Query Elements and Features
Queries consist of Elements, Features, operators, and values. Elements are components of your Cybereason platform, such as machines, users, and processes. Each Element has a set of Features you can filter by to narrow your query requests.
The following tables list Elements and Features available for use in the Cybereason UI and API calls.
Elements
Use these values to represent each Element in a query request:
Note: Some Elements below are relevant only with the Cybereason platform’s XDR module. To use the XDR module, you can add the XDR package to your Cybereason platform for an additional cost. Contact your Customer Success Manager to request access to this package.
| Element UI Name | API Name | Description |
|---|---|---|
| Attachments | attachment | A file attached to a message. |
| Automatic Execution | AutomaticExecution | An operation that is run automatically. |
| Connection | Connection | A connection operation between machines, processes, and so forth. |
| Detection Event | DetectionEvents | An event on which a detection (evidence, suspicion, or Malop) was generated. |
| DNS query resolved Domain to Domain | DnsQueryResolvedDomainToDomain | A DNS query from one domain to another that was resolved. |
| DNS query resolved Domain to IP | DnsQueryResolvedDomainToIp | A DNS query from a Domain to an IP address that was resolved. |
| DNS query resolved IP to Domain | DnsQueryResolvedIpToDomain | A DNS query from an IP to a Domain that was resolved. |
| DNS query unresolved from Domain | DnsQueryUnresolvedFromDomain | A DNS query from a domain that is still not resolved. |
| DNS query unresolved from IP | DnsQueryUnresolvedFromIp | A DNS query from an IP address that is still not resolved. |
| Domain Name | DomainName | The name of a domain. |
| Driver | Driver | A driver for a machine, process, and so forth. |
| Email address | emailAddress | An email address associated with a user. |
| Event | Event | A security event sent from another security vendor. |
| File | File | A file involved in an operation. |
| File Event | FileAccessEvent | An operation performed by a process on a file. |
| Forensic Artifacts | forensicArtifacts | Data collected from a forensic tool. |
| Function Details | FunctionDetails | The information about a running function. |
| Group | Group | A group of users for a specific asset. |
| Hosts File | HostsFile | The file on an operating system that maps host names to IP addresses. |
| Image file | File | The file from the disk that executes the process. |
| IP Address | IpAddress | The IP address of an operation. |
| IP Range Scan | IpRangeScan | An operation that scans the IP addresses in a range. |
| Listening connection | ListeningConnection | The connection on the machine that listens for incoming connection requests. |
| Local network | LocalNetwork | A LAN for a specific area. |
| Logon session | LogonSession | A computing session beginning with a successful logon and ending with a user log off operation. |
| Machine | Machine | The machine involved in an operation. |
| Malop Logon session | MalopLogonSession | The specific computing session when the user was logged on in which a Malop was created. |
| Malop Process | MalopProcess | The specific process involved in a Malop. |
| Message | Message | A message sent from a user. |
| Module | Module | The module involved in an operation. |
| Mount point | MountPoint | A directory on which an accessible file system is mounted. |
| MS-RPC | Msrpc | A Remote Procedure Call (RPC) operation on a machine running Windows. |
| Network Interface | NetworkInterface | The interface between two items in a computer network. |
| Network Machine | NetworkMachine | A machine running on a network involved in an operation. |
| Process | Process | The process involved in an operation. |
| Proxy | Proxy | The proxy used for a connection. |
| QuarantineFile | QuarantineFile | The file involved in a quarantine operation. |
| Registry Entry | Autorun | An item in the computer’s registry. |
| Registry Event | RegistryEvent | An event performed on a specific registry entry. |
| Remote Session | RemoteSession | A computing session where a user accesses a machine running in a remote place. |
| Resource | Resource | A resource on another platform. |
| Role | Role | A role assigned to a user or group. |
| Scheduled task | ScheduledTask | A task scheduled to run at a certain time by the operating system’s task scheduler. |
| Scheduled task action | ExecutableTaskAction | The action that runs when a task runs from the task scheduler. |
| Service | Service | A service involved in an operation. |
| User Account | User | The user account for a specific activity. |
| User Identity | UserIdentity | The unique user in an operation. |
| Wmi Persistent Object | WmiPersistentObject | An object created when working with the WMI capability of the Windows operating system. |
Feature values per Element
The following tables list Features available per Element. Use the following values in the “UI Name” columns when constructing queries in the Cybereason UI, and use the values in the “API Name” columns in API query requests.
In the tables, Features that are references to another Element are shown in bold. Note that in some cases the name of the Feature linking to another Element differs from the name of that Element.
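As an added illustration of the point above (this is example code, not part of the original page or of Cybereason’s own tooling), the following Python builds an API query request for the Connection Element using only API Name values from the tables, and rejects UI Names such as "Remote address" that belong in the UI but not in an API request. The Element and Feature names come from this page; the request envelope (queryPath, requestedType, filters, facetName, filterType, values, customFields and the limit fields) is an assumption about the shape of the Cybereason query API that this page itself does not document, and the allow-list holds only a constructed subset of the page’s Feature names.

```python
import json

# Element API names copied from the Elements table on this page (constructed subset).
ELEMENT_API_NAMES = {
    "Connection", "Process", "Machine", "DetectionEvents",
    "DnsQueryResolvedDomainToIp", "File", "User",
}

# Feature API names per Element, copied from the Feature tables (constructed subset).
FEATURE_API_NAMES = {
    "Connection": {
        "isExternalConnection", "remotePort", "remoteAddress", "ownerProcess",
        "ownerMachine", "connectionToTorAddressEvidence", "transportProtocol",
        "direction", "maliciousAddressEvidence", "hasSuspicions",
    },
    "DnsQueryResolvedDomainToIp": {
        "sourceDomain", "targetIpAddress", "blacklistDomainEvidence",
        "sinkholeDomainEvidence", "lowMaxTtlEvidence",
    },
}


def validate_names(element, feature_names):
    """Return True if the Element and every Feature name are API names on this page.

    Raises ValueError otherwise, which is what catches a UI Name ("Remote address")
    pasted into an API request instead of the API Name ("remoteAddress").
    """
    if element not in ELEMENT_API_NAMES:
        raise ValueError(f"unknown Element API name: {element!r}")
    known = FEATURE_API_NAMES.get(element, set())
    unknown = sorted(name for name in feature_names if name not in known)
    if unknown:
        raise ValueError(f"unknown Feature API name(s) for {element}: {unknown}")
    return True


def build_query(element, filters, custom_fields, limit=100):
    """Build a query request body.

    ASSUMPTION: the envelope below (queryPath / requestedType / filters with
    facetName, filterType, values; customFields; *Limit fields; templateContext)
    follows the public Cybereason query API; the page only lists the names.
    """
    validate_names(element, [f["facetName"] for f in filters])
    validate_names(element, custom_fields)
    return {
        "queryPath": [
            {"requestedType": element, "filters": filters, "isResult": True}
        ],
        "totalResultLimit": limit,
        "perGroupLimit": limit,
        "perFeatureLimit": limit,
        "templateContext": "SPECIFIC",
        "customFields": list(custom_fields),
    }


def tor_external_connections_query():
    """Hunting query: external connections whose remote address was flagged as Tor.

    Both facets are Boolean Features from the Connection table; the returned
    columns are String/Integer Features from the same table.
    """
    filters = [
        {"facetName": "isExternalConnection", "values": [True], "filterType": "Equals"},
        {"facetName": "connectionToTorAddressEvidence", "values": [True], "filterType": "Equals"},
    ]
    return build_query(
        "Connection",
        filters,
        ["remoteAddress", "remotePort", "ownerProcess", "ownerMachine"],
    )


if __name__ == "__main__":
    print(json.dumps(tor_external_connections_query(), indent=2))
```

The validation step is the practical takeaway: API requests silently return nothing useful when a facetName is misspelled or taken from the wrong column, so checking names against the tables before sending a hunt is cheaper than debugging an empty result set.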
Attachments (XDR)
Use these features as filters for the Attachment Element:
| UI Name | API Name | Type | Description |
|---|---|---|---|
| Extension type | extensionType | String | The type of extension for this attachment. |
| File name | name | String | The name of the file in the attachment. |
| Machines | machines | Collect | A list of the machines on which this attachment was found. |
| MD5 signature | md5 | String | The MD5 file hash value for the attachment. |
| Path | path | String | The path to the file for this attachment. |
| SHA1 Signature | sha1 | String | The SHA-1 file hash value for the attachment. |
| SHA256 Signature | sha256 | String | The SHA-256 file hash value for the attachment. |
| Size | size | Integer | The size of the attachment. |
| Signer | signer | String | The name of the organization that signed the attachment. |
Automatic Execution (EDR)
Use these features as filters for the Automatic Execution Element:
| UI Name | API Name | Type | Description |
|---|---|---|---|
| Extension type | extensionType | String | The type of extension for this attachment. |
| File name | name | String | The name of the file in the attachment. |
| Machines | machines | Collect | A list of the machines on which this attachment was found. |
| MD5 signature | md5 | String | The MD5 file hash value for the attachment. |
| Path | path | String | The path to the file for this attachment. |
| SHA1 Signature | sha1 | String | The SHA-1 file hash value for the attachment. |
| SHA256 Signature | sha256 | String | The SHA-256 file hash value for the attachment. |
| Size | size | Integer | The size of the attachment. |
| Signer | signer | String | The name of the organization that signed the attachment. |
Connection (EDR and XDR)
Use these features as filters for the Connection Element:
| UI Name | API Name | Type | Description |
|---|---|---|---|
| Absolute high transmitted bytes | absoluteHighTransmittedBytesEvidence | Boolean | Indicates whether there is evidence the connection transferred a high volume of data. |
| Address accessed by Malware | accessedByMalwareEvidence | Boolean | Indicates whether there is evidence the connection’s remote address is used by malware. |
| App-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise | passwordDataLeakEvidence | Boolean | Indicates there is evidence of app-based communication with a password in an unencrypted or easily decrypted format. |
| App-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise | passwordDataLeakSuspicion | Boolean | Indicates there is evidence of app-based communication with a password in an unencrypted or easily decrypted format. |
| App-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) format | userInformationDataLeakEvidence | Boolean | Indicates there is evidence of app-based communication with an identifiable service user name in an unencrypted or easily decrypted format. |
| Application | application | String | The name of the application that is the target of the connection. |
| Application protocol used | protocol | String | Protocol name used by the application initiating the connection. |
| Associated listening socket | parent | String | The local address and port of the parent listening socket. |
| Blocklisted URL domain | blackListUrlDomainEvidence | Boolean | Indicates whether or not the connection is communicating with a domain on the blocklist. |
| Browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format | creditCardDataLeakEvidence | Boolean | Indicates there is evidence of browser-based communication in which the communication contains a credit card number that is not encrypted or is easily decrypted. |
| Browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format | creditCardDataLeakSuspicion | Boolean | Indicates there is browser-based communication in which the communication contains a credit card number that is not encrypted or is easily decrypted. |
| Browser-based communication that includes the device’s physical geo-location in an unencrypted (or easily decrypted) format | webLocationDataLeakEvidence | Boolean | Indicates there is evidence of browser-based communication in which the communication contains the device’s physical geo-location. |
| Browser-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format | webEmailInformationDataLeakEvidence | Boolean | Indicates there is evidence of browser-based communication in which the communication contains an email address in an unencrypted or easily decrypted format. |
| Classification type | remoteAddressMaliciousClassificationType | Enum | Classification for the remote address. Possible values include: … |
| Connection to domain on blocklist | blackListDomainSuspicion | Boolean | Indicates whether or not the connection is communicating with a domain on the blocklist. |
| Connection to IP address on the blocklist | blackListIPSuspicion | Boolean | Indicates whether or not the connection is communicating with an IP address on the blocklist. |
| Connected to FTP port | ftpPortEvidence | Boolean | Indicates whether or not the connection uses an outgoing FTP port. |
| Connected to IRC port | ircPortEvidence | Boolean | Indicates whether or not the connection uses an outgoing IRC port. |
| Connected to mail port | mailPortEvidence | Boolean | Indicates whether or not the connection uses an outgoing mail port. |
| Connected to Tor port | torPortEvidence | Boolean | Indicates whether or not the connection uses an outgoing Tor port. |
| Connection name | elementDisplayName | String | Source IP address and target IP addresses of the connection. |
| Duration | duration | Long | The connection duration in nanoseconds. |
| HTTP method | httpRequestMethod | String | HTTP method used in the communication. |
| Remote address for connection used by malware | connectionToAddressUsedByMalwareSuspicion | Boolean | Indicates whether the remote address of this connection was used by malware but was not used by a legitimate process. |
| Connection to malicious address | maliciousConnectionSuspicion | Boolean | Indicates whether this connection is directed to an address that was identified as malicious. |
| Connection to proxy | isConnectionToProxy | Boolean | Indicates whether the connection is targeting a proxy address. |
| Connection to Tor address | connectionToTorAddressEvidence | Boolean | Indicates whether Cybereason identified the connection’s remote address as an address in the Tor network. |
| Device configurations that may put corporate and personal data at risk | untrustedProfileEvidence | Boolean | Indicates that there is evidence configurations on the device may put corporate and personal data at risk. |
| Device configurations that may put corporate and personal data at risk | untrustedProfileByDomainSuspicion | Boolean | Indicates that configurations on the device may put corporate and personal data at risk. |
| DNS query | dnsQuery | Array | Collection of DNS queries associated with this connection. |
| Direction | direction | Enum | Direction of the connection. Possible values include: In the UI: …; In the API: … |
| Domain name | domainName | String | The domain name associated with this connection. |
| Malicious process opened external connection | externalConnectionOfMaliciousProcessByHashSuspicion | Boolean | Indicates whether this external connection was marked as suspicious because it was executed by a malicious process and may be part of the malicious activity of the process. |
| External connection to well known port | externalConnectionToWellKnownPortEvidence | Boolean | Indicates whether there is evidence the connection is an external connection and the connection uses a port that is registered (less than 1024). |
| Has Malops | hasMalops | Boolean | Indicates whether or not the connection is associated with any Malops. |
| Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the connection is associated with any suspicions. |
| High data volume transmission to malicious address | absoluteHighDataVolumeTransmittedToMaliciousAddressSuspicion | Boolean | Indicates whether this connection was identified as transmitting a high data volume to an address marked as malicious. |
| Internal connection of a malicious process | internalConnectionOfMaliciousProcessByHashSuspicion | Boolean | Indicates whether this internal connection was marked as suspicious because it was executed by a malicious process and hence may be part of the malicious activity of the process. |
| IP address for connection destination | destinationNatIpAddress | IP address | IP address of the destination of the connection. |
| IP address (NAT) for destination | destinationNatPort | IP address | The IP address in NAT form for the destination of the connection. |
| Irrelevant or unsolicited content that is disseminated for the purposes of advertising, phishing or spreading malware | unwantedWebContentEvidence | Boolean | Indicates the device received irrelevant or unsolicited content sent for advertising or phishing reasons, or for the purposes of spreading malware. |
| Is external | isExternalConnection | Boolean | Indicates whether or not the connection is an external connection. |
| Is incoming | isIncoming | Boolean | Indicates whether or not the connection is an incoming connection. |
| Is live connection | isLiveConnection | Boolean | Indicates whether or not the connection is currently open. |
| Is live owner process | isLiveProcess | Boolean | Indicates whether or not the connection’s owner process is currently running. |
| Is proxy connection | isProxyConnection | Boolean | Indicates whether or not the connection is targeting a proxy address. |
| Is related to Malop | relatedToMalop | Boolean | Indicates whether or not the connection is related to a malicious operation. |
| Is well known port | isWellKnownPort | Boolean | Indicates whether or not the connection uses a well known port. |
| Local address | localAddress | String | The local address associated with the connection. |
| Local port | localPort | Integer | The local port number used by the connection. |
| Malicious address | maliciousAddressEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service identifies the connection’s remote address as malicious. |
| Malicious domain | suspiciousDomainEvidence | Boolean | Indicates whether there is evidence that Cybereason threat intelligence classified the domain the connection uses as suspicious. |
| Domain for connection classified as malicious | domainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the domain the connection uses as suspicious. |
| Network access to a web service that is known to demonstrate malicious behavior | connectionToMaliciousDomainEvidence | Boolean | Indicates there is evidence the device has network access to a web service that is known by threat intelligence sources to demonstrate malicious behavior. |
| Network access to a web service that is known to demonstrate malicious behavior | connectionToMaliciousDomainSuspicion | Boolean | Indicates the device has network access to a web service that is known by threat intelligence sources to demonstrate malicious behavior. |
| Opened by legitimate process | isProcessLegit | Boolean | Indicates whether or not the process that opened the connection is known to be legitimate. |
| Opened by malware | isProcessMalware | Boolean | Indicates whether or not the process that opened the connection is known to be malware. |
| Origin URL for request | httpRequestReferrer | String | The URL from which the connection originated. |
| Outgoing connection with listening socket | outgoingWithListeningConnectionEvidence | Boolean | Indicates whether there is evidence the connection is an outgoing connection with a listening socket. |
| Owner machine | ownerMachine | String | Name of the machine from which the connection originated. |
| Owner process | ownerProcess | String | The name of the process that created the connection. |
| Port (NAT) for connection source | sourceNatPort | Integer | The port in NAT form for the origin of the connection. |
| Port description | portDescription | String | The description of the port used by the connection. |
| Port type | portType | Enum | The type of service that opened the connection. Possible values include: In the UI: …; In the API: … |
| Process Malicious by Hash | isProcessMaliciousByHashEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service identified the process creating the connection as malicious by its image file’s hash. |
| Process name | processName | String | The name of the process that created the connection. |
| Rare address for machine | rareAddressOnMachineEvidence | Boolean | Indicates whether there is evidence the connection’s address is rare for the associated machine. |
| Rare address for process | rareAddressByProcessEvidence | Boolean | Indicates whether there is evidence the connection’s address is rare for the associated process. |
| Rare address location by process | rareAddressInternalExternalLocalByProcessEvidence | Boolean | Indicates whether there is evidence the connection’s remote address location (external/internal/local) is unusual for the associated process. |
| Rare connection direction for process | rareDirectionByProcessEvidence | Boolean | Indicates whether there is evidence the connection direction is rare for the associated process. |
| Rare port for address | rarePortAddressByProcessEvidence | Boolean | Indicates whether there is evidence the port used by the connection is rare for the associated address. |
| Rare port for process | rarePortByProcessEvidence | Boolean | Indicates whether or not there is evidence the port used by the connection is rare for the associated process. |
| Rare port type for process | rarePortTypeByProcessEvidence | Boolean | Indicates whether there is evidence the port type of the port used by the connection is rare for the associated process. |
| Rare remote address country for machine | rareCountryByMachineEvidence | Boolean | Indicates whether there is evidence the country location for the remote address of the connection is rare for the associated machine. |
| Rare remote address country for process | rareCountryByProcessEvidence | Boolean | Indicates whether there is evidence the country location for the remote address of the connection is rare for the associated process. |
| Received bytes | aggregatedReceivedBytesCount | Long | The number of bytes received by the connection. |
| Received bytes count | receivedBytesCount | Long | The amount of data (in bytes) received in this connection. |
| Remote address | remoteAddress | String | The address for the remote connection. |
| Remote address location | remoteAddressCountryName | String | The name of the country for the remote address of the connection. |
| Remote address name | remoteAddressName | String | The name associated with the remote address of the connection. |
| Remote address type | remoteAddressInternalExternalLocal | Enum | The type of the remote address for the connection. Possible values include: In the UI: …; In the API: … |
| Remote machine | remoteMachine | String | The name of the machine involved in the connection. |
| Remote port | remotePort | Integer | The port on the target machine used to establish the connection. |
| Request header with requester details | httpUseragent | String | Header details with the request user details for the connection. |
| Response code for request | httpResponseCode | String | The response code for the request in the connection. |
| Server address | serverAddress | String | The address for the server side of the connection. |
| Server port | serverPort | Integer | The port used for the server side of the connection. |
| Session ID | sessionId | String | Session ID for the connection. |
| Significantly low ratio of address for machine | lowAddressByMachineEvidence | Boolean | Indicates whether there is evidence the address for the machine associated with the connection shows up significantly less than addresses for other machines in the environment. |
| Significantly low ratio of address for process | lowAddressByProcessEvidence | Boolean | Indicates whether there is evidence the remote address for the process involved in the connection shows up significantly less than addresses for other processes in the environment. |
| Significantly low ratio of address for process on machine | lowAddressOnMachineByProcessRatioEvidence | Boolean | Indicates whether there is evidence the address for the connection opened by the process on the machine shows up significantly less than process addresses on other machines in the environment. |
| Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | maliciousPhishingEvidence | Boolean | Indicates there is evidence of the device visiting a site designed (through the use of what appears to be a trusted web form) to deceive the user into entering and submitting sensitive information. |
| Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form | maliciousPhishingSuspicion | Boolean | Indicates the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the user into entering and submitting sensitive information. |
| Site designed to secretly hijack the target’s device to mine cryptocurrencies | cryptojackingDomainEvidence | Boolean | Indicates there is evidence the device visited a site designed to hijack the device and use the device to mine cryptocurrencies. |
| Site designed to secretly hijack the target’s device to mine cryptocurrencies | cryptojackingDomainSuspicion | Boolean | Indicates there is evidence the device visited a site designed to hijack the device and use the device to mine cryptocurrencies. |
| Source IP address (NAT) | sourceNatIpAddress | IP address | IP address (in NAT format) for the entity that initiated the connection. |
| State | state | Enum | The state of the connection. Possible values include: In the UI: …; In the API: … |
| Suspicious | isSuspicious | Boolean | Indicates whether or not Cybereason detected suspicions associated with this connection. |
| Suspicious URL domain | suspiciousUrlDomainEvidence | Boolean | Indicates whether there is evidence that one of the URLs associated with the connection is classified as suspicious. |
| Suspicious URL domain | urlDomainClassificationSuspicion | Boolean | Indicates whether one of the URLs associated with the connection is classified as suspicious. |
| Transmitted bytes | aggregatedTransmittedBytesCount | Long | The number of bytes transmitted by the connection. |
| Transport protocol | transportProtocol | Enum | The protocol used to establish the connection. Possible values include: In the UI: …; In the API: … |
| URL domains | urlDomains | String | Collection of all domains of the URLs that were associated with this connection. |
| URL for connection destination | UrlDomain | String | Unmodified URL for the destination of the connection as reported from the event source. |
Detection Event (EDR)
Use these features as filters for the Detection Event Element:
| UI Name | API Name | Type | Description |
|---|---|---|---|
| Application Control blocked application on blocklist | applicationControlMalop | Boolean | Indicates whether the event is the root cause of the Application Control blocked application on blocklist Malop. |
| Known malware detected by Cybereason Anti-Malware | avDetectionMalop | Boolean | Indicates whether the event is the root cause of the Known Malware detected by Cybereason Anti-Malware Malop. |
| Connection associated with this event | connection | Array | Collection of connections associated with this event. |
| Status | decisionStatus | Enum | The status of the detected event. Possible values include: In the UI: …; In the API: … |
| Engine | detectionEngine | Enum | The detection method that detected the event. Possible values include: In the UI: …; In the API: … |
| Detection value | detectionValue | String | The value used in the decision to raise this as a detected event. |
| Detection type | detectionValueType | Enum | The method the Cybereason platform used to make the decision to raise this as a detected event. Possible values include: In the UI: …; In the API: … |
| Domain name associated with this event | domain | Array | Collection of domains associated with this event. |
| Detection event | elementDisplayName | String | The name of the detected event. |
| Exploitation attempt | exploitAttemptMalop | Boolean | Indicates whether this event is the root cause of the Exploitation attempt Malop. |
| File associated with this event | file | Array | Collection of files associated with the detected event. |
| Process used Download and Execute | filelessDownloadAndExecuteMalop | Boolean | Indicates whether this event is the root cause of the Process used Download and Execute Malop. |
| Download from malicious domain | filelessDownloadMalop | Boolean | Indicates whether the event is the root cause of the Download from malicious domain Malop. |
| Process ran malicious command | filelessMaliciousContentMalop | Boolean | Indicates whether the event is the root cause of the Process ran malicious command Malop. |
| Malicious floating module | filelessMaliciousModuleMalop | Boolean | Indicates whether the event is the root cause of the Malicious floating module Malop. |
| Associated with Malops | hasMalops | Boolean | Indicates whether the event is associated with any Malops. |
| Associated with suspicions | hasSuspicions | Boolean | Indicates whether the event is associated with any suspicions. |
| Machines associated with the detection event | machine | Array | Collection of machines associated with the event. |
| Malicious document detected | maliciousDocumentMalop | Boolean | Indicates whether the event is the root cause of a Malicious document detected Malop. |
| Owner machine | ownerMachine | String | The machine on which this event was detected. |
| Owner process | process | String | The process with which this event is associated. |
| Detection event | relatedToMalop | Boolean | Indicates whether this event is associated with Malops. |
| Script engine | scriptEngine | Enum | The scripting engine used to trigger this event. Possible values include: In the UI: …; In the API: … |
| Malware detection by Anti-Malware Artificial Intelligence classification | staticAnalysisDetectionMalop | Boolean | Indicates whether the event is the root cause of the Malware detection by Anti-Malware Artificial Intelligence classification Malop. |
| Connected user | user | Array | Collection of users associated with the event. |
DNS Query Resolved Domain to Domain (EDR)
Use these features to filter for DNS Query Resolved Domain to Domain Elements:
| UI Name | API Name | Type | Description |
|---|---|---|---|
| Blocklisted source domain | blacklistSourceDomainEvidence | Boolean | Indicates whether there is evidence that the source domain for the DNS request is a domain on the blocklist. |
| Blocklisted target domain | blacklistTargetDomainEvidence | Boolean | Indicates whether there is evidence the target domain for the DNS request is a domain on the blocklist. |
| Malicious source domain | sourceDomainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the source domain for the DNS request as malicious. |
| Malicious target domain | targetDomainClassificationSuspicion | Boolean | Indicates whether the Cybereason threat intelligence service classified the target domain for the DNS request as malicious. |
| Malware source domain | malwareSourceDomainEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service classifies the source domain for the DNS request as malware. |
| Malware target domain | malwareTargetDomainEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the target domain for the DNS request as malware. |
| Non-default resolver | nonDefaultResolverEvidence | Boolean | Indicates whether there is evidence that the resolver of this DNS request is the default resolver set to the machine. |
| Record type | recordType | Enum | The type of DNS record. Possible values include: In the UI: …; In the API: … |
| Resolvers | resolvers | Array | A collection of resolvers for this DNS query. |
| Sinkhole source domain | sinkholeSourceDomainEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the source domain for the DNS request as a sinkhole domain. |
| Sinkhole target domain | sinkholeTargetDomainEvidence | Boolean | Indicates whether there is evidence that the Cybereason threat intelligence service classified the target domain for the DNS request as a sinkhole domain. |
| Source domain | sourceDomain | String | The name of the source domain for this DNS request. |
| Source and target domain | elementDisplayName | String | The DNS address of the source domain and target domain involved in this DNS request. |
| Target domain | targetDomain | String | The name of the target domain in this DNS request. |
| TTL range | ttlRange | Enum | The time-to-live (TTL) range for the DNS record. Possible values include: In the UI: …; In the API: … |
DNS Query Resolved Domain to IP (EDR)
Use these features to filter for DNS Query Resolved Domain to IP Elements:
UI Name |
API Name |
Type |
Description |
|
---|---|---|---|---|
Blocklist domain |
blacklistDomainEvidence |
Boolean |
Indicates whether there is evidence that the domain in this DNS request is a domain on the blocklist. |
|
Device configurations that may put corporate and personal data at risk |
untrustedProfileEvidence |
Boolean |
Indicates there is evidence that device configurations may put corporate and personal data at risk. |
✓ |
Low max TTL |
lowMaxTtlEvidence |
Boolean |
Indicates whether there is evidence the response time-to-live (TTL) for this DNS request is low. |
|
Domain for DNS request classified as malicious |
domainClassificationSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the domain in ths DNS request as malicious. |
|
Malware evidence |
malwareDomainEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service classified the domain for this DNS request as malware. |
|
Network access to a web service that is known to demonstrate malicious behavior |
connectionToMaliciousDomainEvidence |
Boolean |
Indicates there is evidence the device has network access to a web service known by threat intelligence sources to demonstrate malicious behavior. |
✓ |
Non-default resolver |
nonDefaultResolverEvidence |
Boolean |
Indicates whether there is evidence that the resolver server for this DNS request is not the default resolver used by the machine. |
|
Record type |
recordType |
Enum |
The type of DNS record. Possible values include: In the UI:
In the API:
|
|
Resolvers |
resolvers |
Array |
Collection of resolvers for this DNS query. |
|
Sinkhole domain |
sinkholeDomainEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service classified the domain in this DNS request as a sinkhole domain. |
|
Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
maliciousPhishingEvidence |
Boolean |
Indicates there is evidence the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the device user to enter and submit personal or corporate information. |
✓ |
Site designed to secretly hijack the target’s device to mine cryptocurrencies |
cryptojackingDomainEvidence |
Boolean |
Indicates there is evidence the device visited a site designed to hijack the device for purposes of cryptocurrency mining. |
✓ |
Source domain |
sourceDomain |
String |
The domain requested in this request. |
|
Source domain and target IP |
elementDisplayName |
String |
The source domain and target IP address resolved by the request. |
|
Target IP |
targetIpAddress |
String |
The target IP address for this request. |
|
TTL Range |
ttlRange |
Enum |
The time-to-live (TTL) range for the DNS record. Possible values include: In the UI:
In the API:
|
DNS Query Resolved IP to Domain (EDR)
Use these features to filter for DNS Query Resolved IP to Domain Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Blocklist domain |
blacklistDomainEvidence |
Boolean |
Indicates whether there is evidence that the domain in the DNS request resolution is a domain on the blocklist. |
Has suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the DNS request has any suspicions. |
IP address |
IpAddress |
String |
The IP address associated with the DNS request. |
Domain for DNS request classified as malicious |
domainClassificationSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the domain used in this DNS request as malicious. |
Malware domain |
malwareDomainEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the domain in this DNS request as malware. |
Non Default Resolver |
nonDefaultResolverEvidence |
Boolean |
Indicates whether there is evidence that the resolver server for this DNS request is not the default resolver used by the machine. |
Record type |
recordType |
Enum |
The type of DNS record. Possible values include: In the UI:
In the API:
|
Resolvers |
resolvers |
Array |
List of resolvers for this DNS record |
Sinkhole domain |
sinkholeDomainEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence server classified the domain used by this DNS request as a sinkhole domain. |
Source IP |
sourceIpAddress |
String |
The source IP address for this DNS request. |
Source IP and target domain |
elementDisplayName |
String |
The source IP address and target domain used by this request. |
Target domain |
targetDomain |
String |
The target domain for this DNS request. |
TTL Range |
ttlRange |
Enum |
The time-to-live (TTL) range for the DNS record. Possible values include: In the UI:
In the API:
|
DNS Query Unresolved to Domain (EDR)
Use these features to filter for DNS Query Unresolved to Domain Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Blocklisted domain |
blacklistDomainEvidence |
Boolean |
Indicates whether there is evidence that the domain in this DNS request is a domain on the blocklist. |
Device configurations that may put corporate and personal data at risk |
untrustedProfileEvidence |
Boolean |
Indicates there is evidence the device has configurations that may put corporate and personal data at risk. |
Device configurations that may put corporate and personal data at risk |
untrustedProfileByDomainSuspicion |
Boolean |
Indicates there is evidence the device has configurations that may put corporate and personal data at risk. |
Domain name |
sourceDomain |
String |
The source domain name for this unresolved DNS request. |
Domain does not exist |
confirmedUnresolvedDomainEvidence |
Boolean |
Indicates whether there is evidence that the DNS request is an unresolved request that returned an error value revealing that the domain does not exist (Windows error code 9003, DNS_ERROR_RCODE_NAME_ERROR, which corresponds to an NXDOMAIN response). |
Error code |
errorCode |
Integer |
The error code returned for the unresolved request. |
Has Connection To Malicious Domain |
connectionToMaliciousDomainEvidence |
Boolean |
Indicates the device has a network connection to a malicious domain. |
Has Connection To Malicious Domain |
connectionToMaliciousDomainSuspicion |
Boolean |
Indicates the device has a network connection to a malicious domain. |
Has resolved classification |
hasResolvedClassification |
Boolean |
Indicates whether or not the requested domain in the DNS query has been previously resolved. |
Is internal domain |
isInternalDomain |
Boolean |
Indicates whether or not the source domain in the DNS request is an internal domain. |
Domain for DNS request classified as malicious |
domainClassificationSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the unresolved domain in the DNS request as malicious. |
Malware domain |
malwareDomainEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the domain in this DNS request as malware. |
Never seen resolved in organization |
neverSeenResolvedInOrganization |
Boolean |
Indicates whether the requested domain in the DNS request has never been resolved in your organization. |
Never seen resolved second level domain in organization |
neverSeenResolvedSecondLevelDomainInOrganization |
Boolean |
Indicates whether or not the second-level domain in the DNS request has ever been resolved in your organization. |
Record type |
recordType |
Enum |
The type of DNS record. Possible values include: In the UI:
In the API:
|
Resolvers |
resolvers |
Array |
A collection of resolvers used in this DNS query. |
Sinkhole domain |
sinkholeDomainEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the domain in this DNS request as a sinkhole domain. |
Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
maliciousPhishingEvidence |
Boolean |
Indicates there is evidence the device visited a site designed (through the use of what appears to be a trusted web form) to deceive users to enter and submit sensitive personal information. |
Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
maliciousPhishingSuspicion |
Boolean |
Indicates the device visited a site designed (through the use of what appears to be a trusted web form) to deceive users to enter and submit sensitive personal information. |
Site designed to secretly hijack the target’s device to mine cryptocurrencies |
cryptojackingDomainEvidence |
Boolean |
Indicates there is evidence the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
Site designed to secretly hijack the target’s device to mine cryptocurrencies |
cryptojackingDomainSuspicion |
Boolean |
Indicates the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
Source domain |
elementDisplayName |
String |
Source domain whose query did not have a resolution |
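The unresolved-domain features above combine naturally into a hunt: external domains that returned "domain does not exist" and have never resolved anywhere in the organization are a cheap first pass for DGA beacons and typo-squats. The following is an added example, not Cybereason's own code. It builds the investigation query body from the feature names in this table, validates those names first (a misspelled facet typically returns an empty result rather than an error), and re-applies the same filters locally to a constructed response so the logic can be checked offline. Assumptions to verify against your platform's API reference: the endpoint `/rest/visualsearch/query/simple`, the body layout (`queryPath` / `requestedType` / `filters` / `facetName` / `values` / `filterType` / `customFields`), the response layout (`data.resultIdToElementDataMap` with per-result `simpleValues`), and the Element API name `DnsQueryUnresolvedFromDomain`. `SAMPLE_RESPONSE` is constructed for illustration, not captured from a server.

```python
"""Added example (not Cybereason's code): build an investigation query from the
Feature names in the table above and apply its filters locally to a constructed
response.  The request/response layouts and the Element API name are
assumptions; confirm them against your platform's API reference.
"""
import json
from typing import Any

# Feature API names copied from the "DNS Query Unresolved to Domain" table,
# keyed by the (assumed) Element API name.
KNOWN_FEATURES = {
    "DnsQueryUnresolvedFromDomain": {
        "elementDisplayName", "sourceDomain", "errorCode", "resolvers",
        "confirmedUnresolvedDomainEvidence", "neverSeenResolvedInOrganization",
        "neverSeenResolvedSecondLevelDomainInOrganization", "isInternalDomain",
        "domainClassificationSuspicion", "malwareDomainEvidence",
    },
}


def build_query(element: str, filters: dict[str, Any], custom_fields: list[str],
                limit: int = 1000) -> dict:
    """Return the JSON body for POST /rest/visualsearch/query/simple (assumed layout).

    Every facet name is checked against the reference table first so a typo
    fails loudly instead of silently returning no results.
    """
    unknown = (set(filters) | set(custom_fields)) - KNOWN_FEATURES[element]
    if unknown:
        raise ValueError(f"unknown feature(s) for {element}: {sorted(unknown)}")
    return {
        "queryPath": [{
            "requestedType": element,
            "filters": [{"facetName": f, "values": [v], "filterType": "Equals"}
                        for f, v in filters.items()],
            "isResult": True,
        }],
        "totalResultLimit": limit, "perGroupLimit": 100, "perFeatureLimit": 100,
        "templateContext": "SPECIFIC", "queriesLimit": 1,
        "customFields": list(custom_fields),
    }


def apply_filters(response: dict, query: dict) -> list[dict]:
    """Re-apply the query's Equals filters to a response (assumed layout) and
    return matching results as flat {feature: first value} dicts."""
    wanted = {f["facetName"]: f["values"][0] for f in query["queryPath"][0]["filters"]}
    hits = []
    for result in response["data"]["resultIdToElementDataMap"].values():
        flat = {k: v["values"][0] for k, v in result["simpleValues"].items() if v["values"]}
        if all(flat.get(k) == v for k, v in wanted.items()):
            hits.append(flat)
    return hits


def _result(**facets: Any) -> dict:
    """One constructed result in the assumed simpleValues shape."""
    return {"simpleValues": {k: {"totalValues": 1, "values": [v]} for k, v in facets.items()},
            "elementValues": {}}


# Constructed response, three unresolved queries.  9003 is the Windows
# DNS_ERROR_RCODE_NAME_ERROR (NXDOMAIN); 9002 is DNS_ERROR_RCODE_SERVER_FAILURE.
SAMPLE_RESPONSE = {"data": {"resultIdToElementDataMap": {
    "guid-1": _result(elementDisplayName="xk3j9q2z7b.example.net", errorCode=9003,
                      confirmedUnresolvedDomainEvidence=True,
                      neverSeenResolvedInOrganization=True, isInternalDomain=False),
    "guid-2": _result(elementDisplayName="printer07.corp.example", errorCode=9003,
                      confirmedUnresolvedDomainEvidence=True,
                      neverSeenResolvedInOrganization=True, isInternalDomain=True),
    "guid-3": _result(elementDisplayName="cdn.example.com", errorCode=9002,
                      confirmedUnresolvedDomainEvidence=False,
                      neverSeenResolvedInOrganization=False, isInternalDomain=False),
}}}

# The hunt: NXDOMAIN, never resolved in the organization, and not an internal
# domain (internal lookups that fail are usually misconfiguration, not C2).
NXDOMAIN_HUNT = build_query(
    "DnsQueryUnresolvedFromDomain",
    {"confirmedUnresolvedDomainEvidence": True,
     "neverSeenResolvedInOrganization": True,
     "isInternalDomain": False},
    ["elementDisplayName", "errorCode", "resolvers"],
)


def nxdomain_hits(response: dict = SAMPLE_RESPONSE) -> list[str]:
    """Domains from the response that satisfy the hunt's filters."""
    return [r["elementDisplayName"] for r in apply_filters(response, NXDOMAIN_HUNT)]


if __name__ == "__main__":
    print(json.dumps(NXDOMAIN_HUNT, indent=2))
    print(nxdomain_hits())
```

To run it against a live server, send `NXDOMAIN_HUNT` as the JSON body of an authenticated POST and pass the decoded response to `apply_filters`; the local re-check is also a handy way to confirm that a `neverSeenResolvedInOrganization` hit is still true after the domain later resolves, since the evidence is evaluated at query time.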
DNS Query Unresolved to IP (EDR)
Use these features to filter for DNS Query Unresolved to IP Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Error code |
errorCode |
String |
The error code returned for the unresolved DNS request. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the unresolved DNS request for this IP address is associated with any suspicions. |
Record type |
recordType |
Enum |
The type of DNS record. Possible values include: In the UI:
In the API:
|
Resolvers |
resolvers |
Array |
List of resolvers for this unresolved DNS query. |
Source IP |
sourceIPAddress |
String |
The IP address queried in this unresolved DNS request. |
Source IP address |
elementDisplayName |
String |
The IP address name used in this unresolved DNS request. |
Domain Name (EDR)
Use these features to filter for Domain Name Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Domain on blocklist |
blacklistDomainEvidence |
Boolean |
Indicates whether there is evidence the domain is a domain on the blocklist. |
Blocklisted domain |
blacklistDomainSuspicion |
Boolean |
Indicates whether or not the domain is a domain on the blocklist. |
Classification comment |
classificationComment |
String |
The comment a user added when providing the domain classification. |
Classification link |
classificationLink |
String |
The link to the domain classification source. |
Classification user |
classificationUser |
String |
The user who gave the domain classification. |
Device configurations that may put corporate and personal data at risk |
untrustedProfileEvidence |
Boolean |
Indicates there is evidence the device has configurations that may put corporate and personal data at risk |
Device configurations that may put corporate and personal data at risk |
untrustedProfileSuspicion |
Boolean |
Indicates the device has configurations that may put corporate and personal data at risk |
Domain name |
elementDisplayName |
String |
The name of the domain. |
Ever resolved domain |
everResolvedDomainEvidence |
Boolean |
Indicates whether there is evidence the domain has been resolved in your organization. |
Ever resolved second level domain |
everResolvedSecondLevelDomainEvidence |
Boolean |
Indicates whether there is evidence the second level domain for this domain has been resolved in your organization. |
Good domain |
isGoodDomainEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service classifies the domain as safe. |
Has resolved classification evidence |
hasResolvedClassificationEvidence |
Boolean |
Indicates whether there is evidence the domain has been previously resolved. |
Has suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the domain is associated with suspicions. |
Indifferent domain |
isIndifferentDomainEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service recognizes this domain as not malicious. |
Is internal domain |
isInternalDomain |
Boolean |
Indicates whether the domain is an internal domain. |
Is internal second level domain |
isInternalSecondLevelDomain |
Boolean |
Indicates whether the second level domain of this domain is an internal domain. |
Is reverse lookup |
isReverseLookup |
Boolean |
Indicates whether the domain has a reverse lookup. |
Is torrent domain |
isTorrentDomain |
Boolean |
Indicates whether the domain is a torrent domain. |
Malicious domain |
isMaliciousDomainEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the domain as malicious. |
Malicious domain |
malwareClassificationEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the domain as malware. |
Malicious domain |
domainClassificationSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the domain as suspicious. |
Malware domain |
domainClassificationSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the domain as malware. |
Name |
name |
String |
The name of the domain. |
Network access to a web service that is known to demonstrate malicious behavior |
connectionToMaliciousDomainEvidence |
Boolean |
Indicates there is evidence the device has a network connection to a web service that is known by threat intelligence services to be malicious. |
Network access to a web service that is known to demonstrate malicious behavior |
connectionToMaliciousDomainSuspicion |
Boolean |
Indicates the device has a network connection to a web service that is known by threat intelligence services to be malicious. |
Related to Malop |
relatedToMalop |
Boolean |
Indicates whether or not the domain is associated with a Malop. |
Reputation |
maliciousClassificationType |
Enum |
The reputation for the domain. Possible values include: In the UI:
In the API:
|
Second level domain |
secondLevelDomain |
String |
The name of the second level domain for this domain. |
Sinkhole domain |
sinkholedClassificationEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the domain as a sinkhole domain. |
Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
maliciousPhishingEvidence |
Boolean |
Indicates there is evidence the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the device user to enter and submit sensitive personal or corporate information. |
Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
maliciousPhishingSuspicion |
Boolean |
Indicates the device visited a site designed (through the use of what appears to be a trusted web form) to deceive the device user to enter and submit sensitive personal or corporate information. |
Site designed to secretly hijack the target’s device to mine cryptocurrencies |
cryptojackingDomainEvidence |
Boolean |
Indicates there is evidence the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
Site designed to secretly hijack the target’s device to mine cryptocurrencies |
cryptojackingDomainSuspicion |
Boolean |
Indicates the device visited a site designed to hijack the device for the purpose of cryptocurrency mining. |
Suspicious domain |
isSuspiciousDomainEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service classified the domain as suspicious. |
Top level domain |
topLevelDomain |
String |
The name of the top level domain (TLD) of this domain. |
Unknown domain |
isUnknownDomainEvidence |
Boolean |
Indicates whether there is evidence the domain is not known to the Cybereason threat intelligence service. |
URL for domain name |
url |
String |
URL associated with the domain name |
Was ever resolved |
everResolvedDomain |
Boolean |
Indicates whether the domain was resolved in your organization. |
Was ever resolved as a second level domain |
everResolvedSecondLevelDomain |
Boolean |
Indicates whether the second level domain for this domain has been resolved in your organization. |
Driver (EDR)
Use these features to filter for Driver Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Driver filename |
name |
String |
The name of the file executing the driver. |
Driver name |
elementDisplayName |
String |
The name of the driver. |
File |
file |
String |
The file that created the driver. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the driver is associated with any Suspicions. |
Known malicious driver |
knownMaliciousDriverFileEvidence |
Boolean |
Indicates whether there is evidence the file running the driver is classified as a file for a known malicious driver. |
Malicious driver |
knownMaliciousDriver |
Boolean |
Indicates whether the Cybereason threat intelligence recognizes the driver as malicious. |
Malicious tool driver |
maliciousToolDriverEvidence |
Boolean |
Indicates whether there is evidence that the driver is a driver for a known malicious tool. |
Driver executed by malicious tool |
maliciousToolDriverSuspicion |
Boolean |
Indicates whether the driver is a driver for a known malicious tool. |
Malware driver |
malwareDriverEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classifies the driver as a driver for malware. |
Driver executed by malicious tool |
malwareDriverSuspicion |
Boolean |
Indicates whether the driver is a driver for malware. |
New driver |
newDriverEvidence |
Boolean |
Indicates whether there is evidence the driver was detected for the first time in your environment. |
New drivers count is above threshold |
newDriversAboveThresholdEvidence |
Boolean |
Indicates whether there is evidence the number of times the new driver appears exceeds an internal threshold (calculated by number of appearances/time period). |
Owner machine |
ownerMachine |
String |
The machine to which this driver belongs. |
Rare driver |
rareDriverEvidence |
Boolean |
Indicates whether there is evidence the driver shows up significantly less than other drivers in the environment. |
Service |
service |
String |
The name of the service that loaded the driver. |
Driver for Potentially Unwanted Program (PUP) |
unwantedDriverEvidence |
Boolean |
Indicates whether there is evidence the driver is a driver for a potentially unwanted program (PUP). |
Unwanted driver suspicion |
unwantedDriverSuspicion |
Boolean |
Indicates whether the driver is suspected of being a driver for a potentially unwanted program (PUP). |
Email Address (XDR)
Use these features to filter for the Email Address Element:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Address name |
address |
String |
The email address string. |
Address type |
type |
String |
The type of email address. Possible values include: In the UI:
In the API:
|
Is an external address |
isExternal |
Boolean |
Indicates whether this email address is external to the organization. |
Recipient addresses for message |
messageRecipientAddresses |
String |
A list of email addresses to whom a message was sent. |
Sender address for message |
messageSenderAddress |
String |
The email address of a message sender. |
Users |
users |
Collection |
List of all user accounts associated with this email address. |
User accounts |
userEmailAddresses |
Array |
A collection of user accounts associated with the email address. |
Event (XDR)
Use these features to filter for the Event Element:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Action taken |
action |
String |
The specific action taken for the event by the product that reported the event. Possible values include: In the UI:
In the API:
|
Alert name |
alertName |
String |
The product-specific name of the alert associated with this event. |
Alert/Rule ID |
alertId |
String |
The product-specific alert/rule ID for the event. |
ATT&CK sub-technique for event |
subTechniques |
String |
MITRE ATT&CK sub-techniques associated with the event. |
ATT&CK tactic for event |
tactic |
String |
MITRE ATT&CK tactics associated with the event. |
ATT&CK technique for event |
techniques |
String |
MITRE ATT&CK techniques associated with the event. |
Authentication details |
authDetails |
String |
Product defined details for the authentication associated with this event from the source that reported the event. |
Authentication mechanism |
authMechanism |
String |
The authentication mechanism used by the event. |
User agent for event |
userAgent |
String |
The user agent reported for the event. |
Browser |
userAgentBrowser |
String |
The browser used by the user associated with this event. |
Connection |
connection |
String |
Connection associated with this event. |
Creation time |
creationTime |
Long |
The time when the event was created in the vendor platform. |
Data source category |
dataSourceCategory |
String |
The product/vendor for the event. |
Display string |
displayString |
String |
The display name of the event. |
Event data source |
dataSource |
String |
The data source for the event, which combines the company name and product name. |
Event description |
description |
String |
Description of the event from the event source. |
IP address for the event originator |
sourceIpAddress |
IP address |
The IP address for the entity that initiated the event. |
Event rule type tag |
tagType |
String |
A product-specific tag added by the product/vendor that generated this event. |
Messages |
message |
Array |
A collection of messages associated with the event. |
Observer hostname |
observerHostname |
String |
The exact hostname of the observer of the event. This name is a concatenation of vendor name, product name, type and sensor. |
Outcome description for event |
outcomeDescription |
String |
The outcome of the event as reported from the product/vendor for the event. |
Product-specific action description |
actionDetails |
String |
The unique description for the event from the product that reported the event. |
eventId |
eventId |
String |
The product-specific event identifier taken from the source that reported the event. |
Product-specific event category |
categoryDetails |
String |
The event category taken from the product/vendor for the event. |
Product-specific event severity |
severityDetails |
String |
The unique details for the severity of the event from the product that reported the event. |
Product-specific rule ID |
ruleId |
String |
A unique ID from the product that reported the event. |
Product-specific rule name |
ruleName |
String |
The unique name for the rule from the product that reported the event. |
Product-specific rule type |
ruleType |
String |
The unique type for the rule from the product that reported the event. |
Product-specific classification for event |
malwareName |
String |
The unique classification from the product that reported the event. |
Product-specific type of event |
typeDetails |
String |
The product-specific name or type of event from the event source. |
Resource associated with event target |
targetResource |
String |
The resource associated with the event target. |
Security category for event |
category |
String |
The category for the event. |
Session ID for user access |
accessSessionId |
String |
The session ID for the event. |
Severity of event |
severity |
String |
The unique severity for the event from the product that reported the event. |
Software category |
softwareCategories |
String |
The software category that reported the event. |
Source file for event |
sourceFile |
String |
The name of the file that is associated with the event. |
Source identity |
sourceUserIdentity |
String |
The user identity associated with this event. |
Source machine |
sourceMachine |
String |
The machine associated with the event. |
Summary of event |
summary |
String |
The unique summary for the event from the product that reported the event. |
Target file for event |
targetFile |
String |
The name of the file that is the target of the event. |
Target group associated with event |
targetGroup |
String |
The group associated with this event. |
Target identity |
targetUserIdentity |
String |
The user identity that was the target for this event. |
Target of event |
victimHost |
String |
The target machine for the event. |
Victim user in the event |
victimUserIdentity |
String |
The user identity associated with the target of the event. |
Timestamp of event |
time |
Timestamp |
The date and time when the event was created. |
Type of event |
type |
String |
The event type. |
User account associated with event originator |
sourceUser |
String |
The user account associated with the entity that initiated the event. |
User account associated with event target |
targetUser |
String |
The user account associated with the target of this event. |
Authentication type |
authType |
String |
The system type for authentication. |
User initiating the event |
performerUserIdentity |
String |
The user identity associated with the entity that initiated the event. |
User performing the event |
performerHost |
String |
The name of the machine that is the original initiator of the event. |
File and Image file (EDR)
Use these features to filter for File or Image file Elements. Note that the API does not differentiate between the two; both use the same feature names:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Apps that are not installed through official channels |
sideloadedAppEvidence |
Boolean |
Indicates there is evidence the device has apps that were not installed through official channels and so are unlikely to have gone through the rigorous quality checks expected of an app store release, and therefore may be poorly written or malicious |
Apps that are not installed through official channels |
sideloadedAppSuspicion |
Boolean |
Indicates the device has apps that were not installed through official channels and so are unlikely to have gone through the rigorous quality checks expected of an app store release, and therefore may be poorly written or malicious |
App-based communication that includes a credit card number in an unencrypted (or easily decrypted) format |
creditCardDataLeakEvidence |
Boolean |
Indicates there is evidence the device has app-based communication that includes credit card numbers in an unencrypted or easily decrypted format |
App-based communication that includes a credit card number in an unencrypted (or easily decrypted) format |
creditCardDataLeakSuspicion |
Boolean |
Indicates the device has app-based communication that includes credit card numbers in an unencrypted or easily decrypted format |
App-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise |
passwordDataLeakEvidence |
Boolean |
Indicates there is evidence the device has app-based communication with a password in an unencrypted or easily decrypted format |
App-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) formats |
userInformationDataLeakEvidence |
Boolean |
Indicates there is evidence the device has app-based communication with an identifiable service user name in an unencrypted or easily decrypted format |
App-based communication that includes the device’s physical geo-location in an unencrypted (or easily decrypted) format |
locationDataLeakEvidence |
Boolean |
Indicates the device has app-based communication with the device physical geo-location in an unencrypted or easily decrypted format |
App-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format |
exposedEmailEvidence |
Boolean |
Indicates the device has app-based communication with an email address in an unencrypted or easily decrypted format. |
Associated Registry entries |
autoruns |
Array |
All registry keys associated with this file |
Benign |
indifferentClassificationEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the file as benign (indifferent) |
Blocklist file |
blacklistClassificationEvidence |
Boolean |
Indicates whether there is evidence the file is a file on the blocklist |
File on blocklist |
blackListedFileSuspicion |
Boolean |
Indicates whether the file is a file on the blocklist |
Canonized path |
canonizedPath |
String |
The canonized path of the file |
Comments |
comments |
String |
Comments in the file metadata |
Company name |
companyName |
String |
Company name as noted in the file |
Creation quarantine action |
fileIsQuarantinedVersion |
String |
The quarantine action that created the quarantine version of the file |
Document contains macro |
documentHasMacroEvidence |
Boolean |
Indicates whether there is evidence the document contains macros |
Document contains autorun macro |
documentHasAutorunMacroEvidence |
Boolean |
Indicates whether there is evidence the document contains macros that run automatically when opening the file |
Document contains Dynamic Data Exchange (DDE) |
documentHasDDEEvidence |
Boolean |
Indicates whether there is evidence the document uses Dynamic Data Exchange (DDE) technology |
Document contains Dynamic Data Exchange (DDE) |
documentHasDDESuspicion |
Boolean |
Indicates whether the document uses Dynamic Data Exchange (DDE) technology and was identified as suspicious |
Document contains dropper macro |
documentHasDropperMacroSuspicion |
Boolean |
Indicates whether the document contains a macro that installs malware |
Document contains malformed header |
documentHasMalformedHeaderEvidence |
Boolean |
Indicates whether there is evidence the document contains malformed headers that might be exploited to spread malware |
Document contains malformed header |
documentHasMalformedHeaderSuspicion |
Boolean |
Indicates whether the document contains malformed headers and is suspected of exploiting this vulnerability to spread malware |
Document contains obfuscated macro |
documentHasObfuscatedMacroSuspicion |
Boolean |
Indicates whether the document contains a macro that was deliberately obfuscated |
Document contains suspicious embedded object |
documentHasSuspiciousEmbeddedObjectEvidence |
Boolean |
Indicates whether there is evidence the document contains an embedded object that might be suspicious |
Document contains suspicious embedded object |
documentHasSuspiciousEmbeddedObjectSuspicion |
Boolean |
Indicates whether the document contains an embedded object that is most likely to be malicious |
Downloaded from domain |
downloadedFromDomain |
String |
The domain from which the file was downloaded |
Downloaded from Internet |
isDownloadedFromInternet |
Boolean |
Indicates whether the file was originally downloaded from the Internet |
Downloaded from IP address |
downloadedFromIpAddress |
Boolean |
Indicates whether the file origin is an IP address from which the file was downloaded |
Dual extension on file name |
dualExtensionEvidence |
Boolean |
Indicates whether there is evidence the file has two extensions |
Email message ID |
downloadedFromEmailMessageId |
String |
The server’s email message ID |
Email subject |
downloadedFromEmailSubject |
String |
The email subject |
Executable |
isPEFile |
Boolean |
Indicates whether or not the file is a PE module |
Executed by Process |
executedByProcessEvidence |
Boolean |
Indicates whether there is evidence the file was executed as the image file of a process |
Extension type |
extensionType |
String |
Type of file extension. Possible values include: In the UI:
In the API:
|
File description |
fileDescription |
String |
Description of file as noted inside the file |
File events |
fileAccessEvents |
String |
File access events |
File hash value |
fileHash |
String |
The file hash value for the file. |
Unverifiable signature |
maliciousSignedUnverifiedSuspicion |
Boolean |
Indicates whether the file has an unverifiable signature that indicates malicious interference with the image file or the certificate used to sign the image file |
File is signed |
signedInternalOrExternal |
Boolean |
Indicates whether the file's signature was verified, either internally by the sensor or externally by the Cybereason threat intelligence service |
Unsigned version of signed file |
unsignedHasSignedVersionEvidence |
Boolean |
Indicates whether there is evidence that this unsigned file has a signed version, which suggests the file may have been altered |
File name |
elementDisplayName |
String |
Full name of the file, including extension |
Suspicious or malicious reputation |
fileReputationSuspicion |
Boolean |
Indicates whether the file has a suspicious or malicious reputation |
File version |
fileVersion |
String |
File version noted inside the file |
Possible camouflaged file |
fileVersionSuspicion |
Boolean |
Indicates whether the file's version metadata raises a suspicion (for example, a file camouflaged as another file) that could contribute to a Malop |
Found in a registry entry |
hasAutorun |
Boolean |
Indicates whether the file is referenced by one of the machine’s autorun registry entries |
Hacking tool |
hackingToolClassificationEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service identified the file as a hacking tool |
Has classification |
hasClassification |
Boolean |
Indicates whether the Cybereason threat intelligence service sources classified this file in some way |
Has Malops |
hasMalops |
Boolean |
Indicates whether or not the file is associated with any Malops |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the file is associated with any Suspicions |
Internal/External Signer |
signerInternalOrExternal |
String |
The signer of the file, taken from the sensor or from VirusTotal |
Internal name |
internalName |
String |
Internal name noted inside the file |
Is installer |
isInstallerProperties |
Boolean |
Indicates whether or not the file is a known installer |
Is suspicious |
isSuspicious |
Boolean |
Indicates whether or not the file is suspicious |
Legal copyright |
legalCopyright |
String |
Legal copyright noted inside the file |
Legal trademarks |
legalTrademarks |
String |
Legal trademarks noted inside the file |
Legitimate classification |
hasLegitClassificationEvidence |
Boolean |
Indicates whether there is evidence the file has a legitimate classification |
Located on removable device |
isFromRemovableDevice |
Boolean |
Indicates whether the file is located on a removable device |
Machine |
ownerMachine |
String |
The machine on which this file is found |
Malformed elf file |
malformedElfFileEvidence |
Boolean |
Indicates whether there is evidence this file is a malformed ELF binary |
Malicious application that demonstrates harmful behavior and disrupts the device |
appMaliciousEvidence |
Boolean |
Indicates there is evidence the device has a malicious application demonstrating harmful behavior that disrupts the device. |
Malicious application that demonstrates harmful behavior and disrupts the device |
appMaliciousSuspicion |
Boolean |
Indicates the device has a malicious application demonstrating harmful behavior that disrupts the device. |
Detected by Anti-Malware |
reportedByAntiMalwareSuspicion |
Boolean |
Indicates whether Cybereason Anti-Malware identified this file as malicious |
Detected by Anti-Malware evidence |
reportedByAntiMalwareEvidence |
Boolean |
Indicates whether there is evidence Cybereason Anti-Malware identified this file as malicious |
Malicious file by Anti-Malware |
reportedAsMaliciousByAVSuspicion |
Boolean |
Indicates whether Anti-Malware Signatures analysis detected this file as malicious |
Malicious file by Anti-Malware evidence |
reportedAsMaliciousByAVEvidence |
Boolean |
Indicates whether there is evidence Anti-Malware Signatures analysis detected this file as malicious |
Malicious tool |
maliciousToolClassificationEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service identified the file as a malicious tool |
Malware |
malwareClassificationEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service identified the file as malware |
Malware that aggressively displays ads, negatively affecting user productivity and device performance |
maliciousPupAppEvidence |
Boolean |
Indicates there is evidence the device has malware that is aggressively displaying ads which affects the user productivity and device performance |
Malware that aggressively displays ads, negatively affecting user productivity and device performance |
maliciousPupAppSuspicion |
Boolean |
Indicates the device has malware that is aggressively displaying ads which affects the user productivity and device performance |
Malware that attempts to obtain escalated system privileges |
adminAppEvidence |
Boolean |
Indicates there is evidence the device has malware which attempts to obtain administrative privileges. |
Malware that attempts to obtain escalated system privileges |
adminAppSuspicion |
Boolean |
Indicates the device has an app that attempts to gain higher privileges. |
Malware that attempts to obtain escalated system privileges |
privEscAppMaliciousEvidence |
Boolean |
Indicates there is evidence the device has an app that attempts to gain higher privileges. |
Malware that attempts to obtain escalated system privileges |
privEscAppMaliciousSuspicion |
Boolean |
Indicates the device has an app that attempts to gain higher privileges. |
Malware that blocks access to a device until a ransom is paid |
maliciousRansomwareAppEvidence |
Boolean |
Indicates there is evidence the device has malware that blocks the access to the device until the device owner pays a ransom. |
Malware that blocks access to a device until a ransom is paid |
maliciousRansomwareAppSuspicion |
Boolean |
Indicates the device has malware that blocks the access to the device until the device owner pays a ransom. |
Malware that causes SMS related charges |
maliciousSMSAppEvidence |
Boolean |
Indicates there is evidence the device has malware that results in SMS-related charges for the device. |
Malware that causes SMS related charges |
maliciousSMSAppSuspicion |
Boolean |
Indicates the device has malware that results in SMS-related charges for the device. |
Malware that is monitoring and collecting information about a user and the device |
maliciousSpywareAppEvidence |
Boolean |
Indicates there is evidence the device has malware that monitors and collects information about the device and the device user. |
Malware that is monitoring and collecting information about a user and the device |
maliciousSpywareAppSuspicion |
Boolean |
Indicates the device has malware that monitors and collects information about the device and the device user. |
Malware that obtains unauthorized access to the person’s mobile device |
maliciousTrojanAppEvidence |
Boolean |
Indicates there is evidence the device has malware that obtains unauthorized access to a device. |
Malware that obtains unauthorized access to the person’s mobile device |
maliciousTrojanAppSuspicion |
Boolean |
Indicates the device has malware that obtains unauthorized access to a device. |
Malware that steals bank credentials |
maliciousBankerAppEvidence |
Boolean |
Indicates there is evidence the device has malware that steals bank credentials. |
Malware that steals bank credentials |
maliciousBankerAppSuspicion |
Boolean |
Indicates the device has malware that steals bank credentials. |
Marked for prevention |
classificationBlocking |
Boolean |
Indicates whether the file is marked for prevention |
File masquerading as video |
masqueradingAsMovieEvidence |
Boolean |
Indicates whether there is evidence the file is masquerading as a video file |
MD5 signature |
md5String |
String |
The file’s MD5 signature |
MIME file type |
extensionType |
String |
The MIME type for the file, such as PE, PDF, or PowerShell script |
Mimikatz resemblance evidence |
mimikatzResourceEvidence |
Boolean |
Indicates whether there is evidence a file displays Mimikatz characteristics |
Mimikatz resemblance |
mimikatzSuspicion |
Boolean |
Indicates whether the file contains suspicions triggered by Mimikatz resources |
Mount point |
mount |
String |
The file’s mount point |
Mounted as |
mountedAs |
String |
What the file is mounted as |
Multiple company names |
multipleCompanyNamesEvidence |
Boolean |
Indicates whether there is evidence the file properties contain multiple company names |
Multiple hashes for same file path and PE information |
multipleHashForUnsignedPeInfoEvidence |
Boolean |
Indicates whether there is evidence the system identified multiple hashes for files with the same path and PE information |
Non-legitimate classification |
hasNonLegitClassificationEvidence |
Boolean |
Indicates whether there is evidence the file has a classification that is not legitimate |
File obscuring file extension |
hiddenFileExtensionEvidence |
Boolean |
Indicates whether there is evidence there was an attempt to hide the file extension from the user |
Original file |
originalVersion |
String |
The original version of this quarantined file |
Original file name |
originalFileName |
String |
The name with which the file first appeared |
Path |
correctedPath |
String |
Path to this file |
Path |
path |
String |
Path to this file |
Potentially unwanted program |
unwantedClassificationEvidence |
Boolean |
Indicates whether there is evidence Cybereason identified the file as a potentially unwanted program |
Private build marker |
privateBuild |
String |
The private build marker noted inside the file |
Attempt to execute malicious file |
attemptExecutionProcessEvidence |
Boolean |
Indicates whether there is evidence that the process attempted to execute a malicious file |
Process(es) attempted to execute malicious file |
attemptExecutionProcessSuspicion |
Boolean |
Indicates whether there is suspicion that the process attempted to execute a malicious file |
Product name |
productName |
String |
The product name noted inside the file |
Product title |
productTitle |
String |
The product title associated with this file |
Product type |
productType |
String |
The product type associated with this file. Possible values include: In the UI
In the API:
|
Product version |
productVersion |
String |
The product version noted inside the file metadata. |
Quarantine actions |
fileIsQuarantined |
Array |
A collection of quarantine actions applied on the original version of the file. |
Quarantined file |
quarantineVersion |
String |
The quarantined version of this file. |
Ransomware |
ransomwareClassificationEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the file as ransomware. |
Recognized product |
identifiedProductEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service noted the file is associated with a recognized application. |
Registry key |
autorun |
String |
Collection of registry keys associated with this file. |
Related to Malop |
relatedToMalop |
Boolean |
Indicates whether or not the file is related to a Malop. |
Meterpreter executable |
meterpreterX86executableEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service identified the file as a Meterpreter (x86) executable, a remote-access tool resource. |
Reputation type |
maliciousClassificationType |
Enum |
The reputation of the file based on Cybereason intelligence feeds and user classification. Possible values include: In the UI:
In the API:
|
Used Windows RTL vulnerability evidence |
rightToLeftFileExtensionEvidence |
Boolean |
Indicates whether there is evidence there was an attempt to hide the file extension using the Windows right-to-left (RTL) override trick, where a Unicode direction-override character makes the displayed extension differ from the real one |
Second extension type |
secondExtensionType |
Enum |
Type of file extension for the second extension. Possible values include: In the UI:
In the API:
|
Sender email address |
downloadedFromEmailFrom |
String |
The email address of the sender who sent the email from which this file was downloaded |
SHA1 Signature |
sha1String |
String |
The file’s SHA1 signature |
SHA256 Signature |
sha256String |
String |
The file’s SHA-256 signature |
Broken link in chain of trust |
signatureVerificationStatusBadChainOfTrustEvidence |
Boolean |
Indicates whether there is evidence of one of the following issues during the chain of trust verification: chain of trust could not be established to a root certificate, chain of trust was built to a root certificate which is not known or recognized as trusted on the local machine, broken chain of trust |
Unverified signature by technical failure |
signatureVerificationStatusTechnicalFailureEvidence |
Boolean |
Indicates whether there is evidence of a technical failure that prohibited completion of the verification process |
Expired signature |
signatureVerificationStatusExpiredEvidence |
Boolean |
Indicates whether there is evidence that any of the signing certificates in the chain of trust has expired |
Revoked signature |
signatureVerificationStatusExplicitlyRevokedEvidence |
Boolean |
Indicates whether there is evidence that any of the signing certificates in the chain of trust has been explicitly revoked |
Mismatched signature |
signatureVerificationStatusHashMismatchEvidence |
Boolean |
Indicates whether there is evidence the file signature hash does not match the file contents |
Misused signature |
signatureVerificationStatusMisuseEvidence |
Boolean |
Indicates whether there is evidence the certificate has been misused |
Unknown root certificate |
signatureVerificationStatusUnrecognizedRootEvidence |
Boolean |
Indicates whether there is evidence that the root certificate is unknown, even if the chain of trust is verified |
User distrust |
signatureVerificationStatusUserDistrustEvidence |
Boolean |
Indicates whether there is evidence the user did not trust the certificate during an interactive session |
Signature verified |
signatureVerified |
Boolean |
Indicates whether the file signature was positively verified |
Signature verified |
signatureVerifiedInternalOrExternal |
Boolean |
Indicates whether the signature was verified in PROV or in Virus Total |
Signed |
isSigned |
Boolean |
Indicates whether or not the file is digitally signed |
Signer |
signer |
String |
The signer of the file |
Signed by Apple |
signedByApple |
Boolean |
Indicates whether the file is signed by Apple |
Signed by Cybereason |
signedByCybereason |
Boolean |
Indicates whether the file is signed by Cybereason |
Signed by Linux |
signedByLinux |
Boolean |
Indicates whether the file is signed by Linux |
Signed by Microsoft |
signedByMicrosoft |
Boolean |
Indicates whether the file is signed by Microsoft |
Signed by Operating System |
signedByOperatingSystem |
Boolean |
Indicates whether the file is signed by the operating system |
Size |
size |
Long |
The file’s size |
Special build |
specialBuild |
String |
The special build marker noted inside the file |
Suspicious screen saver |
suspiciousClassificationEvidence |
Boolean |
Indicates whether there is evidence the file is a screen-saver that Cybereason identified as suspicious |
Suspicious screen saver |
suspiciousScreenSaver |
Boolean |
Indicates whether the file is a screen saver that Cybereason identified as suspicious |
Temporary folder |
temporaryFolderEvidence |
Boolean |
Indicates whether there is evidence the file is located in a temporary folder |
The file’s origin URL |
downloadedFromUrlReferrer |
String |
URL from which the file originated |
The file’s referral URL |
downloadedFromUrlReferrer |
String |
URL referring to the file’s URL |
Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior |
appDownloadedFromThirdPartyStoreEvidence |
Boolean |
Indicates there is evidence the device has an app downloaded from a third-party app store |
Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior |
appDownloadedFromThirdPartyStoreSuspicion |
Boolean |
Indicates the device has an app downloaded from a third-party app store |
Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior |
thirdPartyAppStoreEvidence |
Boolean |
Indicates there is evidence the device has an app that is from a third-party app store instead of the official device app store |
Unknown and unclassified |
unknownClassificationEvidence |
Boolean |
Indicates whether there is evidence the file is not found in the platform’s software databases, and is therefore unknown and unclassified |
Unsigned |
signatureVerificationStatusNotSignedEvidence |
Boolean |
Indicates whether there is evidence the file is not signed |
Unsigned file |
unknownUnsignedEvidence |
Boolean |
Indicates whether there is evidence the file is not signed |
Unsigned file with a known signed version |
unsignedHasSignedVersion |
Boolean |
Indicates whether the file is unsigned even though a signed version of it exists |
Unsigned file with a known signed version |
unsignedPeFileEvidence |
Boolean |
Indicates whether there is evidence the PE file is unsigned even though a signed version of it exists |
Unverified |
unsignedScreenSaver |
Boolean |
Indicates whether the file is signed even though its signer is not verified |
Unverified signature |
unverifiedPeFileEvidence |
Boolean |
Indicates whether there is evidence the image file is signed but the signature could not be verified against a trusted signer |
Allowlist |
whitelistClassificationEvidence |
Boolean |
Indicates whether there is evidence the file is on the allowlist |
Vulnerable App Installed |
vulnerableProgramEvidence |
Boolean |
Indicates there is evidence the device has a vulnerable app installed |
WMI Persistent Objects |
wmiPersistentObjects |
Collection |
A list of WMI persistent objects related to this file. This Feature is available from version 21.2.43 and higher |
File Event (EDR)
Use these features to filter for File Event Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Event type |
fileEventType |
Enum |
The type of file event. Possible values include: In the UI:
In the API:
|
File access events |
fileAccessEvents |
Array |
A collection of the file events for a file. |
File event instance name |
elementDisplayName |
String |
The name of the file event including the process and file name involved with the file event. |
File information |
fileInfo |
String |
The information on the file. |
First instance timestamp |
firstAccessTime |
Integer |
The time (in epoch) when the file event was first collected by the Cybereason platform. |
File path |
path |
String |
The path to the file associated with the file event. |
Has Malops |
hasMalops |
Boolean |
Indicates if the file event is associated with any Malops. |
Has suspicions |
hasSuspicions |
Boolean |
Indicates if the file event is associated with any Suspicions. |
Is hidden |
isHidden |
Boolean |
Indicates if the file associated with the file event is marked as hidden in the file properties. |
New path after rename event |
newPath |
String |
The new path to the file after a file rename event. |
Owner machine |
ownerMachine |
String |
The machine name of the machine on which the file event happened. |
Owner process |
ownerProcess |
String |
The process that caused the file event. |
Owner user |
ownerUser |
String |
The user logged into the machine on which the file event occurred. |
Process file events |
fileAccessEvents |
Array |
A collection of file events for a process. |
Related to Malop |
relatedToMalop |
Boolean |
Indicates if this file event is associated with a Malop. |
Forensics Artifact (EDR)
Use these features to filter for Forensic Artifact Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Associated with Malops |
hasMalops |
Boolean |
Indicates whether the forensic artifact was associated with any Malops. |
Associated with suspicions |
hasSuspicions |
Boolean |
Indicates whether the forensic artifact was associated with any suspicions. |
Collector details |
collectorMetadata |
String |
The name of the tool package that collected the data for the forensic artifact. |
Collection time |
collectionTime |
Long |
The time (in milliseconds) when the data was collected. |
File name |
executableFileName |
String |
The file name of an executable file. |
File path |
executableFullPath |
String |
The path to an executable file. |
First run time |
firstRuntime |
Long |
The time (in milliseconds) when the file was first run. |
Forensic artifact |
elementDisplayName |
String |
The name of a forensic artifact. |
Latest run time |
lastRuntime |
Long |
The last time an executable file was run. |
Number of runs |
numberOfRuns |
Integer |
The number of times the file was run. |
N/A |
sourceFileName |
String |
A source file. |
Owner process |
process |
String |
The process associated with the forensic artifact. |
N/A |
lastRuntimes |
Array |
A collection of the run times of the file in the forensic artifact. |
Source file path |
sourceFullPath |
String |
The file path to a source file. |
Type |
type |
Enum |
The type of forensic artifact. In the UI:
In the API:
|
Function Details (EDR)
Use these features to filter for Function Details Elements.
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Exporting module |
exportingFile |
String |
The name of the module that exported the function. |
Function Details |
elementDisplayName |
String |
Details for the function. |
Hooked module |
hookedModule |
String |
The target module to which the function added the hook. |
Hooking module |
hookingModule |
String |
The origin module from which the function created the hook. |
Type |
type |
Enum |
The type of function. Possible values include In the UI:
In the API:
|
Group (XDR)
Use these features to filter for the Group Element.
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Email addresses of group |
emailAddresses |
Collection |
A collection of email addresses included in the group. |
Events related with group |
relatedEvents |
Collection |
A collection of events associated with this group. |
Group name |
name |
String |
The displayed name for the group. |
Product-specific group ID |
id |
String |
A product-specific unique identifier, such as an LDAP Object identifier. |
Hosts File (EDR)
Use these features to filter for Hosts File Elements.
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Domain to domain |
domainToDomain |
Array |
Collection of domain to domain DNS queries associated with this hosts file. |
DNS entries |
domainToIp |
Array |
Collection of domain to IP DNS queries associated with this hosts file. |
File |
file |
String |
The file name for this hosts file. |
File name |
elementDisplayName |
String |
The displayed name of the hosts file. |
Machine |
ownerMachine |
String |
The machine on which this hosts file is found. |
IP Address (EDR and XDR)
Use these features to filter for IP Address Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Address on blocklist |
blackListIPSuspicion |
Boolean |
Indicates whether the customer classification or the Cybereason threat intelligence service classifies the IP address as being on the blocklist. |
Address type |
version |
String |
The IP version for the IP address. |
City name |
city |
String |
The city associated with the geographic location for the IP address. |
Classification comment |
classificationComment |
String |
The comment added to a classification assigned for this IP address. |
Classification user |
classificationUser |
String |
The user who classified the IP address. |
Country code |
countryCode |
String |
The country code associated with the geographic location of the IP address. |
Country name |
countryNameOrNotExternalType |
String |
The name of the country for the geographic location for the IP address. |
Gateway |
isGateway |
Boolean |
Indicates whether the IP address is the address for a gateway. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether the IP address is associated with any suspicions. |
Indifferent address |
isIndifferentIpAddressEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service classified the IP address as indifferent. |
IP address |
elementDisplayName |
String |
The IP address. |
Is DHCP |
isDhcpServer |
Boolean |
Indicates whether the IP address is the address of a DHCP server. |
Latitude |
latitude |
Float |
The latitude for the geographic location of the IP address. |
Longitude |
longitude |
Float |
The longitude for the geographic location of IP address. |
Machine |
ownerMachine |
String |
The machine to which this address belongs. |
Malicious address |
maliciousAddress |
Boolean |
Indicates whether the Cybereason threat intelligence service classified this IP address as malicious. |
Malicious by Cybereason block list |
maliciousByCybereasonBlackList |
Boolean |
Indicates whether this IP address is blocked due to the address classification by the Cybereason threat intelligence service. |
Malicious by Tor list |
maliciousByTorBlockList |
Boolean |
Indicates whether this address is classified as malicious because it is part of the Tor network. |
Classified as malicious |
ipAddressReputationSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence sources determined that the IP address has a bad reputation. |
Region |
region |
String |
The region associated with the geographic location of the IP address. |
Reputation |
addressReputation |
Enum |
The reputation classification for the IP address. |
Reputation source |
ipReputationSource |
String |
The reputation information source used to determine the reputation of the address. |
Related to Malop |
relatedToMalop |
Boolean |
Indicates whether or not the address is related to a Malop. |
Safe address |
isGoodIpAddressEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason threat intelligence service recognizes the address as safe. |
Suspicious address |
isSuspiciousIpAddressEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified this IP address as suspicious. |
Unknown address |
isUnknownIpAddressEvidence |
Boolean |
Indicates whether there is evidence the address is not known by the Cybereason threat intelligence service. |
Used by malware |
accessedByMalwaresOnly |
Boolean |
Indicates whether the address is known to only be used by malware. |
Version |
version |
String |
The IP protocol version used by the IP address. |
IP Range Scan (EDR)
Use these features to filter for IP Range Scan Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Creation time |
creationTime |
Integer |
The time of the IP range scan with the format Month, day at hh:00 (in the UI) or in epoch (in the API). |
Has Malops |
hasMalops |
Boolean |
Indicates whether or not the IP range scan is associated with any Malops. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the IP range scan is associated with any Suspicions. |
IP range scan |
elementDisplayName |
String |
The name of the IP range scan. |
Owner process |
ownerProcess |
String |
The process that performed the scan. |
Listening Connection (EDR)
Use these features to filter for Listening Connection Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Address type |
addressLocation |
Enum |
The type of address for the listening connection. Possible values include In the UI:
In the API:
|
Connections |
connections |
Array |
Collection of the connections associated with this listening socket. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the listening connection is associated with any Suspicions. |
Listening connection end time |
endTime |
Long |
The time the listening connection ended in the format Month day, at hh:00 (in the UI) or in epoch (in the API). |
Local address |
localAddress |
String |
The local IP address used by this listening connection. |
Local address and port |
elementDisplayName |
String |
The local address and port of the listening connection. |
Local port |
localPort |
Integer |
The port used by the listening connection. |
Owner machine |
ownerMachine |
String |
The machine on which this listening socket is found. |
Owner process |
ownerProcess |
String |
The process creating the listening socket connection. |
Service |
ownerService |
String |
The service which opened the listening connection. |
Transport protocol |
transportProtocol |
Enum |
The IP protocol used to establish the connection. Possible values include In the UI:
In the API:
|
Local Network (Mac and Linux machines only) (EDR)
Use these features to filter for Local Network Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Connected SSIDs |
wifiSsid |
String |
The Wi-Fi SSID string associated with this local network. This information is relevant for Mac machines only. |
DHCP server address |
dhcpServer |
String |
IP address of the DHCP server of the local network. |
DNS server address |
dnsServer |
String |
Address of the DNS server associated with the local network. |
LAN name |
elementDisplayName |
String |
The name of the local network. |
Local network’s default search domain |
searchDomain |
String |
The default search domain for the local network. |
MAC address of the network’s gateway |
gatewayMac |
String |
The MAC address of the local network gateway. |
Network interfaces |
networkInterfaces |
Array |
Collection of the network interfaces for the local network. |
Logon Session (EDR)
Use these features to filter for Logon Session Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Client remote session |
clientRemoteSession |
Array |
Collection of all remote sessions connected from this logon session. |
Empty or null work station evidence |
emptyOrNullWorkStationEvidence |
Boolean |
Indicates whether there is evidence that the workstation field in the Windows logon details is empty or null. |
Has Malops |
hasMalops |
Boolean |
Indicates whether or not the logon session is associated with any Malops. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether or not the logon session is associated with any Suspicions. |
Logon application type |
logonApplication |
Enum |
The application type for the logon session. Possible values include In the UI:
In the API:
|
Logon session name |
elementDisplayName |
String |
The Display name of the logon session. |
Logon type |
logonType |
Enum |
The type of logon session. Possible values include In the UI:
In the API:
|
LUID |
LUID |
String |
The locally unique identifier (LUID) of the logon session. |
Owner machine |
ownerMachine |
String |
The machine on which this logon session originated. |
Pass the hash |
passTheHashMalop |
Boolean |
Indicates whether the Cybereason platform detected a pass the hash attack using this logon session. |
Pass the ticket |
passTheTicketMalop |
Boolean |
Indicates whether the logon session loaded a stolen ticket into the Kerberos ticket cache in order to perform a Pass the Ticket attack. |
Pass the ticket remote sessions |
passTheTicketRemoteSessionEvidence |
Boolean |
Indicates whether there is evidence that the logon session loaded a stolen ticket into the Kerberos ticket cache during this logon session. |
Processes |
processes |
Array |
Collection of processes created in the context of this logon session. |
Proxies |
proxies |
Array |
Collection of the proxies associated with this logon session. |
Related to Malop |
relatedToMalop |
Boolean |
Indicates whether or not the logon session was involved in the triggering of any Malops. |
Remote machine |
remoteMachine |
String |
Name of the remote machine associated with this logon session. |
Remote network machine |
remoteNetworkMachine |
String |
Name of the remote network machine associated with this logon session. |
Server remote session |
serverRemoteSession |
Array |
Collection of all remote sessions connected to this logon session. |
Session with credentials mismatch |
passTheTicketSuspicion |
Boolean |
Indicates whether the Cybereason platform detected the logon session obtaining an unauthorized Kerberos ticket. |
Source IP |
sourceIp |
String |
The source IP address for the logon session. |
Pass the Hash with stolen credentials |
passTheHashSuspicion |
Boolean |
Indicates whether the logon session used stolen credentials as part of a Pass the Hash attack. |
Unexpected key length evidence |
unexpectedKeyLengthEvidence |
Boolean |
Indicates whether there is evidence the session’s key length in the Windows logon details is a value other than 128 (bits). |
Unexpected NTLM key evidence |
zeroKeyLengthEvidence |
Boolean |
Indicates whether there is evidence the NTLM key has an unexpected value. |
User |
user |
String |
The user for this logon session. |
Windows logon details |
winLogonDetails |
String |
Details about the logon/logoff category in the Windows security log file. |
Machine (EDR and XDR)
Use these features to filter for the Machine Element:
UI Name | API Name | Type | Description |
---|---|---|---|
Active users on asset | activeUsers | Collection | A list of all active users for the asset. |
Android Device - Compatibility Not Tested By Google | SafetyNetAttestationCtsProfileMatchFalseEvidence | Boolean | Indicates the Android device compatibility has not been tested by Google and the device is not considered safe. |
Asset type | type | Enum | The type of asset (machine). Potential values include (but are not limited to): In the UI: In the API: |
BlueBorne vulnerability evidence | blueborneVulnerabilityEvidence | Boolean | Indicates there is evidence the device has the BlueBorne vulnerability. |
Canonical name | adCanonicalName | String | The machine’s canonical name according to Active Directory information. |
Client interactions | clientInteractions | Array | Collection of interactions in which the machine participates as the client machine. |
Company | adCompany | String | The company associated with this machine according to Active Directory information. |
CPU core count | cpuCount | Integer | The number of CPU cores for the machine. |
Cybereason for Mobile not activated on all profiles for Android For Work | afwBothProfilesNotActivatedEvidence | Boolean | Indicates that the Cybereason Mobile sensor and associated profile are not activated on all the Android for Work profiles on the device. |
Department | adDepartment | String | The department associated with this machine according to Active Directory information. |
Description | adDescription | String | The description of the machine according to Active Directory information. |
Developer Options enabled | developerOptionsEvidence | Boolean | Indicates there is evidence the device has the Developer Options setting enabled. |
Developer mode is enabled; sideloading from unknown sources, USB debugging and other configurations that can lead to security risks can be enabled | usbAppVerifyDisabledEvidence | Boolean | Indicates that the device has developer mode enabled, which allows an attacker to sideload apps from unknown sources, use USB debugging and change other configurations. |
Device Encryption not set up | encryptionEvidence | Boolean | Indicates the device does not have encryption set up. |
Device model | deviceModel | String | The model of the machine, for Mac devices only. |
Device Pin | pinEvidence | Boolean | Indicates there is evidence the device has a device PIN. |
Display name | adDisplayName | String | The machine display name according to Active Directory information. |
DNS change | configDnsEvidence | Boolean | Indicates there is evidence that changes were made to the device DNS configuration. |
DNS host name | adDNSHostName | String | The DNS host name according to Active Directory information. |
Free disk space | freeDiskSpace | Long | The total available disk space on the machine in bytes. |
Free memory | freeMemory | Long | The total available memory on the machine in bytes. |
Gateway change | configGatewayEvidence | Boolean | Indicates there is evidence that changes were made to the device gateway. |
Google Play Protect disabled | configGooglePlayProtectDisabledEvidence | Boolean | Indicates that Google Play Protect has been disabled on the device. |
Has Malops | hasMalops | Boolean | Indicates whether or not the machine is associated with any Malops. |
Has removable device | hasRemovableDevice | Boolean | Indicates whether or not a removable device is connected to the machine. |
Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the machine is associated with any Suspicions. |
Has suspicious processes | isSuspiciousOrHasSuspiciousProcessOrFile | Boolean | Indicates whether the machine has processes marked as suspicious. |
High number of downloaded processes | highNumberOfDownloadedProcessesEvidence | Boolean | Indicates whether there is evidence that there are multiple processes running on the machine with image files downloaded from the Internet. |
High number of new processes | highNumberOfNewProcessesEvidence | Boolean | Indicates whether there is evidence that there are multiple new processes running on the machine. |
High users count | highNumberOfUsersEvidence | Boolean | Indicates whether or not there is evidence that the number of users on the machine is significantly high compared to the number of users on other machines in the environment. |
Host name for this asset | name | String | The host (machine) name for the asset. |
Hosts file | hostsFile | String | The hosts file associated with this machine. |
Is connected to Cybereason | isActiveProbeConnected | Boolean | Indicates whether the machine has a sensor currently connected to the Cybereason server. |
Is isolated | isIsolated | Boolean | Indicates whether the machine is isolated from the network. |
Is laptop | isLaptop | Boolean | Indicates whether the machine is a laptop. |
Is Linux | isLinux | Boolean | Indicates whether the machine is running a Linux operating system. |
Is Mac | isMac | Boolean | Indicates whether the machine is a Mac. |
Is Windows | isWindows | Boolean | Indicates whether the machine is running a version of the Windows operating system. |
Is Windows desktop | isWindowsDesktop | Boolean | Indicates whether the machine is running a Windows desktop operating system. |
Is Windows Server | isWindowsServer | Boolean | Indicates whether the machine is running a Windows Server operating system. |
Lock screen is disabled; the device encryption is rendered useless against physical attacks | lockScreenDisabledEvidence | Boolean | Indicates there is evidence the device lock screen has been disabled, so device encryption is rendered useless against physical attacks. |
Machine domain name | domainFqdn | String | The fully qualified domain name (FQDN) of the machine. |
Machine name | computerName | String | Name of the computer as reported by the operating system. |
Machine name | elementDisplayName | String | The machine name as reported by the operating system. |
Machine role | adMachineRole | String | The machine role according to Active Directory information. |
Machine timezone | timezoneUTCOffsetMinutes | String | The timezone of the machine as an offset from UTC (in minutes). |
Malicious processes | hasMaliciousProcessesEvidence | Boolean | Indicates whether there is evidence that the Cybereason platform detected malicious processes on the machine. |
MBR Hash | mbrHashString | String | The hash value of the machine’s Master Boot Record. |
Network domain of asset | domainFqdn | String | The network domain of the asset. |
Network interfaces | networkInterfaces | Array | Collection of the network interfaces associated with this machine. |
Modified build of an operating system that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack | jailbrokenEvidence | Boolean | Indicates there is evidence the device is running a modified build of the device operating system, which makes the device more vulnerable to attack. |
Modified build of an operating system that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack | jailbrokenSuspicion | Boolean | Indicates the device is running a modified build of the device operating system, which makes the device more vulnerable to attack. |
Network proxy change | configProxyEvidence | Boolean | Indicates there is evidence of a proxy configuration change on the mobile device that is indicative of sending traffic to a non-intended destination. |
Network proxy change | configProxySuspicion | Boolean | Indicates there was a proxy configuration change on the mobile device that is indicative of sending traffic to a non-intended destination. |
New administrator tool | newAdminToolforMachineEvidence | Boolean | Indicates whether there is evidence that Cybereason detected a new administrator tool on the machine. |
Not verified Android Debug Bridge (ADB) apps installed | adbAppsNotVerifiedEvidence | Boolean | Indicates there is evidence the device has non-verified Android Debug Bridge (ADB) apps installed. |
Older version of an OS that is more vulnerable to known security exploits | vulnerableOsMajorVersionEvidence | Boolean | Indicates the device is running an older version of an operating system that is more vulnerable to known security exploits. |
Organization | organization | String | The organization associated with this machine according to Active Directory information. |
Organizational unit (ou) | adOU | String | The organizational unit associated with this machine according to Active Directory information. |
OS minor version | osVersionMinor | String | The minor number of the OS version. |
OS type | osType | Enum | The general type of the operating system. Values include In the UI: In the API: |
OS version | osVersionType | Enum | The string identifying the operating system. Values include In the UI: In the API: |
Outdated | isOutdatedEvidence | Boolean | Indicates whether there is evidence the machine has not installed the latest service pack for its operating system. |
Over-The-Air (OTA) updates disabled | otaUpdatesDisabledEvidence | Boolean | Indicates there is evidence the device has Over-the-Air updates disabled. |
Owner organization | ownerOrganization | String | The organization to which this machine belongs. |
Platform architecture | platformArchitecture | Enum | The underlying architecture of the platform of the machine. Values include In the UI: In the API: |
Pylum ID | pylumId | String | The machine’s Pylum ID (Cybereason sensor ID). |
Removable devices | removableDevices | Array | Collection of removable devices connected to the machine. |
Running malicious tool | runningMaliciousToolEvidence | Boolean | Indicates whether there is evidence that a malicious tool is running on the machine. |
Scanning activity | scanningActivitySuspicion | Boolean | Indicates whether a process on the machine performed scanning activity against internal addresses in the network. |
Security identifier (sid) | adSid | String | The immutable identifier of the user according to Active Directory information. |
SELinux disabled evidence | selinuxDisabledEvidence | Boolean | Indicates there is evidence that a modification to the operating system’s security features (SELinux) was detected. SELinux is a core security feature of the operating system, intended to control access internally and help maintain the integrity of the operating system. |
SELinux disabled | selinuxDisabledSuspicion | Boolean | Indicates that a modification to the operating system’s security features (SELinux) was detected. SELinux is a core security feature of the operating system, intended to control access internally and help maintain the integrity of the operating system. |
Sensor group | group | Array | The unique identifier the Cybereason platform uses for the sensor group of the sensor. |
Server interactions | serverInteractions | Array | Collection of interactions in which the machine participates as the server machine. |
Source machine for event | eventSourceMachine | Array | A collection of machines associated with an event. |
Spreading drivers | spreadDrivers | Array | Collection of new drivers whose appearance exceeds an internal threshold (calculated by number of appearances per time period). |
SSL/TLS downgrade evidence | sslTlsDowngradeEvidence | Boolean | Indicates there is evidence that SSL/TLS was downgraded to force apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information. |
SSL/TLS downgrade | sslTlsDowngradeSuspicion | Boolean | Indicates that SSL/TLS was downgraded to force apps to use old encryption protocols. These protocols may be vulnerable to attacks that allow third parties to view encrypted information. |
Stagefright vulnerability | mediaserverSfVulnerabilityEvidence | Boolean | Indicates there is evidence that the device contains Stagefright vulnerabilities, that is, an OS patch version susceptible to compromise. |
Suspicious profile added evidence | profileSuspiciousEvidence | Boolean | Indicates there is evidence that a new suspicious profile was introduced to the environment and is not explicitly trusted or untrusted. It is recommended that the Administrator review the profile and mark it as trusted or untrusted. |
Suspicious profile added | profileSuspiciousSuspicion | Boolean | Indicates that a suspicious new profile was introduced to the environment and is not explicitly trusted or untrusted. It is recommended that the Administrator review the profile and mark it as trusted or untrusted. |
Time since last communication | timeStampSinceLastConnectionTime | Integer | The last time (in epoch) the machine communicated with the Cybereason server. |
Total disk space | totalDiskSpace | Long | The total disk space on the machine in bytes. |
Total memory | totalMemory | Long | The total available memory on the machine in bytes. |
Unknown download sources enabled evidence | configUnknownSourcesEvidence | Boolean | Indicates there is evidence that app downloads from locations other than the Google Play store are enabled. |
Unknown download sources enabled | configUnknownSourcesSuspicion | Boolean | Indicates that app downloads from locations other than the Google Play store are enabled. |
Uptime | uptime | Long | The time (in epoch) since the machine was last restarted, in #days, hh:mm:ss. |
USB Debugging mode enabled | usbDebuggingEvidence | Boolean | Indicates that USB Debugging (an advanced configuration option intended for development purposes only) was enabled. With USB Debugging enabled, the device can accept commands from a computer when plugged into a USB connection. |
User identity associated with this asset | users | Collection | List of user identities associated with this asset. |
Vulnerable Android version | vulnerableAndroidEvidence | Boolean | Indicates that the Android version installed on the device is not up-to-date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the operating system immediately. |
Vulnerable iOS version | vulnerableIosEvidence | Boolean | Indicates that the iOS version installed on the device is not up-to-date. The outdated operating system exposes the device to known vulnerabilities and the threat of being exploited by malicious actors. It is advised to update the operating system immediately. |
Vulnerable, non-upgradeable Android version | vulnerableAndroidNonUpgradeableEvidence | Boolean | Indicates that the device is running a vulnerable Android version. However, the device is not eligible for an operating system upgrade at this time. |
Vulnerable, non-upgradeable iOS version | vulnerableIosNonUpgradeableEvidence | Boolean | Indicates that the device is running a vulnerable iOS version. However, the device is not eligible for an operating system upgrade at this time. |
Web shell detected | machineWebShellEvidence | Boolean | Indicates whether there is evidence that the Cybereason platform detected a web shell running on this machine. |
Zero ARP entries above threshold | zeroArpEntriesAboveThreshold | Boolean | Indicates whether the ARP table was filled with a high number of zero entries, which is an indication that scanning activity was performed on the machine. |
Message (XDR)
Use these features to filter for the Message Element:
UI Name | API Name | Type | Description |
---|---|---|---|
Attachments | attachments | Collection | A list of attachments for the message. |
Events related with message | relatedEvents | Array | A collection of events associated with this message. |
Links | links | Collection | Collection of domain links for the message. |
Message ID | messageId | String | The unique message ID for the message. |
Message type | type | String | The type of the message. Possible values include: In the UI: In the API: |
Origin address of message | senderAddress | String | The email address of the sender of the message. |
Recipient addresses of message | receipientAddresses | Collection | A list of the email addresses for the recipients of the message. |
Subject line of message | subject | String | The subject line in the message. |
Machines Interaction (XDR)
Use these features to filter for Machine Interaction Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
IP address of client machine for attacker | attackerClientMachineIP | IP address | The IP address of the client machine for the attacker in this interaction, as seen from the attacker machine’s perspective. Note that this property may differ from the IP address for the attacker machine as determined from the victim side of an attack. For example, say you have a network with the following 2 network segments: 127.16.0.x and 192.168.0.x. The attacker is in the 127.16.0.100 segment and the victim in the 192.168.0.200 segment. You also have a proxy or NAC in between with the following segments - 127.16.0.77 and 192.168.0.81. This property will be displayed as follows: attackerClientMachineIP - 127.16.0.100; attackerServerMachineIP - 127.16.0.81; victimClientMachineIP - 192.168.0.77; victimServerMachineIP - 192.168.0.200 |
IP address of server machine for attacker | attackerServerMachineIP | IP address | The IP address of the server machine for the attacker in this interaction, as seen from the attacker machine’s perspective. Note that this property may differ from the IP address for the attacker machine as determined from the victim side of an attack. For example, if you have a network with 2 network segments: 127.16.0.x and 192.168.0.x. The attacker is in the 127.16.0.100 segment and the victim in the 192.168.0.200 segment. You also have a proxy or NAC in between with the following segments - 127.16.0.77 and 192.168.0.81. This property will be displayed as follows: |
First time detected on attacker machine | attackerTimestamp | Integer | The timestamp of the first time the attacker machine detected the interaction event. |
Client machine | clientMachine | String | The machine name of the machine identified as the client in this interaction. |
IP address of client machine | clientMachineIp | IP address | The IP address for the machine identified as the client machine in this interaction. |
Port on client machine | clientMachinePort | Integer | The port used by the machine identified as the client machine in this interaction. |
Process initiating interaction | clientProcess | String | The name of the process that initiated the interaction between machines. |
User on client machine | clientUser | String | The user on the client machine associated with the interaction. |
Interaction description | elementDisplayName | String | The description of the interaction. |
Interaction protocol | interactionProtocol | Enum | The communication protocol used by the machines in the interaction. Possible values include: |
Machine role in interaction | interactionRole | Enum | The role of the machine in the interaction. Possible values include: |
Interaction type | interactionType | Enum | The type of interaction. Use PASS_THE_HASH. |
Associated with Malops | malops | Boolean | Indicates whether the interaction operation is associated with any Malops. |
Receiver machine for Pass the Hash evidence | passTheHashReceiverEvidence | Boolean | Indicates whether there is evidence that the machine is the receiving machine for a Pass the Hash attack. |
Pass the Hash receiver machine | passTheHashReceiverSuspicion | Boolean | Indicates whether the machine is the receiving machine for a Pass the Hash attack. |
Sender machine for Pass the Hash evidence | passTheHashSenderEvidence | Boolean | Indicates whether there is evidence that the machine is the sending machine for a Pass the Hash attack. |
Pass the Hash sender machine | passTheHashSenderSuspicion | Boolean | Indicates whether the machine is the sending machine for a Pass the Hash attack. |
Related to Malop | relatedToMalop | Boolean | Indicates whether the interaction operation is related to a Malop. |
Server machine | serverMachine | String | The name of the machine identified as the server in this interaction operation. |
Server machine IP | serverMachineIp | IP address | The IP address for the machine identified as the server machine in this interaction operation. |
Server machine port | serverMachinePort | Integer | The port used by the machine identified as the server machine in this interaction. |
Process initiating interaction on the server machine | ServerProcess | String | The name of the process initiating the interaction operation on the server machine. |
Server user | serverUser | String | The user on the server machine associated with the interaction. |
Compromised user | user | String | The name of the user with the compromised credentials that were used as part of the interaction operation. |
IP address for victim client machine | victimClientMachineIp | IP address | The IP address of the machine identified as the client machine, which was also the victim in this interaction, as seen from the victim machine’s perspective. Note that this property may differ from the IP address for the attacker machine as determined from the victim side of an attack. For example, if you have a network with 2 network segments: 127.16.0.x and 192.168.0.x. The attacker is in the 127.16.0.100 segment and the victim in the 192.168.0.200 segment. You also have a proxy or NAC in between with the following segments - 127.16.0.77 and 192.168.0.81. This property will be displayed as follows: |
IP address for victim server machine | victimServerMachineIp | IP address | The IP address of the machine identified as the server machine, which was also the victim in this interaction, as seen from the victim machine’s perspective. Note that this property may differ from the IP address for the attacker machine as determined from the victim side of an attack. For example, if you have a network with 2 network segments: 127.16.0.x and 192.168.0.x. The attacker is in the 127.16.0.100 segment and the victim in the 192.168.0.200 segment. You also have a proxy or NAC in between with the following segments - 127.16.0.77 and 192.168.0.81. This property will be displayed as follows: |
First time detected on victim machine | victimTimestamp | Integer | The timestamp of the first time the victim machine detected the interaction event. |
Malop Logon Session (EDR)
Use these features to filter for Malop Logon Session Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Affected machines | affectedMachines | Array | Collection of machines affected by this Malop. |
Affected users | affectedUsers | Array | Collection of users affected by this Malop. |
Detection type | detectionType | Enum | The type of detection for the Malop. Possible values include: In the UI: In the API: |
Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the element has any suspicions. |
Malicious activity type | elementDisplayName | String | Type of malicious activity that triggered the Malop. |
Malop activity type | malopActivityTypes | String | Type of activity detected. |
Primary Malop type | primaryMalopType | Enum | The primary type of activity detected. Possible values include In the UI: In the API: |
Root cause elements | rootCauseElements | String | The Elements identified as the root cause of the Malop. |
Suspects | suspects | Array | Collection of suspect processes associated with this Malop. |
Malop Process (EDR)
Use these features to filter for Malop Process Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Has Ransomware processes suspended | hasRansomwareSuspendedProcesses | Boolean | Indicates whether or not any of the Malop’s suspicious processes are currently suspended due to ransomware activity. |
Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the process associated with the Malop is associated with any Suspicions. |
Malicious activity type | elementDisplayName | String | Type of activity detected. |
Malop activity types | malopActivityTypes | String | Type of activity detected. |
Malop has suspended processes | allRansomwareProcessesSuspended | Boolean | Indicates whether or not the Malop has malicious processes which are suspended. |
Marked for prevention | isBlocked | Boolean | Indicates whether or not the Malop has malicious processes that are marked for prevention. |
Root cause element hashes | rootCauseElementHashes | String | Hash value of the Element that triggered the Malop. |
Root cause element names | rootCauseElementNames | String | Name of the Element that triggered the Malop. |
Root cause element types | rootCauseElementTypes | String | Type of Element that triggered the Malop. |
Root cause elements | rootCauseElements | String | The Element that triggered the Malop. |
Root cause elements company and product | rootCauseElementCompanyProduct | String | The company and product associated with the Element that triggered the Malop, represented as company:product. |
Root cause type | detectionType | Enum | The root cause for the Malop. Possible values include: In the UI: In the API: |
Primary Malop type | primaryMalopType | Enum | The type of the primary Malop. Possible values include In the UI: In the API: |
Suspects host processes | suspectsHostProcesses | Array | Collection of suspect processes associated with this Malop process that are host processes. |
Suspects injecting processes | suspectsInjectingProcessses | Array | Collection of suspect processes associated with this Malop process that are injecting processes. |
Suspects processes | suspectsProcesses | Array | Collection of suspect processes associated with this Malop process. |
Total number of incoming connections | totalNumberOfIncomingConnections | Integer | Total number of incoming connections associated with the malicious process. |
Total number of outgoing connections | totalNumberOfOutgoingConnections | Integer | Total number of outgoing connections associated with the malicious process. |
Total received bytes | totalReceivedBytes | Long | Total bytes received by the malicious process. |
Total transmitted bytes | totalTransmittedBytes | Long | Total bytes transmitted by the malicious process. |
Module (EDR)
Use these features to filter for Module Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Address (in Decimal) | address | Long | The address to which the module was loaded. |
Allocated Protection | exeAllocatedProtection | Enum | The level of protection allocated to this module. Possible values include In the UI: In the API: |
Blocklisted module | blackListClassificationEvidence | Boolean | Indicates whether there is evidence that the module’s file is on the blocklist. |
File for module on blocklist | blackListedModuleSuspicion | Boolean | Indicates whether the module’s file is on the blocklist. |
Export name | exportName | String | The export name for the module. |
Fake OWAAuth | fakeOwaAuthEvidence | Boolean | Indicates whether there is evidence that the Cybereason platform identified the module as a fake OWAAuth module. |
Fake OWA Auth module | fakeOwaAuthSuspicion | Boolean | Indicates whether the Cybereason platform identified the module as a fake OWAAuth module. |
File | file | String | The file from which the module is loaded. |
File From Temp | isFileFromTempEvidence | Boolean | Indicates whether there is evidence the module’s file is located in a temporary folder. |
Hacking Tool | hackingToolClassificationEvidence | Boolean | Indicates whether there is evidence that the Cybereason platform identified the module as a module belonging to a hacking tool. |
Header protection | exeHeaderProtection | Enum | Level of protection for the module header. Possible values include In the UI: In the API: |
Has Malops | hasMalops | Boolean | Indicates whether or not the module is associated with any Malops. |
Has registry entry | hasAutorun | Boolean | Indicates whether the module has a registry entry that can load the module. |
Has Suspicions | hasSuspicions | Boolean | Indicates whether the module is associated with any Suspicions. |
Is ever in loader DB | isEverInLoaderDb | Boolean | Indicates whether the module was ever loaded by the standard loader. |
Is floating code | isFloating | Boolean | Indicates whether the module was loaded by writing to memory without going through the Windows loader. |
Machine | ownerMachine | String | The machine on which this module is executing. |
Malformed Executable Header | exeHeaderMalformed | Boolean | Indicates whether this module has a malformed executable header. |
File for module classified as malicious | moduleReputationSuspicion | Boolean | Indicates whether the module’s file has a malicious reputation. |
Malicious module prevented by App Control | executionPreventedEvidence | Boolean | Indicates whether there is evidence that this module was prevented by the Cybereason Application Control service. |
Process prevented by Cybereason | executionPreventedSuspicion | Boolean | Indicates whether this module was prevented by the Cybereason Application Control service. |
Malicious Tool | maliciousToolClassificationEvidence | Boolean | Indicates whether the Cybereason threat intelligence service identified the module as a malicious tool. |
Malware | malwareClassificationEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the module as malware. |
Marked for prevention | markedForPrevention | Boolean | Indicates whether or not the module’s file is prevented from executing. |
Module name | elementDisplayName | String | The name of the module. |
Not in loader DB | notInLoaderDbEvidence | Boolean | Indicates whether there is evidence the module was not loaded by a standard loader. |
Pe header allocated size | peHeaderAllocatedSize | String | The size of the memory section in which the PE header resides. |
Potentially unwanted program | unwantedClassificationEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the module as a potentially unwanted program (PUP). |
Prevent execution file hash | blockedFileHash | Array | Collection of file hashes that were prevented during module execution. |
Prevented successfully | isBlocked | Boolean | Indicates whether or not the module execution was prevented. |
Ransomware | ransomwareClassificationEvidence | Boolean | Indicates whether there is evidence the Cybereason threat intelligence service classified the module as ransomware. |
Reputation | maliciousClassification | String | The reputation of the module according to intelligence feeds and user classification. |
Unsigned or unverified | unsignedOrUnverifiedFileEvidence | Boolean | Indicates whether there is evidence the module’s file is not signed by a trusted signer. |
Unsigned with a signed version | fileUnsignedHasSignedVersionEvidence | Boolean | Indicates whether there is evidence that the module’s file is unsigned even though a signed version exists. |
Unsigned with a signed version | unsignedWithSignedVersion | Boolean | Indicates whether the module’s file is unsigned even though a signed version exists. |
Mount Point (EDR)
Use these features to filter for Mount Point Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Active removable device |
isActiveRemovableDeviceEvidence |
Boolean |
Indicates whether there is evidence the mount point is an active removable device. |
Device name |
deviceName |
String |
The name of the removable device. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether the mount point is associated with any suspicions. |
Inactive removable device |
isInactiveRemovableDeviceEvidence |
Boolean |
Indicates whether there is evidence the mount point is an inactive removable device. |
Media type |
mediaType |
Enum |
The mount point’s media type. Possible values include: In the UI:
In the API:
|
Mount point name |
elementDisplayName |
String |
The name of the mount point. |
Name |
name |
String |
The display identification name of the mount point. |
Owner machine |
ownerMachine |
String |
The machine on which the mount point is located. |
Removable device |
isRemovableDevice |
Boolean |
Indicates whether the mount point is a removable device. |
Unusual removable device |
rareRemovableDeviceEvidence |
Boolean |
Indicates whether there is evidence that the mount point is an unusual removable device. |
Volume name |
volumeName |
String |
The volume name identifier assigned to the mount point. |
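The API Names in these tables are the `facetName` values of an investigation query. The following Python, added here as an example and not taken from the Cybereason documentation or its API client, builds query bodies from them. The request layout (`queryPath`, `filters`, `connectionFeature`, `customFields`, and the filter types `Equals`, `ContainsIgnoreCase` and `GreaterThan`) is the investigation-query format assumed here; the Element API Name `MountPoint` is assumed because this page's Elements table does not list it; `Process`, `Connection` and the Process Features `isDownloadedFromInternet`, `hasExternalConnection` and `connections` are taken from this page's own tables.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Filter operators assumed for the query API (this page lists Features, not
# operators).  Boolean Evidence/Suspicion Features are matched with Equals
# against [True].
EQUALS = "Equals"
CONTAINS = "ContainsIgnoreCase"
GREATER_THAN = "GreaterThan"


def facet(feature: str, values: List[Any], filter_type: str = EQUALS) -> Dict[str, Any]:
    """One filter clause. `feature` is the Feature's API Name, never its UI Name."""
    if not values:
        raise ValueError(f"filter on {feature!r} needs at least one value")
    return {"facetName": feature, "values": values, "filterType": filter_type}


def step(element: str, filters: List[Dict[str, Any]], *, is_result: bool = False,
         link: Optional[Tuple[str, str]] = None) -> Dict[str, Any]:
    """One hop of a queryPath. `link=(element, feature)` names the Feature the
    query follows to reach the next hop, e.g. ("Process", "connections")."""
    hop: Dict[str, Any] = {"requestedType": element, "filters": filters}
    if link is not None:
        hop["connectionFeature"] = {"elementInstanceType": link[0], "featureName": link[1]}
    if is_result:
        hop["isResult"] = True
    return hop


def build_query(path: List[Dict[str, Any]], custom_fields: List[str], *,
                limit: int = 1000, timeout_ms: int = 120_000) -> Dict[str, Any]:
    """Assemble the request body. Exactly one hop carries the results, and
    `custom_fields` lists the Feature API Names to return for each result."""
    if sum(1 for hop in path if hop.get("isResult")) != 1:
        raise ValueError("exactly one hop in the queryPath must be marked isResult")
    return {
        "queryPath": path,
        "totalResultLimit": limit,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "templateContext": "SPECIFIC",
        "queryTimeout": timeout_ms,
        "customFields": custom_fields,
    }


def unusual_removable_mount_points() -> Dict[str, Any]:
    """Mount Points that are removable devices the platform flagged as unusual."""
    path = [step("MountPoint",   # Element API Name assumed; not in this page's Elements table
                 [facet("isRemovableDevice", [True]),
                  facet("rareRemovableDeviceEvidence", [True])],
                 is_result=True)]
    return build_query(path, ["elementDisplayName", "deviceName", "volumeName", "ownerMachine"])


def external_connections_of_downloaded_processes() -> Dict[str, Any]:
    """Two-hop path: Process -> Connection via the Process Feature `connections`,
    returning the Connection Elements rather than the processes."""
    path = [
        step("Process",
             [facet("isDownloadedFromInternet", [True]),
              facet("hasExternalConnection", [True])],
             link=("Process", "connections")),
        step("Connection", [], is_result=True),
    ]
    return build_query(path, ["elementDisplayName", "ownerMachine"])


if __name__ == "__main__":
    # Send as the JSON body of a POST to /rest/visualsearch/query/simple on the
    # Cybereason server (endpoint assumed), after logging in for a session cookie.
    print(json.dumps(unusual_removable_mount_points(), indent=2))
```

Only Feature API Names from the tables go into `facetName` and `customFields`; the UI Name of the same Feature (for example "Unusual removable device" for `rareRemovableDeviceEvidence`) is not accepted by the API.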
MS-RPC (EDR)
Use these Features to filter for MS-RPC Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Authentication Level |
authLevelName |
Enum |
The authentication level used by the remote procedure call operation. Possible values include: In the UI:
In the API:
|
Authentication Service |
aufhServiceName |
Enum |
The name of the service that provided authentication for the remote procedure call. Possible values include: In the UI:
In the API:
|
Creation timestamp |
creationTimestamp |
Integer |
The time when the remote procedure call operation was initiated. |
Msrpc Name |
elementDisplayName |
String |
The name of the remote procedure call. |
Endpoint |
endoint |
String |
The target endpoint of the remote procedure call. The value of this field depends on the value of the protocolName Feature:
|
Event counter |
eventCounter |
Integer |
The number of remote procedure call events. |
Event source |
eventSoruce |
Enum |
The source of the remote procedure call events. Possible values include: In the UI:
In the API:
|
Impersonation level |
impersonