAgent

Boolean

Indicates whether this process loaded the Meterpreter agent into memory on a machine.

Loaded Mimikatz in memory

maliciousMimikatzAgent

Boolean

Indicates whether this process loaded the Mimikatz agent into memory on a machine.

Loaded Mimikatz resources

mimikatzResourceEvidence

Boolean

Indicates whether the Cybereason platform identified evidence of Mimikatz resources.

Loaded module classified as a malicious tool

maliciousToolModuleSuspicion

Boolean

Indicates whether a process module was classified as a malicious tool by the Cybereason threat intelligence service.

Loaded module for malicious tool

maliciousByMaliciousToolModule

Boolean

Indicates whether the process loaded a module classified as a malicious tool by the Cybereason threat intelligence service.

Loaded module for malware

maliciousByMalwareModule

Boolean

Indicates whether the process loaded a module classified as known malware by the Cybereason threat intelligence service.

Loaded module for Potentially Unwanted Program (PUP)

maliciousByUnwantedModule

Boolean

Indicates whether the process loaded a module classified as a Potentially Unwanted Program (PUP) by the Cybereason threat intelligence service.

Loaded module on blocklist

maliciousByBlackListModule

Boolean

Indicates whether the process loaded a module on the blocklist.

Loaded PeddleCheap in memory

maliciousPeddleCheapAgent

Boolean

Indicates whether this process loaded the PeddleCheap agent in memory on a machine.

Loaded PowerShell Empire in memory

maliciousEmpireAgent

Boolean

Indicates whether this process loaded the Empire agent into memory on a machine.

Loaded suspicious unknown DLL

dllSeachOrderEvidence

Boolean

Indicates there is evidence that the process loaded a suspicious and unknown DLL file.

Local account creation

localLinuxAccountCreationEvidence

Boolean

Indicates whether there is evidence the process attempted to create an account on a Linux machine.

Local terminal service status query evidence

remoteDesktopRegistryReconEvidence

Boolean

Indicates whether there is evidence this process is querying the local terminal service status.

Logon script registration

logonScriptSuspicion

Boolean

Indicates whether this process registered a logon script on the machine.

Logon script registration evidence

logonScriptEvidence

Boolean

Indicates whether there is evidence the process registered a logon script on the machine.

Low TTL DNS query

hasLowTtlDnsQueryEvidence

Boolean

Indicates whether there is evidence the process has at least one DNS query with a low time-to-live (TTL).

LSASS audit object access

unexpectedAuditObjectAccessLsassSuspicion

Boolean

Indicates whether the process accessed an audited system resource.

LSASS audit object access evidence

unexpectedAuditObjectAccessLsassEvidence

Boolean

Indicates whether there is evidence that the process accessed an audited system resource.

LSASS virtual memory read

lsassVMReadEvidence

Boolean

Indicates whether there is evidence this process performed a read operation on the LSASS process's virtual memory.

LSASS virtual memory write

lsassVMWriteEvidence

Boolean

Indicates whether there is evidence this process performed a write operation on the LSASS process's virtual memory.

Malicious activity by PowerShell process

maliciousExecutionOfPowerShell

Boolean

Indicates whether the PowerShell process was executed with malicious parameters.

Malicious application suspicion

appMaliciousSuspicion

Boolean

Indicates a malicious app may have been detected on a device.

Malicious by floating code

maliciousByFloatingCode

Boolean

Indicates whether the Cybereason platform identified the process as malicious due to suspicious PE (Portable Executable) code floating in memory (not attached to a module or file).

Malicious by hash

isMaliciousByHashEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as malicious.

Malicious by obscured extension

maliciousByDualExtension

Boolean

Indicates whether the process was determined to be malicious because it obscures the real file extension by using multiple file extensions.

Malicious by opening malicious file

maliciousByOpeningMaliciousFile

Boolean

Indicates whether the Cybereason platform classified this process as malicious because it opened a malicious file.

Malicious code injection

maliciousByCodeInjection

Boolean

Indicates whether the process was classified as malicious through detection of instances of malicious code injection.

Malicious code injection into a process

maliciousInjectingCodeSuspicion

Boolean

Indicates whether the process was identified as injecting malicious code into another process.

Malicious execution by PsExec

executedByPsexecSuspicion

Boolean

Indicates whether the PsExec service executed the process maliciously.

Malicious execution of shell process

maliciousExecutionOfShellProcess

Boolean

Indicates whether the process is a shell process that was executed in a non-standard way and might be used for malicious operations.

Malicious execution with elevated privileges

maliciousPrivilegeEscalation

Boolean

Indicates whether the process was maliciously executed with escalated privileges.

Malicious fake module

maliciousFakeModuleLoaded

Boolean

Indicates whether the process loaded a malicious fake module.

Malicious file execution attempt

processExecutionPreventedByNGAVSuspicion

Boolean

Indicates whether the process attempted to execute a malicious file and process execution was prevented by Cybereason.

Malicious file execution attempt evidence

processExecutionPreventedByNGAVEvidence

Boolean

Indicates whether there is evidence this process attempted to execute a malicious file and process execution was blocked by the Cybereason platform.

Malicious file execution prevention

processExecutionPreventedSuspicion

Boolean

Indicates whether the Cybereason platform prevented process execution.

Malicious file execution prevention evidence

processExecutionPreventedEvidence

Boolean

Indicates whether there is evidence the Cybereason platform prevented process execution

Malicious injected code from injected thread host

maliciousInjectionByProcessHostingInjectedCode

Boolean

Indicates whether Cybereason identified malicious injected code originating from a process hosting an injected thread

Malicious PowerShell process uses suspicious parameters

maliciousUseOfPowershellSuspicion

Boolean

Indicates whether there is a suspicion the PowerShell process was executed with malicious parameters

Malicious process

isMaliciousEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as malicious

Malicious remote execution

maliciousUseOfPsexec

Boolean

Indicates whether the process was maliciously executed from a remote machine

Malicious resolved domains

maliciousDomainsDnsIpToDomain

Array

Collection of resolved domains in DNS requests that are classified as malicious

Malicious script from unexpected origin

maliciousScriptExecutionSuspicion

Boolean

Indicates whether the Cybereason platform found the process executing a potentially malicious script from an unexpected origin

Malicious system volume information execution path or name

maliciousProcessByPath

Boolean

Indicates whether the process has a system volume information execution path or name classified as malicious

Malicious tool

knownMaliciousToolSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified the process as a malicious tool

Malicious tool classification by hash

maliciousToolByHashReputation

Boolean

Indicates whether the Cybereason threat intelligence service classified the process image file as a malicious tool by file hash.

Malicious tool loaded in memory

maliciousGenericAgent

Boolean

Indicates whether this process loaded a malicious tool into memory on a machine

Malicious use of operating system process for persistence

maliciousUseOfWinOSProcessSuspicion

Boolean

Indicates whether this process used an operating system process for malicious purposes to achieve persistence on a machine

Malicious use of operating system process for persistence evidence

maliciousUseOfWinOSProcessEvidence

Boolean

Indicates whether there is evidence this process used an operating system process for malicious purposes to achieve persistence on a machine

Malicious web shell

maliciousWebShellExecution

Boolean

Indicates that this process ran a web shell for malicious purposes

Malware module indications

malwareModuleSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified a process module as malware.

Malware that aggressively displays ads, negatively affecting user productivity and device performance

maliciousPupAppEvidence

Boolean

Indicates there is evidence of malware that displays ads which negatively affect user productivity and device performance.

Malware that aggressively displays ads, negatively affecting user productivity and device performance

maliciousPupAppSuspicion

Boolean

Indicates there is malware that displays ads which negatively affect user productivity and device performance.

Malware that attempts to obtain escalated system privileges

privEscAppMaliciousSuspicion

Boolean

Indicates there is malware that attempts to obtain escalated system privileges

Malware that blocks access to a device until a ransom is paid

maliciousRansomwareAppSuspicion

Boolean

Indicates there is malware that blocks the access to a device until a ransom is paid

Malware that causes SMS related charges

maliciousSMSAppEvidence

Boolean

Indicates there is evidence of malware that causes SMS-related charges.

Malware that causes SMS related charges

maliciousSMSAppSuspicion

Boolean

Indicates there is malware that causes SMS-related charges.

Malware that is monitoring and collecting information about a user and the device

maliciousSpywareAppEvidence

Boolean

Indicates there is evidence of malware, such as spyware, that monitors and collects information about a user and the device.

Malware that is monitoring and collecting information about a user and the device

maliciousSpywareAppSuspicion

Boolean

Indicates there is malware, such as spyware, that monitors and collects information about a user and the device.

Malware that obtains unauthorized access to a mobile device

maliciousTrojanAppEvidence

Boolean

Indicates there is evidence of malware that gains unauthorized access to the mobile device

Malware that obtains unauthorized access to a mobile device

maliciousTrojanAppSuspicion

Boolean

Indicates there is evidence of malware that gains unauthorized access to the mobile device

Malware that steals bank credentials

maliciousBankerAppEvidence

Boolean

Indicates there is evidence of malware that steals bank credentials

Malware that steals bank credentials

maliciousBankerAppSuspicion

Boolean

Indicates there is malware that steals bank credentials

Man in the Middle attack

mitmEvidence

Boolean

Indicates there is evidence the communication between a device and a network was intercepted and could be monitored and modified by an unauthorized party. In a Man-in-the-Middle attack, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

Man in the Middle attack via ARP

mitmArpEvidence

Boolean

Indicates there is evidence that the device may be involved in a network attack. Communication between the device and a network was intercepted and could be monitored and modified by an unauthorized party. In a Man-in-the-Middle attack using ARP table poisoning, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

Man in the Middle attack with fake SSL certificate

mitmSslCertificateEvidence

Boolean

Indicates there is evidence of a Man-in-the-Middle attack using a fake certificate, in which a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

Man in the Middle attack with ICMP

mitmIcmpEvidence

Boolean

Indicates there is evidence that the device may be involved in a network attack: a Man-in-the-Middle attack using the ICMP protocol, in which the communication between the device and a network was intercepted and a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

Man in the Middle attack with SSL stripping

mitmSslStripEvidence

Boolean

Indicates there is evidence that the device may be involved in a network attack through a Man-in-the-Middle attack with SSL stripping, which allows a malicious attacker to downgrade HTTPS traffic to HTTP. The intercepted communication between the device and the network could then allow the attacker to hijack traffic and steal credentials or deliver malware to the device.

Many internal connections

highNumberOfInternalConnectionsEvidence

Boolean

Indicates whether there is evidence the process has a high number of internal connections

Marked for prevention

markedForPrevention

Boolean

Indicates whether the process executable file is prevented from executing by Application Control

Memory usage

memoryUsage

Long

The amount of memory the process uses

Meterpreter executable detected

meterpreterX86executableSuspicion

Boolean

Indicates whether Cybereason detected remote malicious tool resources

Meterpreter executable detected evidence

meterpreterX86executableEvidence

Boolean

Indicates whether there is evidence that the Cybereason platform identified remote malicious tool resources.

Mimikatz execution by shell process

mimikatzByShellSuspicion

Boolean

Indicates whether this process is a shell process executing Mimikatz

Mimikatz execution by shell process evidence

mimikatzExecutedByShellProcessEvidence

Boolean

Indicates whether there is evidence this process is a shell process executing Mimikatz.

Mimikatz execution evidence

mimikatzExecutionEvidence

Boolean

Indicates whether there is evidence of Mimikatz execution

Mimikatz process

mimikatzSuspicion

Boolean

Indicates whether the process has associated Mimikatz suspicions

Mismatch between memory and on-disk code

rareHasPeMismatchEvidence

Boolean

Indicates whether there is evidence the process has a mismatch between the in-memory code and the code on disk

Mismatching memory section

hasSectionMismatchEvidence

Boolean

Indicates whether there is evidence the process has a memory section which does not match the disk image for this section

MITM attack

mitmSuspicion

Boolean

Indicates the communication between a device and a network was intercepted and could be monitored and modified by an unauthorized party. In a Man-in-the-Middle attack, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM attack through SSL Strip

mitmSslStripSuspicion

Boolean

Indicates that the device may be involved in a network attack through a Man-in-the-Middle attack with SSL stripping, which allows a malicious attacker to downgrade HTTPS traffic to HTTP. The intercepted communication between the device and the network could then allow the attacker to hijack traffic and steal credentials or deliver malware to the device.

MITM attack via ARP suspicion

mitmArpSuspicion

Boolean

Indicates that the device may be involved in a network attack. Communication between the device and a network was intercepted and could be monitored and modified by an unauthorized party. In a Man-in-the-Middle attack using ARP table poisoning, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

MITM attack via ICMP redirect suspicion

mitmIcmpSuspicion

Boolean

Indicates that the device may be involved in a network attack. The communication between the device and a network was intercepted. The attacker can hijack traffic and steal credentials or deliver malware to the device

MITM attack with fake SSL certificate suspicion

mitmSslCertificateSuspicion

Boolean

Indicates there is a Man-in-the-Middle attack using a fake certificate, in which a malicious attacker can hijack traffic and steal credentials or deliver malware to the device.

Module classified as malware evidence

malwareModuleEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified one of the process modules as malware

Module not in loader database

rareHasUnloadedToDbEvidence

Boolean

Indicates whether there is evidence the process is found to have a module that does not appear in the loader database

Module prevention

processModuleExecutionPreventedEvidence

Boolean

Indicates whether the process loaded a module that was previously prevented by Application Control

Modules loaded from the temporary directory

modulesFromTemp

Array

Collection of modules associated with this process that are loaded from the temporary directory

Modules not in loader DB

modulesNotInLoaderDbList

Array

Collection of modules associated with this process that are not located in the loader database

MS Build as child of suspicious Office process

msbuildChildofMSOfficeSuspicion

Boolean

Indicates whether this process is an MSBuild process that was executed by an MS Office application.

MS Exchange application pool exploit attempt

MSExchangeOWAPoolWebshellEvidence

Boolean

Indicates whether there is evidence the process was observed making an attempt to exploit the MS Exchange application pool

MS-RPC request invoked/accessed the process using DCOM

msrpcDCOMServerEvidence

Boolean

Indicates whether an MS-RPC request invoked or accessed the process using a DCOM object

MSBuild in suspicious execution chain

msbuildChildOfSuspiciousEvidence

Boolean

Indicates whether there is evidence this process is an executable process that is suspected of being a descendant of an MS Office application.

Multiple extensions for image file

dualExtensionNameEvidence

Boolean

Indicates whether there is evidence the process file contains more than one extension.

Multiple extensions obscuring image file extension

hiddenFileExtensionEvidence

Boolean

Indicates whether there is evidence that the process uses an extension disguised from the user by using multiple extensions.

Multiple hashes for unsigned files with same PE information as image file

multipleHashForUnsignedPeInfoEvidence

Boolean

Indicates whether there is evidence the Cybereason platform identified multiple hashes for unsigned files with the same path and PE information as the process image file

N/A

rareInternalConnections

Array

Collection of rare internal connections associated with this process

Connection to rogue WiFi

mitmRogueApNearbyEvidence

Boolean

Indicates there is evidence of a rogue access point that exploits a device vulnerability by impersonating preferred or known WiFi networks, so that the device connects to it as if to a previously known network.

net.exe add new user to local admin user group

netCreateAdminSuspicion

Boolean

Indicates whether the net.exe process is suspected of attempting to add a user to the local admin user group

net.exe added new local admin user

netAddAdminEvidence

Boolean

Indicates whether there is evidence that the net.exe process attempted to add a user to the local admin user group

net.exe as child process of suspicious process

netDescendantOfSuspiciousProcessEvidence

Boolean

Indicates whether there is evidence the net.exe process is a descendant of a suspicious process

net.exe used to create or add user to group

netAddUserSuspicion

Boolean

Indicates whether the net.exe process is suspected of attempting to add a user to the user group

net.exe used to create or add user to group evidence

netAddUserEvidence

Boolean

Indicates whether there is evidence that the net.exe process attempted to add a user to the user group

Netsh process

isNetshProcess

Boolean

Indicates whether the process is a Netsh process

netsh.exe disabled firewall

netshDisableFirewallSuspicion

Boolean

Indicates whether the netsh.exe process disabled a firewall

netsh.exe disabled firewall evidence

netshDisableFirewallEvidence

Boolean

Indicates whether there is evidence that the netsh.exe process disabled a firewall.

Network handoff to alter routing

arpHandoffEvidence

Boolean

Indicates there is evidence that the device is using network handoff to alter routing on a network, potentially allowing for a Man-in-the-Middle attack.

Network scan while running injected code

maliciousByScanningOfInjectedProcess

Boolean

Indicates whether the process performs network scans while running an injected code

Network scan with elevated privileges

maliciousByScanningOfElevatedProcess

Boolean

Indicates whether the process performs network scans while running with high privileges or escalating a child process to run with high privileges

Network scanner

networkScannerEvidence

Boolean

Indicates whether there is evidence the process is scanning the internal network.

Network share discovery

networkShareDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is involved in network share discovery to obtain details of network shares.

New process

newProcessEvidence

Boolean

Indicates whether there is evidence the process is executed for the first time on this machine.

New process

newProcess

Boolean

Indicates whether the process is executed for the first time on this machine

New process created above normal threshold

newProcessesAboveThresholdEvidence

Boolean

Indicates whether there is evidence the process created multiple new processes.

New service

newServiceEvidence

Boolean

Indicates whether there is evidence this process started a new service for malicious purposes.

Non-certified or compromised device

SafetyNetAttestationBasicIntegrityFalseEvidence

Boolean

Indicates there is evidence that the Android device has been tampered with. The device is not certified by Google, and may have been additionally compromised, such as a rooted device.

Non-compliant app

appOutOfComplianceEvidence

Boolean

Indicates that there is evidence that apps marked Out of Compliance are found on the device.

Non-default resolver

nonDefaultResolverSuspicion

Boolean

Indicates whether the resolver of the DNS request is the default resolver set for the machine.

Non-mail process connection to mail service

hasMailConnectionForNonMailProcessEvidence

Boolean

Indicates whether there is evidence the process has a connection to a mail service but the process is not a mail client

Not shell runner

isNotShellRunner

Boolean

Indicates whether the process is not known to run shell processes

NTDS audit object access by shadow copy

unexpectedAuditObjectAccessNtdsFileShadowCopyEvidence

Boolean

Indicates whether there is evidence that the process accessed an audited system resource (the NTDS file, via a shadow copy).

Number of instances

totalNumOfInstances

Integer

Number of short-lived, frequently-running processes that the process represents.

Number of threads

threadCount

Integer

The number of threads in the process.

Obfuscated PowerShell command

powerShellBase64CompressedEvidence

Boolean

Indicates whether there is evidence the Cybereason platform detected encoded and compressed PowerShell commands

Obscured extension for image file

dualExtensionSuspicion

Boolean

Indicates whether the process uses an extension disguised from the user through the use of multiple extensions

Obscured file extension

macHiddenFileExtensionEvidence

Boolean

Indicates whether there is evidence that the image file for this process on a Mac OS machine is hiding the file extension.

Opened files

openedFiles

Array

Collection of opened files associated with this process

Opened potentially malicious files

maliciousOpenedFilesEvidence

Boolean

Indicates whether there is evidence this process opened files classified as malicious.

Original injector process

originInjector

String

The process that first initiated the injection activity

Osascript JavaScript payload

osascriptPayloadSuspicion

Boolean

Indicates whether this process used OSA JavaScript to run a payload

Osascript JavaScript ran payload evidence

osascriptPayloadEvidence

Boolean

Indicates whether there is evidence this process used OSA JavaScript to run a payload.

Outgoing connections of host process

outgoingConnectionsOfHostProcess

Array

Collection of outgoing connections associated with this process that were made by the host of this injected thread.

Outgoing connections

outgoingConnections

Array

Collection of outgoing connections associated with this process

Outgoing external connections

outgoingExternalConnections

Array

Collection of outgoing external connections associated with this process

Outgoing internal connections

outgoingInternalConnections

Array

Collection of outgoing internal connections associated with this process

Owner machine

ownerMachine

String

Name of the owner machine for this process

Packed process

packedProcessDecisionFeature

Boolean

Indicates whether this process is a packed process

Packed process

packedProcessSuspicion

Boolean

Indicates whether the process is suspected of running from a packed binary file

Packed process evidence

packedProcessEvidence

Boolean

Indicates whether there is evidence this process is running from a packed binary file

Parent and creator process mismatch

parentCreatorMismatchEvidence

Boolean

Indicates whether there is evidence that the parent process of this process and the process that created this process are not the same process

Parent from removable device

parentFromRemovableDevice

Boolean

Indicates whether the process's parent process was executed from a removable device

Parent of PowerShell process running JavaScript

parentOfPowerShellProcessRunningJavaScriptEvidence

Boolean

Indicates whether there is evidence a PowerShell process's parent process is running JavaScript via the command line

Parent process does not match known hierarchy

parentProcessNotMatchHierarchySuspicion

Boolean

Indicates whether the process's parent process matches the known process hierarchy of the process

Parent process does not match known hierarchy evidence

parentProcessNotMatchHierarchyEvidence

Boolean

Indicates whether there is evidence the process's parent process matches the known process hierarchy of the process

Parent process name

parentProcessName

String

The name of the parent process for this process

Parent process not system process

parentProcessNotSystemUserEvidence

Boolean

Indicates whether there is evidence the process is executed by a system user while its parent process is executed by a user that is not a system user

Parent process run from removable device

parentProcessFromRemovableDeviceEvidence

Boolean

Indicates whether there is evidence the process is executed from a removable device

Parent process was not admin process

parentProcessNotAdminUserEvidence

Boolean

Indicates whether there is evidence the process is executed by a user with administrator privileges while its parent process is executed by a user with lower privileges

Parent process

parentProcess

String

The parent process of this process

Pass the Hash receiver

passTheHashReceiverSuspicion

Boolean

Indicates whether the process is performing a suspicious incoming authentication attempt using Pass the Hash

Pass the Hash sender

passTheHashSenderSuspicion

Boolean

Indicates whether the process is performing a suspicious outgoing authentication attempt using Pass the Hash

Password file Read attempt

credentialDumpingFromLinuxPasswdEvidence

Boolean

Indicates whether there is evidence the process attempted to read from the passwd file on the machine

Password file search

searchForPasswordFilesSuspicion

Boolean

Indicates whether the process is searching for files containing passwords

Password file search evidence

searchForPasswordFilesEvidence

Boolean

Indicates whether there is evidence that the process is searching for files containing passwords

Password policy discovery

passwordPolicyDiscoverySuspicion

Boolean

Indicates whether this process performed password policy discovery activities

Password policy discovery evidence

passwordPolicyDiscoveryEvidence

Boolean

Indicates whether there is evidence of the process trying to perform password policy discovery

Permission groups discovery

permissionGroupsDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is involved in permission groups discovery

Permission groups discovery

LinuxPermissionGroupsDiscoveryEvidence

Boolean

Indicates whether there is evidence the process attempted to discover permission groups on the machine

Persistent modifications to device file systems

processFilesystemchangeSuspicion

Boolean

Indicates whether there are persistent modifications to a device file system

Persistence attempt through launch agents

plistBuddyCreatesLaunchAgentsFileSuspicion

Boolean

Indicates whether the process attempted to gain persistence using the LaunchAgents mechanism

Possibly untrusted profile

profileUntrustedEvidence

Boolean

Indicates whether there is evidence of a possibly untrusted profile on the device. An untrusted profile could be used to control the device remotely, monitor and manipulate user activity, and/or hijack a user's traffic

Potential network configuration discovery

networkConfigurationDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is performing network configuration discovery

Potentially malicious application

appMaliciousEvidence

Boolean

Indicates whether there is evidence a malicious app may have been detected on the device

Potentially malicious link tapped

siteInsightLinkTappedEvidence

Boolean

Indicates that a potentially malicious URL was tapped on the device

Potentially malicious link visited

siteInsightLinkVisitedSuspicion

Boolean

Indicates that a potentially malicious URL was tapped on the device, the user was warned of the potential danger of visiting the linked site, and the user chose to continue to the site after the warning

Potentially Unwanted Program (PUP)

unwantedEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as a Potentially Unwanted Program (PUP)

Potentially unwanted program by hash value

unwantedByHashReputation

Boolean

Indicates whether the Cybereason threat intelligence service classified the process image file as a Potentially Unwanted Program (PUP) due to the file hash

Potentially unwanted program module

unwantedModuleSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service identified a process module as a possibly unwanted program

Potentially unwanted program module evidence

unwantedModuleEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified a module associated with the process as a Potentially Unwanted Program (PUP)

PowerShell modules

powerShellModules

Array

Collection of PowerShell modules associated with this process

PowerShell command line with HKCU key

powershellCurrentUserRegistryEvidence

Boolean

Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with a HKCU (current user) registry key in its command line

PowerShell command line with HKLM key

powershellLocalMachineRegistryEvidence

Boolean

Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with a HKLM (local machine) registry key in its command line

PowerShell command line with IP address

powershellIpAddressEvidence

Boolean

Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with an IP address in its command line

PowerShell downloader

powerShellDownloaderSuspcion

Boolean

Indicates whether the PowerShell process is attempting to download a file via command line

PowerShell downloader evidence

powershellDownloaderEvidence

Boolean

Indicates whether there is evidence the PowerShell process is attempting to download a file via command line

PowerShell executed by cmdlet with environment variable

powerShellIesEnvSuspicion

Boolean

Indicates whether PowerShell is suspected of executing with an invoked cmdlet to execute a value stored as an environment variable

PowerShell executed by cmdlet with environment variable evidence

powerShellIexEnvEvidence

Boolean

Indicates whether there is evidence that PowerShell executed with an invoked cmdlet to execute a value stored as an environment variable

PowerShell executed by Word

powershellExecutedByWordEvidence

Boolean

Indicates whether there is evidence this process is a PowerShell process that was executed by a Word document

PowerShell process

isPowerShellProcess

Boolean

Indicates whether the process is a PowerShell process

PowerShell process command line with email address

powershellEmailAddressEvidence

Boolean

Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with an email address in its command line

PowerShell run by encoded command

powershellEncodedCommandEvidence

Boolean

Indicates whether there is evidence the PowerShell process was executed with an encoded command

PowerShell uses suspicious parameters

suspiciousUseOfPowershellSuspicion

Boolean

Indicates whether this PowerShell process was executed with suspicious parameters

PowerShell using Invoke-Expression flag

powershellInvokeExpressionEvidence

Boolean

Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process executing commands using the Invoke-Expression flag (iex)

Prevent execution file hash

blockedFileHash

String

List of file hashes that were blocked by process execution prevention

Prevented by PowerShell Protection

ngavPowershellPreventedEvidence

Boolean

Indicates whether there is evidence this process was prevented by PowerShell Protection

Privilege escalation to admin

executionPrevented

Boolean

Indicates whether the process elevated its privileges to the administrator user level

Process accessed ntds.file from shadow copy

ntdsShadowCopyAccessEvidence

Boolean

Indicates whether there is evidence a process accessed the ntds.dit file from the shadow copy volume

Process accessed SAM file from shadow copy

samShadowCopyAccessEvidence

Boolean

Indicates whether there is evidence that a process accessed the SAM file from the shadow copy volume

Process acting as client

hasClientInteractionEvidence

Boolean

Indicates whether there is evidence this process is involved in a machine interaction as a client machine

Process added firewall rule

addFirewallRuleEvidence

Boolean

Indicates whether there is evidence the process added a firewall rule

Process behaves like Inveigh script

psInveighSuspicion

Boolean

Indicates whether the process exhibits malicious behavior related to the PowerShell Inveigh script

Process behaves like Inveigh script evidence

psInveighEvidence

Boolean

Indicates whether there was evidence the process exhibits suspicious behavior related to the PowerShell Inveigh script

Process creation by remote WMI

wmiRemoteProcessCreationSuspicion

Boolean

Indicates whether the process used WMI to perform remote process creation

Process creation by remote WMI evidence

wmiRemoteProcessCreationEvidence

Boolean

Indicates whether there is evidence the process used WMI to perform remote creation of a process

Process creation with Win32_Product::Install method

createdByWMIWin32ProductEvidence

Boolean

Indicates whether there is evidence the process was created using the Win32_Product::Install method

Process deleted parent process

deletedParentProcessEvidence

Boolean

Indicates whether there is evidence the process deleted its parent process

Process discovery

processDiscoverySuspicion

Boolean

Indicates whether this process performed password policy discovery activities

Process discovery evidence

processDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is involved in process discovery

Process execution by PsExec

parentPsexecEvidence

Boolean

Indicates whether there is evidence the process was executed by a PsExec service

Process execution by system user

threatMapConnectedEvidence

Boolean

Indicates that the device has connected to a Wi-Fi network where malicious attacks have been observed

Process execution by system user

systemUserEvidence

Boolean

Indicates whether there is evidence the process is executed by a user with system level privileges

Process execution from Recycle Bin evidence

executedFromRecycleBinEvidence

Boolean

Indicates whether there is evidence the process was run from the Recycle Bin

Process execution from Recycle Bin suspicion

executedFromRecycleBinSuspicion

Boolean

Indicates whether the process was run from the Recycle Bin

Process file extension not used for executable files

nonExecutableExtensionEvidence

Boolean

Indicates whether there is evidence the process extension is normally used for executable files

Process hidden by rootkit

hiddenProcessSuspicion

Boolean

Indicates whether the process is hidden

Process hidden by rootkit evidence

hiddenProcessEvidence

Boolean

Indicates whether there is evidence the process is hidden

Process ID

applicablePid

String

The process identifier (PID)

Process image file hash on blocklist

blackListedFileHash

Boolean

Indicates whether the image file of the process is a file on the blocklist

Process image file on blocklist

blackListFileSuspicion

Boolean

Indicates whether the process is executing a file on the blocklist

Process image file unsigned

unknownUnsignedEvidence

Boolean

Indicates whether there is evidence the process image file is unsigned and the process is not known to reputation services

Process integrity

integrity

Enum

The integrity level of the process running as the same user. Possible values include:

In the UI:

  • High

  • Low

  • Medium

  • Protected

  • System

  • Untrusted

In the API:

  • HIGH

  • LOW

  • MEDIUM

  • PROTECTED

  • SYSTEM

  • UNTRUSTED

Process invoked CMSTPLUA ShellExec method using DCOM

msrpcCMSTPLUAClientEvidence

Boolean

Indicates whether the process invoked the CMSTPLUA ShellExec method using DCOM

Process is child process of Microsoft Office process

executableChildOfMSOfficeEvidence

Boolean

Indicates whether there is evidence the process is a child process of an MS Office process

Process issued an MS-RPC request to enumerate users

msrpcUserEnumerationClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to enumerate users

Process issued MS-RPC request for group discovery

msrpcGroupDiscoveryClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request for group discovery

Process issued MS-RPC request for NetLogon session challenge and authentication

msrpcNetlogonSessionChallengeClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request for the NetLogon challenge and authentication steps

Process issued MS-RPC request for NetLogon session challenge/authentication steps in ZeroLogon exploitation

msrpcZerologonClientSuspicion

Boolean

Indicates whether the process issued an MS-RPC request for the NetLogon session challenge and authentication steps as found in the ZeroLogon exploitation

Process issued MS-RPC request for service creation

msrpcServiceCreateClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request for service creation

Process issued MS-RPC request to change service config

msrpcServiceChangeClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to change a service config

Process issued MS-RPC request to create user

msrpcCreateUserClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to create a user

Process issued MS-RPC request to delete a scheduled task

msrpcDeleteScheduledTaskClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to delete a scheduled task

Process issued MS-RPC request to delete a service

msrpcServiceDeleteClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to delete a service

Process issued MS-RPC request to enumerate domain name

msrpcDomainEnumerationClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to enumerate the domain name

Process issued MS-RPC request to get updated domain object information

msrpcDCGetChangesClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to get updated domain object information

Process issued MS-RPC request to push domain object information

msrpcDCPushChangesClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to push domain object information

Process issued MS-RPC request to query current IPv4/IPv6 DHCP lease information

msrpcDhcpQueryClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request that queried the current IPv4 or IPv6 DHCP lease information

Process issued MS-RPC request to query for user information

msrpcWkstUserInfoEnumerationClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to query user information

Process issued MS-RPC request to query installed network adapters

msrpcDnsAdapterInfoClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to query for installed network adapters

Process issued MS-RPC request to query terminal name

msrpcTerminalNameClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to query for the terminal name

Process issued MS-RPC request to register scheduled task

msrpcRegisterScheduledTaskClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to register a scheduled task

Process issued MS-RPC request to Remote Registry service for HKLM hive handle

msrpcRemoteRegistryHKLMHandleClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to the Remote Registry service for the HKLM hive handle

Process issued MS-RPC request to Remote Registry service to export Windows registry hive

msrpcRemoteRegistryExportClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to the Remote Registry service to export a Windows registry hive

Process issued MS-RPC request to Remote Registry service to query Windows registry

msrpcRemoteRegistryQueryClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to the Remote Registry service to query the Windows registry

Process issued MS-RPC request to run scheduled task

msrpcRunScheduledTaskClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to run a scheduled task

Process issued MS-RPC request to start a service

msrpcServiceStartClientEvidence

Boolean

Indicates whether the process issued an MS-RPC request to start a service

Process issued MS-RPC request to update user information

msrpcEUpdateUserClientvidence

Boolean

Indicates whether the process issued an MS-RPC request to update user information

Process loaded PowerShell module

powershellModuleLoadedEvidence

Boolean

Indicates whether there is evidence the process loaded a PowerShell module

Process loads module on blocklist

blackListModuleSuspicion

Boolean

Indicates whether the process loads a module on the blocklist

Process loads module on blocklist evidence

blackListModuleEvidence

Boolean

Indicates whether there is evidence the process loads a module on the blocklist

Process masquerading as movie

masqueradingAsMovieEvidence

Boolean

Indicates whether there is evidence the process is masquerading as a movie

Process masquerading as operating system process

maliciousUseOfOSProcess

Boolean

Indicates whether this process masqueraded as an operating system process for malicious purposes

Process masquerading as Windows accessibility feature

abusingWindowsAccessibilityFeatures

Boolean

Indicates whether this process is masquerading as one of the MS Windows accessibility features

Process modified device file system

processFilesystemchangeEvidence

Boolean

Indicates whether there is evidence of persistent modifications to a device file system

Process module classified as ransomware

ransomwareModuleSuspicion

Boolean

Indicates whether the Cybereason threat intelligence service classified one of the process modules as ransomware

Process module classified as ransomware evidence

ransomwareModuleEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified one of the process modules as ransomware

Process module in temporary folder

hasModuleFromTempEvidence

Boolean

Indicates whether there is evidence the process has a module located in a temporary folder

Process name

calculatedName

String

The calculated name of the process

Process name

elementDisplayName

String

The name of the process

Process name hidden from scanning tools

covertProcessParametersOverrideEvidence

Boolean

Indicates whether there is evidence the process name was hidden from normal scanning tools

Process or image file hash classified as malware

malwareByHashReputation

Boolean

Indicates whether the Cybereason threat intelligence service classified the process image file as malware due to the image file hash.

Process or image file with unverifiable signature

maliciousSignedUnverifiedSuspicion

Boolean

Indicates whether the process image file has an unverifiable signature that indicates malicious interference with the image file or the certificate used to sign the image file

Process partially hidden from scanning API

covertProcessFullyTemperedIterationApiEvidence

Boolean

Indicates whether there is evidence the process was fully hidden from the normal scanning API

Process performed privilege elevation

privilegeEscalationEvidence

Boolean

Indicates whether there is evidence the process elevated its privileges to the local system user level

Process performed privilege elevation to admin

privilegeEscalationToAdminSuspicion

Boolean

Indicates whether the process behaves like a privilege escalation tool

Process performed privilege elevation to system

privilegeEscalationSuspicion

Boolean

Indicates whether the process behaves like a privilege escalation tool

Process pushed new domain users/object information to domain controllers

msrpcDCShadowClientSuspicion

Boolean

Indicates whether the process pushed new domain users or object information to domain controllers

Process ran injected code from deleted file

deletedInjectorInjectionSuspicion

Boolean

Indicates whether the process is running code injected by a process whose file no longer exists

Process received MS-RPC request to Remote Registry service to export Windows registry hive

msrpcRemoteRegistryExportServerEvidence

Boolean

Indicates whether the process received an MS-RPC request to the Remote Registry service to export a Windows registry hive

Process received MS-RPC request to the Remote Registry service for HKLM hive handle

msrpcRemoteRegistryHKLMHandleServerEvidence

Boolean

Indicates whether the process received an MS-RPC request to the Remote Registry service for the HKLM hive handle

Process requested replica of domain users/object information from domain controllers

msrpcDCSyncClientSuspicion

Boolean

Indicates whether the process requested a replica of the domain users or object information from the domain controllers

Process run on target machine in Pass the Hash attack

executedOnPassTheHashLogonSessionSuspicion

Long

Indicates whether the process is running a Pass the Hash attack on the target machine

Process run on target machine in Pass the Hash attack evidence

executedOnPassTheHashLogonSessionEvidence

Boolean

Indicates whether there is evidence the process is running a Pass the Hash attack on the target machine

Process running malicious web shell

maliciousWebShellSuspicion

Boolean

Indicates whether this process ran a web shell for malicious purposes

Process running web shell

webShellEvidence

Boolean

Indicates whether there is evidence this process is running or related to a web shell

Process used by exploit kit

exploitKitSuspicion

Boolean

Indicates whether the process used an exploit kit

Process used by exploit kit evidence

exploitKitEvidence

Boolean

Indicates whether there is evidence the process uses an exploit kit

Process used FTP data transfer

ftpCommunicationEvidence

Boolean

Indicates whether there is evidence the process used communication through FTP

Process used MS-RPC request to invoke/access a DCOM object

msrpcDCOMClientEvidence

Boolean

Indicates whether the process used an MS-RPC request to invoke or access a DCOM object

Process used rare DNS resolver server

rareHasNonDefaultResolver

Boolean

Indicates whether the process uses a non-default DNS server and this behavior is rare for the process

Product type

productType

Enum

The type of product running the process. Possible values include:

In the UI:

  • Adobe

  • Antivirus

  • Browser

  • Csrss (deprecated)

  • Explorer

  • IT Tools (deprecated)

  • Lsass

  • Mail

  • Microsoft Office

  • Not specific

  • OS process

  • Peer to Peer

  • Remote Desktop

  • RunAs

  • RunDll

  • SVC Host

  • Scheduled task

  • Security tool

  • Sharing

  • Shell

  • Tor

  • Unrecognized

  • VPN

  • Virtualization

  • Wininit

  • WsmProvHost

In the API:

  • ADOBE

  • ANTI-VIRUS

  • BROWSER

  • CSRSS (deprecated)

  • EXPLORER

  • IT_TOOLS (deprecated)

  • MAIL

  • LSASS

  • MS_OFFICE

  • NONE

  • OS_PROCESS

  • P2P

  • REMOTE_DESKTOP_CONTROL

  • RUNAS

  • RUNDLL

  • SVCHOST

  • SCHEDULED_TASK

  • SECURITY_TOOL

  • SHARING

  • SHELL

  • TOR

  • UNRECOGNIZED

  • VPN

  • VIRTUALIZATION

  • WININIT

  • WSMPROVHOST

Protected process running injected code from other process

injectedProtectedProcessSuspicion

Boolean

Indicates whether the process is a protected process and was identified as running code injected into it by another process

Protected process running injected code from other process evidence

injectedProtectedProcessEvidence

Boolean

Indicates whether there is evidence the process is a protected process and was detected as receiving injected code

Protection type

protectionType

Enum

The type of protection the process has. Possible values include:

In the UI:

  • Max

  • None

  • Protected

  • Protected - Light

In the API:

  • PsProtectedTypeMax

  • PsProtectedTypeNone

  • PsProtectedTypeProtected

  • PsProtectedTypeProtectedLight

PsExec remote execution process

psexecExecuterEvidence

Boolean

Indicates whether there is evidence the process is a remote execution process (PsExec)

Public app connection to internal network

internalNetworkAccessEvidence

Boolean

Indicates whether there is evidence of an app connecting to private, internal servers. It is uncommon for public applications to connect to internal servers; such connections are considered suspicious behavior and should be investigated immediately for the possible presence of malware on the device and the risk of data leakage

Ran a dropped script

maliciousScriptDropperEvidence

Boolean

Indicates whether there is evidence the process opened a file that executed a potentially malicious script

Ran encoded payload via Python

pythonPayloadSuspicion

Boolean

Indicates whether this process used Python to run an encoded payload

Ran encoded payload via Python evidence

pythonPayloadEvidence

Boolean

Indicates whether there is evidence this process used Python to run an encoded payload.

Ran injected code from compromised legitimate process

legitProcessInjectionSuspicion

Boolean

Indicates whether the process is running code injected by a compromised legitimate process

Ran injected code from other process

detectedInjectedEvidence

Boolean

Indicates whether there is evidence the process is running code that was injected by another process

Ran malicious injected code

suspiciousInjectedCodeSuspicion

Boolean

Indicates whether the Cybereason platform identified the process as running code that was injected by another process

Ran suspicious PowerShell commands

suspiciousCommandsEvidence

Boolean

Indicates whether there is evidence of suspicious PowerShell commands associated with this process

Ransomware auto blocking file hash

ransomwareAutoRemediationBlocked

Boolean

Indicates whether the file associated with the process was automatically blocked due to ransomware detection

Ransomware behavior by shadow copy deletion

maliciousShadowCopyDeletion

Boolean

Indicates whether the process exhibits ransomware behavior by deletion of shadow copies

Ransomware by hash value

ransomwareByHashReputation

Boolean

Indicates whether the Cybereason threat intelligence service classified the process image file as ransomware

Ransomware by hash value evidence

ransomwareEvidence

Boolean

Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as ransomware

Ransomware classification modules

ransomwareClassificationModules

Array

Collection of modules associated with the process that are classified as ransomware by the Cybereason threat intelligence service

Ransomware file manipulation

ransomwareByCanaryFilesSuspicion

Boolean

Indicates whether the process behaves like ransomware due to file manipulation

Ransomware file manipulation evidence

ransomwareByCanaryFilesEvidence

Boolean

Indicates whether there is evidence the process behaves like ransomware due to file manipulation

Ransomware shadow copy deletion

ransomwareByVssSuspicion

Boolean

Indicates whether the process behaves like ransomware due to shadow copy deletion with the vssadmin.exe utility

Ransomware shadow copy deletion evidence

ransomwareByVssEvidence

Boolean

Indicates whether there is evidence the process behaves like ransomware due to shadow copy deletion with the vssadmin.exe utility

Rare child process

rareChildProcessEvidence

Boolean

Indicates whether there is evidence the process's child process appears significantly less frequently than other processes in the environment

Rare execution by local system user

rareLocalSystemUserEvidence

Boolean

Indicates whether there is evidence the process is executed by a local system user

Rare execution by non-local system user

rareNotLocalSystemUserEvidence

Boolean

Indicates whether there is evidence the process is executed by a local system user whose user name appears infrequently within the environment

Rare extension for process

rareExtension

Boolean

Indicates whether the process extension is rare

Rare extension type for process

rareExtensionType

Boolean

Indicates whether the process extension type is rare

Rare external connection

rareExternalConnections

Boolean

Indicates whether the process has rare external connections

Rare floating executable code

rarePeFloatingCodeEvidence

Boolean

Indicates whether there is evidence the process has PE (Portable Executable) code floating in memory (not attached to a module/file) and this behavior is rare for the process

Rare internal connection

hasRareInternalConnectionEvidence

Boolean

Indicates whether there is evidence the process has rare internal connections

Rare internal connection

hasRareInternalConnection

Boolean

Indicates whether there are rare internal connections associated with this process

Rare listening connection

rareListeningConnectionEvidence

Boolean

Indicates whether there is evidence the process has an unusual open listening socket

Rare parent

rareParentEvidence

Boolean

Indicates whether there is evidence the process is a parent process that appears significantly less frequently than other processes in the environment

Rare process

rareProcessEvidence

Boolean

Indicates whether there is evidence the process appears significantly less frequently than other processes in the environment

Rare registry entry execution

rareHasAutorunEvidence

Boolean

Indicates whether there is evidence the associated registry entry for the process appears significantly less frequently than other registry entries in the environment

Rare remote address

hasRareRemoteAddress

Boolean

Indicates whether the process has a remote address that appears significantly less frequently than other addresses in the environment

Rare remote address

hasRareRemoteAddressEvidence

Boolean

Indicates whether there is evidence the process has a rare remote address associated with the process

Rare service for process

rareProcessRunByService

Boolean

Indicates whether the rare process was executed by a service

RAT behavior

maliciousTool

Boolean

Indicates whether this process is classified as a malicious tool due to Remote Access Trojan (RAT) behavior

RDP enabled by registry modification

remoteDesktopRegistryEnabledEvidence

Boolean

Indicates whether there is evidence the process enabled the Remote Desktop Protocol due to registry modification

RDP enabled by service execution

remoteDesktopRegistryReconSuspicion

Boolean

Indicates whether the process is suspected of querying the local terminal service status

RDP started

remoteDesktopProtocolStartedSuspicion

Boolean

Indicates whether the process enabled the Remote Desktop Protocol by registry modification

RDP suspected enabled

rdpEnableSuspicion

Boolean

Indicates whether this process enabled the Remote Desktop Protocol on a machine

Read action on lsasrv.dll

lsassSensitiveReadSuspicion

Boolean

Indicates whether this process performed a read operation on the lsasrv.dll file related to credential information

reg.exe command line with temp

regFromTempSuspicion

Boolean

Indicates whether the reg.exe process command line contains a temporary folder

reg.exe command line with temp evidence

regFromTempEvidence

Boolean

Indicates whether there is evidence that the reg.exe process command line contains a temporary folder

reg.exe performed registry credential dump

regCredentialsDumpSuspicion

Boolean

Indicates whether the reg.exe process was used to dump credentials from memory

reg.exe performed SAM registry dump

regDumpSamEvidence

Boolean

Indicates whether there is evidence the reg.exe process executed a SAM registry dump

reg.exe performed Security registry dump

regDumpSecurityEvidence

Boolean

Indicates whether there is evidence the reg.exe process executed a SECURITY registry dump

reg.exe performed System registry dump

regDumpSystemEvidence

Boolean

Indicates whether there is evidence the reg.exe process executed a SYSTEM registry dump

Regasm library modification

regasmUninstallEvidence

Boolean

Indicates whether there is evidence the Windows Registration Assembly utility (regasm.exe) process tried to uninstall a library

Registry events

registryEvents

Array

Collection of registry events associated with this process

regsvcs.exe performed library modification

regsvcsUninstallEvidence

Boolean

Indicates whether there is evidence the Remote Registry service (regsvcs.exe) process tried to uninstall a library

Related to Malop

relatedToMalop

Boolean

Indicates whether the process is related to a Malop

Remote Desktop Protocol enabled

rdpEnableEvidence

Boolean

Indicates whether there is evidence the process enabled the Remote Desktop Protocol

Remote Desktop Protocol service started

remoteDesktopServiceEnabledEvidence

Boolean

Indicates whether there is evidence the process enabled the Remote Desktop Protocol by service execution

Remote PowerShell execution

remoteExecutionOfPowershellEvidence

Boolean

Indicates whether there is evidence the process is a remote execution of PowerShell

Remote process creation with Win32_Product::Install method

remotelyCreatedByWMIWin32ProductEvidence

Boolean

Indicates whether there is evidence this process was created remotely with the use of the WMI Win32_Product::Install method

Remote Registry service received MS-RPC request to query Windows registry hive

msrpcRemoteRegistryQueryServerEvidence

Boolean

Indicates whether the Remote Registry service received an MS-RPC request to query a Windows registry hive

Remote service creation with Win32_BaseService::Start method

remotelyCreatedByWMIWin32ServiceEvidence

Boolean

Indicates whether there is evidence a service for this process was remotely created using the WMI Win32_BaseService::Start method

Remote session

remoteSession

Array

Collection of remote sessions associated with this process

Remote system discovery

remoteSystemDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is involved in remote system discovery in an attempt to get a listing of other accessible systems

Renamed well-known executable

renamedWellKnownToolSuspicion

Boolean

Indicates whether this process is renamed to the name of a well-known tool

Renamed well-known executable evidence

renamedWellKnownToolEvidence

Boolean

Indicates whether there is evidence this process is renamed to the name of a well-known tool

Resolved DNS queries from domain to domain

resolvedDnsQueriesDomainToDomain

String

List of resolved DNS queries made by this process from a domain pointing to another domain name

Resolved DNS queries from domain to IP

resolvedDnsQueriesDomainToIp

Array

Collection of resolved DNS queries that look up the IP address associated with a domain

Resolved DNS queries from IP to Domain

resolvedDnsQueriesIpToDomain

Array

List of resolved DNS queries made by this process from an IP address to find its domain name

Rogue Access Point

mitmRogueApSuspicion

Boolean

Indicates the device was connected to a rogue WiFi access point. Connecting to a rogue access point exposes the device to attack by an unauthorized party who can access your network data and/or credentials

Running from temporary folder

runningFromTempEvidence

Boolean

Indicates whether there is evidence the process is running from a temporary folder

Running injected code

maliciousInjectedCodeSuspicion

Boolean

Indicates whether the process is running code injected by another process

Running injected code from child of legitimate process

injectorChildOfLegitProcessInjectionSuspicion

Boolean

Indicates whether the process is running code injected by a process that is a child of a legitimate process

Running injected floating code

maliciousPeExecutionSuspicion

Boolean

Indicates whether the process is running floating code injected by another process

Contains shellcode in memory

shellcodeInProcessSuspicion

Boolean

Indicates whether malicious, floating, and position-independent code was found in process memory

SAM file audit object access

unexpectedAuditObjectAccessSamFileEvidence

Boolean

Indicates whether there is evidence that the process accessed an audited system resource - SAM file

SAM key audit object access

unexpectedAuditObjectAccessSamKeyEvidence

Boolean

Indicates whether there is evidence that the process accessed an audited system resource - SAM key

Sandbox process

isSandbox

Boolean

Indicates whether the process is executed in sandbox mode

UDP scan

scanUdpEvidence

Boolean

Indicates there is evidence of a reconnaissance scan using the UDP protocol, which is oftentimes an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM

Scheduled task

scheduledTask

String

Scheduled task running this process

Scheduled task creation

linuxScheduledTaskCreationProcessEvidence

Boolean

Indicates whether the process attempted to create a scheduled task

Scheduled tasks discovery

scheduledTaskDiscoverySuspicion

Boolean

Indicates whether this process performed activities to discover information about scheduled tasks on a machine

Scheduled tasks discovery evidence

scheduledTaskDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is performing scheduled tasks discovery to attempt to obtain details of existing scheduled tasks

Screen saver with child processes

screenSaverWithChildrenEvidence

Boolean

Indicates whether there is evidence the process is a screensaver process with child processes

Service creation on remote machine

remoteServiceCreationSuspicion

Boolean

Indicates whether the process created a service on a remote machine.

Service creation on remote machine evidence

remoteServiceCreationEvidence

Boolean

Indicates whether there is evidence this process created a service on a remote machine

Service execution by process

serviceProcessEvidence

Boolean

Indicates whether there is evidence the process was executed by a service

Service host

isServiceHost

Boolean

Indicates whether the process is a service host

Service loaded by non-SCM process

svchostNewProcessParentSuspicion

Boolean

Indicates whether a service was loaded by a new process and not directly by SCM (Service Control Manager)

Service running non-service process

rareServiceRunningProcess

Boolean

Indicates whether the process instance was executed by a service that appears significantly less frequently than other services in the environment

Service start with Win32_BaseService::Start method

createdByWMIWin32ServiceEvidence

Boolean

Indicates whether there is evidence the service related to the process was created by the WMI Win32_BaseService::Start method

Service started evidence

serviceExecutionEvidence

Boolean

Indicates whether there is evidence that the process started a service for malicious purposes

Service without service host

serviceWithoutServiceHost

Boolean

Indicates whether this service was executed by a process that is not a service host

Service

service

String

The service associated with this process

Several error code 9003 responses

multipleUnresolvedRecordNotExistsEvidence

Boolean

Indicates whether there is evidence the process contains more than five unresolved DNS queries with a Record-Not-Exists error code (9003)

Shadow copy deletion via VSSAdmin

vssAdminDeleteShadowsEvidence

Boolean

Indicates whether there is evidence the process is the vssadmin.exe process executed to delete shadow copies

Shadow copy deletion via WMIC

wmicShadowCopyDeleteEvidence

Boolean

Indicates whether there is evidence the process is a WMIC process executed to delete shadow copies

Shadow copy deletion with vssadmin.exe

shellWithVssAdminDeleteShadowCopiesEvidence

Boolean

Indicates whether there is evidence the process is a shell process that is executing vssadmin.exe to delete shadow copies

Shadow file Read attempt

credentialDumpingFromLinuxShadowEvidence

Boolean

Indicates whether there is evidence the process attempted to read from the Shadow file on a machine

Shell process connection to remote address

linuxMacReverseShellSuspicion

Boolean

Indicates whether this shell process on a Linux or Mac machine connected to a remote address

Shell process connection to remote address evidence

linuxMacReverseShellEvidence

Boolean

Indicates whether there is evidence this shell process on a Linux or Mac machine connected to a remote address

Shell with elevated privileges

shellWithElevatedPrivilegesSuspicion

Boolean

Indicates whether the process is a shell process that was executed by a local system user with elevated privileges

Shell with elevated privileges evidence

shellWithElevatedPrivilegesEvidence

Boolean

Indicates whether there is evidence the process is a shell process that was executed by a local system user with elevated privileges

Shell with unexpected parent

shellOfNonShellRunnerSuspicion

Boolean

Indicates whether the process is a shell process that was executed by a process that is not supposed to execute shell applications

Shell with unexpected parent evidence

shellOfNonShellRunnerEvidence

Boolean

Indicates whether there is evidence the process is a shell process that was executed by a process that is not supposed to execute shell applications

Shell process connects to a remote address and allows interactive commands

linuxMacReverseShellEvidence

Boolean

Indicates whether there is evidence the shell process connects to a remote address and allows interactive commands

Shell process connects to a remote address and allows interactive commands

linuxMacReverseShellSuspicion

Boolean

Indicates whether a shell process connects to a remote address and allows interactive commands

Sideloaded apps

sideloadedAppSuspicion

Boolean

Indicates there are sideloaded apps that are installed independently of an official app store and can present a security risk

Sideloaded or unofficial apps

sideloadedAppEvidence

Boolean

Indicates there are sideloaded apps that are installed independently of an official app store and can present a security risk

Signature explicitly revoked

signatureVerificationStatusExplicitlyRevokedEvidence

Boolean

Indicates whether there is evidence any of the process image file signing certificates in the chain of trust has been explicitly revoked

Signed and verified

isImageFileSignedAndVerified

Boolean

Indicates whether the process image file is signed and verified

Signed image file

isImageFileSigned

Boolean

Indicates whether the process image file is digitally signed

Signer

protectionSigner

Enum

The authority that signed the protected process. Possible values include:

In the UI:

  • Antimalware

  • App

  • Authenticode

  • CodeGen

  • Lsa

  • Max

  • None

  • WinSystem

  • WinTcb

  • Windows

In the API:

  • PsProtectedSignerAntimalware

  • PsProtectedSignerApp

  • PsProtectedSignerAuthenticode

  • PsProtectedSignerCodeGen

  • PsProtectedSignerLsa

  • PsProtectedSignerMax

  • PsProtectedSignerNone

  • PsProtectedSignerWinSystem

  • PsProtectedSignerWinTcb

  • PsProtectedSignerWindows

Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form

maliciousPhishingSuspicion

Boolean

Indicates there is evidence the device visited a site designed to deceive the end user into entering and submitting sensitive personal or corporate information through what appears to be a trusted web form

Site Insight - link visited evidence

siteInsightLinkVisitedEvidence

Boolean

Indicates there is evidence that a potentially malicious URL was tapped on the device and the user was warned of the potential danger of visiting the linked site and chose to continue on to the site after the warning

Suspected fsutil.exe deleted Update Sequence Number journal change

fsutilDeleteJournalSuspicion

Boolean

Indicates whether the process deleted the Update Sequence Number Journal changes in an effort to make process activities

Sudoers file access

sudoersFileModificationEvidence

Boolean

Indicates whether the process attempted to access the Sudoers file

Suspected network configuration discovery

networkConfigurationDiscoverySuspicion

Boolean

Indicates whether this process performed network configuration discovery activities

Suspected RAT process

ratSuspicion

Boolean

Indicates whether the process behavior is known to be used by Remote Access Trojans

Suspended

ransomwareAutoRemediationSuspended

Boolean

Indicates whether the process is suspended

Suspicious

isSuspicious

Boolean

Indicates whether the process is classified as suspicious by the Cybereason threat intelligence service

Suspicious app

ipaMaliciousEvidence

Boolean

Indicates there may be evidence of a malicious app on a device where the app tries to take control of the device in some manner (e.g. elevate privileges, spyware, etc.)

Suspicious Domain-to-Domain DNS queries

suspiciousDnsQueryDomainToDomain

Array

Collection of Domain-to-Domain DNS queries where one of the domains was detected as malicious by the Cybereason threat intelligence service

Suspicious external connection

hasSuspiciousExternalConnectionSuspicion

Boolean

Indicates whether the process has an external connection that is marked as suspicious

Suspicious external connections

suspiciousExternalConnections

Array

Collection of external connections associated with the process that are classified as suspicious by the Cybereason threat intelligence service

Suspicious internal connection

hasSuspiciousInternalConnectionSuspicion

Boolean

Indicates whether the process has an internal connection that is marked as suspicious

Suspicious internal connections

suspiciousInternalConnections

Array

Collection of internal connections associated with the process that are classified as suspicious by the Cybereason threat intelligence service

Suspicious iOS app suspicion

ipaMaliciousSuspicion

Boolean

Indicates there may be a malicious app on a device where the app tries to take control of the device in some manner (e.g. elevate privileges, spyware, etc.)

Suspicious mail connections

suspiciousMailConnections

Boolean

Indicates whether the process creates mail connections while it is not recognized by the Cybereason threat intelligence service as a legitimate program for such behavior

Suspicious MSBuild code behavior

msbuildBehaviourSuspicion

Boolean

Indicates whether the Msbuild process exhibited suspicious behavior related to code execution

Suspicious net.exe activity

netActivitySuspicion

Boolean

Indicates whether the net.exe process is part of a suspicious execution chain

Suspicious scanning activity

maliciousByScanningOfUnknownProcess

Boolean

Indicates whether the process performs network scans while it is not recognized as a legitimate program for such behavior

Suspicious screen saver

suspicionsScreenSaverEvidence

Boolean

Indicates whether there is evidence the process is a suspicious screensaver process.

Suspicious screen saver

suspiciousScreenSaver

Boolean

Indicates whether this process is a suspicious screensaver process

Suspicious shadow copy deletion

shadowCopyDeletionSuspicion

Boolean

Indicates whether the process maliciously deletes shadow copy files

Suspicious System Volume Information path

uncommonExecutionSysVolPathSuspicion

Boolean

Indicates whether the process is using an uncommon System Volume Information execution path or name

Suspicious System Volume Information path evidence

uncommonExecutionSysVolPathEvidence

Boolean

Indicates whether there is evidence that the process is using an uncommon System Volume Information execution path or name

Suspicious Unresolved Domain DNS queries

unresolvedQueryFromSuspiciousDomain

Array

Collection of the unresolved DNS queries associated with this process that accessed a domain that was classified as malicious by the Cybereason threat intelligence service

svchost.exe loaded by non-SCM process

svchostUnexpectedParentEvidence

Boolean

Indicates whether there is evidence the svchost process was loaded directly by Windows SCM (Service Control Manager)

svchost.exe loaded by non-SCM process

svchostUnsignedParentSuspicion

Boolean

Indicates whether a service was loaded by an unsigned parent and not directly by Windows SCM (Service Control Manager)

System information discovery

systemInformationDiscoverySuspicion

Boolean

Indicates whether this process performed activities to learn information about the system on a machine

System information discovery evidence

systemInformationDiscoveryEvidence

Boolean

Indicates whether there is evidence this process is involved in system information discovery to obtain detailed information about a machine and its operating system

System network configuration discovery

systemNetworkConfigurationDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is performing system network configuration discovery to obtain network configuration details and settings

System network connections discovery

systemNetworkConnectionsDiscoverySuspicion

Boolean

Indicates whether the process performed activities to discover information about system network connections

System network connections discovery evidence

systemNetworkConnectionsDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is performing system network connections discovery

System owner or user discovery

systemOwnerOrUserDiscoveryEvidence

Boolean

Indicates whether there is evidence this process is performing system owner or user discovery

System services discovery

servicesDiscoverySuspicion

Boolean

Indicates whether this process performed activities to discover information about services on a machine

System services discovery evidence

servicesDiscoveryEvidence

Boolean

Indicates whether there is evidence the process is performing a system services discovery

System Tampering

systemconfigSystemTamperingSuspicion

Boolean

Indicates that the device is compromised and cannot be trusted. System Tampering is the process of removing security limitations put in place by the device manufacturer; it indicates that the device is fully compromised and can no longer be trusted

System time discovery

systemTimeDiscoveryEvidence

Boolean

Indicates whether there is evidence that the process attempted a system time discovery

TCP scan

scanTcpSuspicion

Boolean

Indicates there is a reconnaissance scan using the TCP protocol, which is an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM

Temporary folder location in process Cscript command line

cscriptFileFromTempSuspicion

Boolean

Indicates that the command line for this process contains a temporary folder location

Temporary folder location in process Cscript command line evidence

cscriptFileFromTempEvidence

Boolean

Indicates there is evidence that the command line for this process contains a temporary folder location

The process contains shellcode

shellcodeInjectonEvidence

Boolean

Indicates whether there is evidence that this process runs injected code

Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior

appDownloadedFromThirdPartyStoreSuspicion

Boolean

Indicates there are apps from third party application stores. Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior

This process injected shellcode into the victim process

shellcodeInjectorSuspicion

Boolean

Indicates whether this process injected shellcode into the victim process

Thread ID

tid

Long

The thread id for the process

TOR browser use

TorBrowserEvidence

Boolean

Indicates whether there is evidence this process uses a Tor browser

TOR browser use on non-Windows machine

TorBrowserEvidenceNonWindows

Boolean

Indicates whether this non-Windows process uses a Tor browser

Total number of connections

totalNumberOfConnections

Integer

The total number of connections associated with the process

Total received bytes

totalReceivedBytes

Long

The total amount of data received by the process

Total transmitted bytes

totalTransmittedBytes

Long

The total amount of data transmitted by the process

Transmits high volume of data with injected code

maliciousByHighVolumeDataTransmittedByInjectedProcess

Boolean

Indicates whether the process transmits high volumes of data while it is running an injected code

UDP scan

scanUdpSuspicion

Boolean

Indicates there is a reconnaissance scan using the UDP protocol, which is oftentimes an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM

UNC path

uncPath

Boolean

Indicates whether the process path uses the Universal Naming Convention format

UNC path with machine name

uncPathEvidence

Boolean

Indicates whether there is evidence the path in the command line executing the process is a Uniform Naming Convention path that includes the name of the machine on which the process file is located

Unexpected Audit Object Access - SAM file via Shadow Copy

unexpectedAuditObjectAccessSamFileShadowCopyEvidence

Boolean

Indicates whether there is evidence that the process accessed an audited system resource - SAM file via shadow copy

Unexpected service host behavior

unexpectedBehaviourFromServiceHost

Boolean

Indicates whether this service host process has unexpected behavior

Unexpected unsigned file

unknownUnsignedBySigningCompany

Boolean

Indicates whether the process is executed by an unsigned file from a company that usually signs its executable files

Unknown process connects to known malware address

accessToMalwareAddressByUnknownProcess

Boolean

Indicates whether the process connects to an address being used by malware

Unknown process reputation

unknownEvidence

Boolean

Indicates whether there is evidence the process is not known to reputation services

Unresolved DNS queries from Non-existent Record

unresolvedRecordNotExist

Array

Collection of DNS queries associated with this process that were not resolved because the record does not exist

Unresolved DNS query to domain on blocklist

hasUnresolvedQueryFromBlackListDomainEvidence

Boolean

Indicates whether there is evidence the process received a DNS request that was unresolved from a domain on the blocklist

Unresolved DNS query to malicious domain

hasUnresolvedQueryFromSuspiciousDomainEvidence

Boolean

Indicates whether there is evidence the process created an unresolved DNS request to a malicious domain

Unresolved domain DNS lookups

unresolvedDnsQueriesFromDomain

Array

Collection of unresolved DNS queries associated with this process that failed to look up domain names

Unresolved IP DNS lookups

unresolvedDnsQueriesFromIp

Array

Collection of unresolved DNS queries associated with this process that failed to look up IP addresses

Unsecured WiFi Network

unsecuredWifiEvidence

Boolean

Indicates there is evidence of unsecured WiFi networks, which are not protected by encryption or authentication protocols and are open to attackers

Unsecured WiFi network

unsecuredWifiEvidence

Boolean

Indicates that the device connected to an unsecured WiFi network. Unsecured WiFi networks are not protected by encryption or authentication protocols and are open to attackers

Unsigned and unknown process opened external connections

unknownUnsignedWithWellKnownPortConnections

Long

Indicates whether the unsigned process is recognized by Cybereason and it creates external connections using a well-known port

Unsigned and unknown process with suspicious extension

unknownWithSuspiciousExtension

Boolean

Indicates whether the process is unsigned and has a suspicious extension

Unsigned image file

imageFileUnsignedEvidence

Boolean

Indicates whether the process image file is signed

Unsigned image file despite signed version

imageFileUnsignedHasSignedVersionEvidence

Boolean

Indicates whether there is evidence the process image file is signed and a signed version exists

Unsigned process by company that signs processes

rareUnsignedForCompany

Boolean

Indicates whether the process company name has a rare signature

Unsigned version of signed image file

unsignedWithSignedVersion

Boolean

Indicates whether the process file is unsigned while a signed version exists

Unsigned version of signed module

unsignedWithSignedVersionModule

Boolean

Indicates whether the process has an unsigned module when a signed version of the same module exists

Unsigned with a signed version modules

unsignedWithSignedVersionModules

Array

Collection of unsigned modules that have a signed version

Untrusted profile suspicion

profileUntrustedSuspicion

Boolean

Indicates there may be an untrusted profile on the device. This untrusted profile could be used to control the device remotely, monitor and manipulate user activities, and/or hijack a user's traffic

Unusual access to password store files

passwordsFileAccessByTextEditorSuspicion

Boolean

Indicates whether the process attempted to access a Linux password store file

Unusual execution of rundll32.exe

uncommonUseOfRundll32Suspicion

Boolean

Indicates whether the rundll32.exe OS process is suspected of being abused to execute a command or arbitrary code

Unusual execution of rundll32.exe evidence

uncommonUseOfRundll32Evidence

Boolean

Indicates whether there is evidence the rundll32.exe OS process was abused to execute a command or arbitrary code

Unusual MSBuild behavior

msbuildUnusualBehaviourEvidence

Boolean

Indicates whether there is evidence that this process is an MSBuild process that is exhibiting unusual behavior

Unusual network connection

toolWithUnusualNetworkEvidence

Boolean

Indicates whether there is evidence that an application has an unusual network connection

Unusual operating system process location

signedOSProcessUnusualPathSuspicion

Boolean

Indicates whether this process is a signed OS process that is not running from its original location

Unusual OS process location

osProcessUnusualPathSuspicion

Boolean

Indicates whether this process is an OS process that is not running from its original location

Unusual OS process location evidence

osProcessUnusualPathEvidence

Boolean

Indicates whether there is evidence this process is an OS process and is suspected of not running from its original location

Unusual screen saver execution

screenSaverNotExecutedByExplorerEvidence

Boolean

Indicates whether there is evidence the process is a screensaver process that was not executed by explorer.exe

Unverified signature for image file

imageFileUnverifiedEvidence

Boolean

Indicates whether there is evidence the process image file is not signed by a trusted signer

Unwanted classification modules

unwantedClassificationModules

Array

Collection of modules associated with this process that are classified as unwanted by the Cybereason threat intelligence service

Use of domain generation algorithm

dgaSuspicion

Boolean

Indicates whether the process uses a Domain Generation Algorithm to communicate with its Command & Control server

Use of unsigned module

hasModuleUnsignedWithSignedVersionEvidence

Boolean

Indicates whether a module of the process is not signed while a signed version of the same module exists

Used sticky keys to rename file

stickyKeysFileRenameSuspicion

Boolean

Indicates whether the process used the sticky keys feature to rename a file

Used sticky keys to rename file evidence

stickyKeysFileRenameEvidence

Boolean

Indicates whether there is evidence the process used the sticky keys feature to rename a file

Used Windows RTL vulnerability

rightToLeftFileExtensionEvidence

Boolean

Indicates whether there is evidence the process attempted to hide a file extension by exploiting the Windows right-to-left override vulnerability

User

user

String

The user executing the process

User Context Modification Evidence

LinuxUserContextModificationEvidence

Boolean

Indicates whether there is evidence the process attempted to set a file's user access rights

Uses non-default DNS server

hasNonDefaultResolverEvidence

Boolean

Indicates whether there is evidence the resolver of the DNS request is the default resolver set to the machine

Virtual memory read on LSASS encryption keys

lsassEncryptionKeysReadSuspicion

Boolean

Indicates whether this process performed a read operation on the LSASS registry keys for encryption

Well Known Port External Connections

wellKnownPortConnections

Array

Collection of external connections associated with this process that are using a well-known port (lower than 1024)

Windows accessibility feature masquerade

accessibilityFeaturesAbusingSuspicion

Boolean

Indicates whether the process is masquerading as a Windows accessibility feature

Windows accessibility feature masquerade evidence

accessibilityFeaturesAbusingEvidence

Boolean

Indicates whether there is evidence that the process is masquerading as a Windows accessibility feature

WinRM code execution

winRMCodeExecutionEvidence

Boolean

Indicates whether there is evidence the process is performing code execution using the Windows Remote Management service

WMI Activities

wmiActivities

Array

Collection of WMI activities performed by the process

WMI Queries

wmiQueryStrings

String

List of WMI queries run by this process

Write action on samsrv.dll

lsassSamsrvPatchSuspicion

Boolean

Indicates whether this process performed a write action on the samsrv.dll file related to credential information

Xcopy runs file from temp folder

xcopyFileFromTempSuspicion

Boolean

Indicates whether XCopy is suspected of running files from a temporary folder which is known to be used by Java-based malware

Xcopy runs file from temp folder evidence

xcopyFileFromTempEvidence

Boolean

Indicates whether there is evidence that the XCopy process is running a file from a temporary folder, which is known to be used by Java-based malware

Proxy (EDR)

Use these features to filter for Proxy Elements:

UI Name

API Name

Type

Description

Discovery type

discoveryType

Enum

The way the proxy was configured. Possible values include:

In the UI:

  • Auto PAC

  • Static

  • Static PAC

  • Unknown

In the API:

  • AUTO_PAC

  • STATIC

  • STATIC_PAC

  • UNKNOWN_PROXY

Has Malops

hasMalops

Boolean

Indicates whether or not the proxy is associated with any Malops.

Has suspicions

hasSuspicions

Boolean

Indicates whether or not the proxy is associated with any Suspicions.

Host

host

String

The host name of the domain for the proxy address.

IP address

ipAddress

String

The IP address of the proxy.

Port

port

Integer

The port of the proxy.

Proxy name

elementDisplayName

String

The name of the proxy.

URL of the PAC

pacUrl

String

The URL of the proxy auto-config file (PAC).

Quarantine File (EDR)

Use these features to filter for Quarantine File Elements:

UI Name

API Name

Type

Description

File name

elementDisplayName

String

The name of the quarantined file.

Has Malops

hasMalops

Boolean

Indicates whether or not the quarantined file is associated with any Malops.

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the quarantined file is associated with any Suspicions.

Machine

ownerMachine

String

The machine where the quarantine action was applied.

MD5 signature

md5String

String

The file’s MD5 signature.

Original file

file

String

The original version of the file that was quarantined.

Quarantined file

quarantineFile

String

The quarantine version of the file created by a quarantine action.

SHA1 Signature

sha1String

String

The file’s SHA1 signature.

Registry Entry/Autorun (EDR)

Use these features to filter for Registry Entry Elements. Note that the API name for this Element is Autorun.

UI Name

API Name

Type

Description

Autorun JavaScript value

autorunJavascriptValueEvidence

Boolean

Indicates whether there is evidence that the registry entry contains JavaScript.

File

file

String

The file linked to this registry entry.

Is pointing to temporary folder

isPointingToTemp

Boolean

Indicates whether the registry entry points to a temporary folder.

Machine

ownerMachine

String

The machine on which this registry entry is found.

Rare registry key

rareAutorunNameByOsEvidence

Boolean

Indicates whether there is evidence this registry key is rare for this organization.

Registry entry file

dependInFile

String

Name of the file associated with the registry entry.

Registry entry JavaScript value

autorunJavascriptValueSuspicion

Boolean

Indicates whether the registry entry is suspected of containing JavaScript.

Registry events

registryEvents

Array

Collection of registry events performed on this registry entry.

Unusual file name for registry entry by operating system

rareAutorunFileNameByOsEvidence

Boolean

Indicates whether there is evidence that the file name for this registry entry is unusual for machines with the same operating system.

Value

value

String

The value of this registry entry.

Registry Event (EDR)

Use these features to filter for Registry Event Elements:

UI Name

API Name

Type

Description

Data for registry entry

data

String

The data in the registry entry associated with the registry event.

Number of times for registry event

detectionTimesNumber

Integer

The number of times this event has been detected by the Cybereason platform.

Registry event

elementDisplayName

String

The name of the registry event.

First time event detected

firstTime

Integer (timestamp)

The first time the Cybereason platform detected this event.

Is a CLSID

isCLSID

Boolean

Indicates whether or not the registry entry associated with the registry event is a CLSID. If the registry entry is a CLSID, the content displayed is the content of the CLSID (the referenced registry entry), with an indication that the registry entry is a CLSID.

Owner machine

ownerMachine

String

The name of the machine on which the registry entry was found.

Data type

registryDataType

Enum

The type of data used in the registry entry associated with the registry event. Possible values include:

  • REG_DATATYPE_NONE: No value type

  • REG_DATATYPE_SZ: Unicode null terminated string

  • REG_DATATYPE_EXPAND_SZ: Unicode null terminated string with environment variable references

  • REG_DATATYPE_BINARY: Free form binary

  • REG_DATATYPE_DWORD: 32-bit number

  • REG_DATATYPE_DWORD_BIG_ENDIAN: 32-bit number

  • REG_DATATYPE_LINK: Symbolic link

  • REG_DATATYPE_MULTI_SZ: Multiple Unicode strings

  • REG_DATATYPE_RESOURCE_LIST: Resource list in the resource map

  • REG_DATATYPE_FULL_RESOURCE_DESCRIPTOR: Resource list in the hardware description

  • REG_DATATYPE_RESOURCE_REQUIREMENTS_LIST: A resource requirements list for the associated resource

  • REG_DATATYPE_QWORD: 64-bit values

Registry entry

registryEntry

String

The registry location of the registry entry associated with this registry event.

Registry entry type

registryEntryType

Enum

The type of registry entry. Possible values include:

  • REG_ENTRY_TYPE_UNKNOWN: The type of registry entry is unknown.

  • REG_ENTRY_TYPE_AUTORUN: This registry entry is a registry entry for an autorun program.

Operation type

registryOperationType

Enum

The type of operation performed on the registry entry associated with this registry event. Possible values include:

  • REG_CREATE: Entry was created

  • REG_DELETE: Entry was deleted

  • REG_MODIFY: Entry was modified

Path to registry entry for event

registryPath

String

The path (registry key and value) to the registry key associated with this registry event.

Process

registryProcess

String

The name of the process associated with this registry event and a link to the process.

Timestamp

timestamp

Integer (timestamp)

The timestamp for the registry event.

Remote Session (EDR)

Use these features to filter for Remote Session Elements:

UI Name

API Name

Type

Description

Client

client

String

The client network machine for this remote session.

Client logon session

clientLogonSession

String

The logon session of the client for this remote session.

Client machine

clientMachine

String

The machine name involved in this remote session.

Client user

clientUser

String

The client user for this remote session.

Has Suspicions

hasSuspicions

Boolean

Indicates whether the remote session is associated with any suspicions.

Is pass the ticket

isPassTheTicket

Boolean

Indicates whether Cybereason identified credential passing activity in the remote session.

Pass the ticket

passTheTicketEvidence

Boolean

Indicates whether the remote session was created using a stolen Kerberos ticket.

Resource type

resourceType

String

The authentication protocol resource type used for the remote session.

Server

server

String

The server network machine for this remote session.

Server logon session

serverLogonSession

String

The logon session of the server for this remote session.

Server machine

serverMachine

String

The name of the server machine associated with this remote session.

Unauthorized credential usage

passTheTicketSuspicion

Boolean

Indicates whether the remote session was initialized using a Kerberos ticket that doesn’t belong to its original user.

User

user

String

The user context opening this remote session.

User and remote machine

elementDisplayName

String

The user and remote machine associated with the remote session.

Resource (XDR)

Use these features to filter for the Resource Element:

UI Name

API Name

Type

Description

Events related with resource

relatedEvents

Collection

Collection of events associated with the resource.

Product specific resource ID

id

String

The product specific resource ID for the cloud asset.

Resource name

name

String

The name for the cloud asset.

Resource sub-type

subtype

String

The subtype for the resource.

Resource type

type

Enum

The type of resource. Potential values include (but are not limited to):

In the UI:

  • Unspecified

  • Mutex

  • Task

  • Named pipe

  • Device

  • Firewall rule

  • Mailbox folder

  • VPC network

  • Virtual machine

  • Storage bucket

  • Storage object

  • Database

  • Data table

  • Cloud project

  • Cloud organization

  • Service account

  • Access policy

  • Cluster

  • Settings

  • Dataset

In the API:

  • UNSPECIFIED

  • MUTEX

  • TASK

  • PIPE

  • DEVICE

  • FIREWALL_RULE

  • MAILBOX_FOLDER

  • VPC_NETWORK

  • VIRTUAL_MACHINE

  • STORAGE_BUCKET

  • STORAGE_OBJECT

  • DATABASE

  • TABLE

  • CLOUD_PROJECT

  • CLOUD_ORGANIZATION

  • SERVICE_ACCOUNT

  • ACCESS_POLICY

  • CLUSTER

  • SETTING

  • DATASET

  • APPLICATION

Parent resource

parent

String

The parent resource of this resource.

Privacy level

privacy

String

The privacy level for the cloud asset.

Role (XDR)

Use these features to filter for Role Elements:

UI Name

API Name

Type

Description

Role description

description

String

The description for this system role.

Role name

name

String

The name for this system role.

Role type

type

String

The type of system role.

Scheduled Task (EDR)

Use these features to filter for Scheduled Task Elements:

UI Name

API Name

Type

Description

Author

author

String

The user that created this task.

Automatic execution

automaticExecution

String

The automatic execution associated with this scheduled task.

Enabled

enabled

Boolean

Indicates whether the scheduled task is enabled.

Files

files

String

The list of files related to this scheduled task.

Has Malops

hasMalops

Boolean

Indicates whether the scheduled task is associated with any Malops.

Has Suspicions

hasSuspicions

Boolean

Indicates whether the scheduled task is associated with any suspicions.

Last modified by

lastUpdatedBy

String

The last user to modify the task.

Machine

ownerMachine

String

The machine from which the scheduled task is executed.

Scheduled task actions

executableActions

Array

Collection of the actions associated with this scheduled task.

Scheduled task name

elementDisplayName

String

The name of the scheduled task.

Task state

state

Enum

The current state of the task. Possible values include:

In the UI:

  • Disabled

  • Queued

  • Ready

  • Running

  • Unknown

In the API:

  • TASK_STATE_DISABLED

  • TASK_STATE_QUEUED

  • TASK_STATE_RUNNING

  • TASK_STATE_READY

  • TASK_STATE_UNKNOWN

Scheduled Task Action/Executable Task Action (EDR)

Use these features to filter for Scheduled Task Action Elements. Note the API name for this Element is ExecutableTaskAction.

UI Name

API Feature Name

Type

Description

Action name

elementDisplayName

String

Name of the scheduled task action, including the path and arguments

Arguments

executableArguments

String

The arguments that are used when executing this action.

Executable

fileInfo

String

The name of the executable file associated with this scheduled task action.

Has Malops

hasMalops

Boolean

Indicates whether or not the scheduled task action is associated with any Malops.

Has Suspicions

hasSuspicions

Boolean

Indicates whether the scheduled task action is associated with any suspicions.

Path

executablePath

String

The path to the file that will be executed by this action.

Service (EDR)

Use these features to filter for Service Elements:

UI Name

API Name

Type

Description

Automatic execution

automaticExecution

Array

Collection of automatic executions associated with this service.

Binary file

binaryFile

String

The binary file associated with this service.

Binary file was changed

binaryFileChangedEvidence

Boolean

Indicates whether there is evidence the binary file associated with this service was changed

Command line arguments

commandLineArguments

String

The command line arguments of the service process execution

Description

description

String

The description of the service

Display name

displayName

String

The name displayed for the service

Driver

driver

String

The driver associated with this service

Has Malops

hasMalops

Boolean

Indicates whether or not the service is associated with any Malops

Has Suspicions

hasSuspicions

Boolean

Indicates whether or not the service is associated with any Suspicions

Is active

isActive

Boolean

Indicates whether the service is active

Is auto restart

isAutoRestartService

Boolean

Indicates whether the service is an auto restart service

Is new service

newService

Boolean

Indicates whether the service is new

Is system process

isSystemProcess

Boolean

Indicates whether the service is associated with a system user

Last binary file

oldBinaryFile

String

The last binary file associated with this service

Last service start user

oldServiceStartName

String

The last account name the service process used to log in when it ran.

Machine

ownerMachine

String

The machine on which this service is running

Microsoft PsExec service

psexecServiceNameEvidence

Boolean

Indicates whether there is evidence the service is a Microsoft PsExec service

New service

newServiceEvidence

Boolean

Indicates whether there is evidence the service is new for the organization

Rare active service

rareActiveServiceEvidence

Boolean

Indicates whether there is evidence the service is active when it is usually disabled

Rare disable service

rareDisableServiceEvidence

Boolean

Indicates whether there is evidence the service is disabled when it is usually active

Rare service

rareServiceEvidence

Boolean

Indicates whether there is evidence the service is unusual in the organization

Rare start type

rareStartTypeEvidence

Boolean

Indicates whether there is evidence the service start type is unusual for the service.

Service name

elementDisplayName

String

The name of the service

Service start name

serviceStartName

String

The account name the service process will use to log in when it runs

Service start name was changed

serviceStartNameChangedEvidence

Boolean

Indicates whether there is evidence that the service process changed the service start name

Service state

serviceState

Enum

The state for the service. Possible values include:

In the UI:

  • Active

  • Activating

  • Deactivating

  • Failed

  • Inactive

  • Unknown

In the API:

  • SERVICE_STATE_ACTIVE

  • SERVICE_STATE_ACTIVATING

  • SERVICE_STATE_DEACTIVATING

  • SERVICE_STATE_FAILED

  • SERVICE_STATE_INACTIVE

  • SERVICE_STATE_UNKNOWN

Service sub-state

serviceSubState

Enum

The sub-state for the service. Possible values include:

In the UI:

  • Abandoned

  • Active

  • Elapsed

  • Exited

  • Listening

  • Mounted

  • Plugged

  • Running

  • Unknown

  • Waiting

In the API:

  • SERVICE_SUBSTATE_ABANDONED

  • SERVICE_SUBSTATE_ACTIVE

  • SERVICE_SUBSTATE_ELAPSED

  • SERVICE_SUBSTATE_EXITED

  • SERVICE_SUBSTATE_LISTENING

  • SERVICE_SUBSTATE_PLUGGED

  • SERVICE_SUBSTATE_MOUNTED

  • SERVICE_SUBSTATE_RUNNING

  • SERVICE_SUBSTATE_UNKNOWN

  • SERVICE_SUBSTATE_WAITING

Service type

serviceType

Enum

The type of service. Possible values include:

In the UI:

  • Automount

  • Device

  • Mount

  • Path

  • Process

  • Scope

  • Slice

  • Socket

  • Swap

  • Target

  • Timer

  • Unknown

In the API:

  • SERVICE_TYPE_AUTOMOUNT

  • SERVICE_TYPE_DEVICE

  • SERVICE_TYPE_MOUNT

  • SERVICE_TYPE_PATH

  • SERVICE_TYPE_PROCESS

  • SERVICE_TYPE_SCOPE

  • SERVICE_TYPE_SLICE

  • SERVICE_TYPE_SOCKET

  • SERVICE_TYPE_SWAP

  • SERVICE_TYPE_TARGET

  • SERVICE_TYPE_TIMER

  • SERVICE_TYPE_UNKNOWN

Start type

startType

Enum

The manner of starting the service. Possible values include:

In the UI:

  • Auto start

  • Boot start

  • Demand start

  • Disabled

  • Invalid

  • System start

In the API:

  • SERVICE_START_TYPE_AUTO_START

  • SERVICE_START_TYPE_BOOT_START

  • SERVICE_START_TYPE_DEMAND_START

  • SERVICE_START_TYPE_DISABLED

  • SERVICE_START_TYPE_SYSTEM_START

  • SERVICE_START_TYPE_INVALID

User/User Account (EDR and XDR)

Note

In versions 21.2.84 and later, in the Investigation screen, this Element is renamed User Account.

Use these features to filter for User Account Elements:

UI Name

API Name

Type

Description

Account type

accountType

String

The type of user account. Possible values include:

In the UI:

  • Default

  • Domain

  • Local

  • Cloud

  • Service

  • Unknown

In the API:

  • DEFAULT_ACCOUNT

  • DOMAIN_ACCOUNT

  • LOCAL_ACCOUNT

  • CLOUD_ACCOUNT

  • SERVICE_ACCOUNT

  • UNKNOWN

Account provider

accountProvider

String

The entity to which the user account belongs

Account status

accountStatus

Enum

The status for this user account. Possible values include:

In the UI:

  • Unknown

  • Active

  • Disabled

  • No active credentials

  • Deleted

In the API:

  • UNKNOWN_AUTHENTICATION_STATUS

  • ACTIVE

  • SUSPENDED

  • NO_ACTIVE_CREDENTIALS

  • DELETED

Active Directory SID

adSid

String

The SID associated with this user according to Active Directory information

Active Directory text country

adTextCountry

String

Text country associated with this user according to Active Directory information

Assigned user roles

roles

Collection

A list of the roles for this user account

Associated domain

adAssociatedDomain

String

Domain associated with this user according to Active Directory information

Associated email addresses

emailAddresses

Collection

A list of the email addresses associated with this user account

Company

adCompany

String

Company associated with this user according to Active Directory information

Country

adCountry

String

Country associated with this user according to Active Directory information

Department

department

String

The department for the user

Department

adDepartments

Array

A collection of the departments associated with this user account according to Active Directory information

Domain

domain

String

The domain of the user (or the Computer Name if a local user)

DomainUser Name

elementDisplayName

String

Complete user name containing the domain (or local machine) and the user name

Downloaded processes count

downloadedProcessesCount

Integer

The number of processes the user downloaded from the Internet

Email address

adMail

String

User’s email address according to Active Directory information

Employee Number

employeeNumber

String

The employee number for the user associated with this user account

Groups for user

groups

Collection

List of groups to which this account belongs

Has malicious process

hasMaliciousProcess

Boolean

Indicates whether the user executed a malicious process

Has Malops

hasMalops

Boolean

Indicates whether or not the user is associated with any Malops

Has Suspicions

hasSuspicions

Boolean

Indicates whether the user is associated with any Suspicions

Has unusual process with external connections

hasRareProcessWithExternalConnections

Boolean

Indicates whether the user executed an unusual process with external connections

High number of downloaded processes

highNumberOfDownloadedProcessesEvidence

Boolean

Indicates whether the user executed multiple processes that were downloaded from the Internet

High number of machines

highNumberOfMachinesEvidence

Boolean

Indicates whether there is evidence the user was logged in to multiple machines

High number of new processes

highNumberOfNewProcessesEvidence

Boolean

Indicates whether there is evidence the user executed multiple processes for the first time in the organization

Irregular time of day activity

irregularActivityHourEndTimeEvidence

Boolean

Indicates whether there is evidence the user’s end time occurred outside normal working hours

Is admin

isAdmin

Boolean

Indicates whether the user is an administrator

Is domain user

isDomainUser

Boolean

Indicates whether the specified user account is a domain user account

Is suspicious

isSuspicious

Boolean

Indicates whether the user is associated with any suspicions

Is system or root

isSystemOrRoot

Boolean

Indicates whether the user is a local system or root user

Launched suspicious process outside normal hours

hasSuspiciousProcessByUserInIrregularHoursEvidence

Boolean

Indicates whether there is evidence the user ran a malicious process outside normal working hours

Last Machine Logged in to

ownerMachine

String

The last machine to which the user was logged in

Local system

isLocalSystem

Boolean

Indicates whether or not the user is a local system user

Logon name

adLogonName

String

The logon name for this user according to Active Directory information

Member of

adMemberOf

String

Groups this user is a member of according to Active Directory information

New IT tool for user

newAdminToolForUserEvidence

Boolean

Indicates whether there is evidence the user ran a tool with IT characteristics for the first time

New process count

newProcessesCount

Integer

The number of new processes the user executed

Number of machines

numberOfMachines

Integer

The number of machines to which the user logged in

Organization

ownerOrganization

String

The organization to which the user belongs

Organizational unit (OU)

adOU

String

Organizational units of which this user is a member according to Active Directory information

Password age in days

passwordAgeDays

Integer

The number of days since the last change to the user’s password according to Active Directory information

Primary group ID

adPrimaryGroupID

String

The ID of the user’s primary group according to Active Directory information

Privileges

privileges

Array

The privilege level of the user. Possible values include:

In the UI:

  • Admin

  • Root

  • Guest

  • User

In the API:

  • UserPrivAdmin

  • UserPrivRoot

  • UserPrivGuest

  • UserPrivUser

Product-specific ID for account

sid

String

A product-specific identifier for this user account

Running IT tool

runningPowerToolEvidence

Boolean

Indicates whether there is evidence the user executed a process identified as an IT tool

Running malicious process

runningMaliciousProcessEvidence

Boolean

Indicates whether the user ran a malicious process

Running rare process with external connections

runningRareProcessWithExternalConnectionsEvidence

Boolean

Indicates whether there is evidence the user executed a rare process that connected to an external IP address

Running suspicious process

hasSuspiciousProcess

Boolean

Indicates whether the user ever executed suspicious processes

SAM account name

adSamAccountName

String

The SAM account name associated with this user according to Active Directory information.

Security identifier (SID)

sid

String

The user’s immutable identifier

Source user account for event

eventSourceUser

String

The user account associated with an event

Target user account for event

eventTargetUser

String

The user account that was targeted in an event

Title

adTitle

String

The user’s title according to Active Directory information

Trespassing user by suspicious activity

trespassingUserBySuspiciousActivitySuspicion

Boolean

Indicates whether the user performed suspicious activities during irregular hours and is therefore suspected of trespassing

User authentication status

status

Enum

The authentication status for the user. Potential values include (but are not limited to):

  • UNKNOWN_AUTHENTICATION_STATUS

  • ACTIVE

  • SUSPENDED

  • NO_ACTIVE_CREDENTIALS

  • DELETED

User canonical name

adCanonicalName

String

Canonical name for this user according to Active Directory information

User creation time

adCreated

String

The time the user account was created according to Active Directory data

User display name

adDisplayName

String

Display name for this user according to Active Directory information

User display name

displayName

String

The display name for the user account

User FQDN

fqdn

String

The fully qualified domain name (FQDN) for the user account

User identity name

identity

String

The user identity associated with this user account

User name

username

String

The name of the user

User Phone Numbers

phoneNumbers

String

The phone numbers associated with this user account

User title

title

String

The title for the user associated with this user account.

User to admin

privilegesChangeFromUserToAdmin

Boolean

Indicates whether the user changed their privileges from standard user to administrator

Using power tool

hasPowerTool

Boolean

Indicates whether the user ever executed a power tool

User Identity (XDR)

Use these features to filter for User Identity Elements:

UI Name

API Name

Type

Description

Identity aliases

aliases

Array

A collection of aliases associated with this user identity.

Source user identity for event

eventSourceUserIdentity

String

The user identity associated with an event.

Target user identity for event

eventTargetUserIdentity

String

The user identity that was the target of an event.

User accounts

accounts

Collection

A list of the user accounts associated with this user identity.

User ID

id

String

The unique identifier for this user identity.

User names

displayNames

Collection

A list of the user names for this user identity.

WMI Persistent Object (EDR)

Use these features to filter for WMI Persistent Object Elements:

UI Name

API Name

Type

Description

Client IP Address

clientIP

Array

Collection of IP addresses of the client that has connected to WMI.

Client Machine

clientMachine

String

The machine of the client that has connected to WMI.

Client Network Machine

clientNetworkMachine

String

The network machine of the client that has connected to WMI.

Client PID

clientPid

Long

The PID of the client process that has connected to WMI. Can be a remote or local process.

Consumer Action

consumerAction

String

The action to perform with the WMI Persistent object when the query is fulfilled.

Consumer File Path

consumerFilePath

String

The path to the file when the Cybereason platform is unable to find the file associated with the consumer action.

This Feature is available from version 21.2.43 and higher.

Consumer Image File

consumerImageFile

String

The name of the file associated with the consumer action.

This Feature is available from version 21.2.43 and higher.

Consumer Name

consumerName

String

The name of the consumer running the WMI Persistent object.

Creating process

creatingProc

String

The name of the process that created this WMI persistent object.

Filter Name

filterName

String

The name of the filter used for the WMI Persistent object.

Filter Query

fiterQuery

String

The string used in the query for the WMI Persistent object.

Owner machine

ownerMachine

String

The name of the machine on which this WMI persistent object is found.

Persistent type

persistenceType

String

The type of WMI persistent object.

Script engine

scriptEngine

String

The script engine that created the WMI persistent object.

This Feature is available from version 21.2.43 and higher.

User

user

String

The user that performed the activity.

WMI Activity

wmiActivity

Array

Collection of WMI activity associated with the WMI Persistent Object.

WMI Persistent Object

elementDisplayName

String

The name of the WMI Persistent object.
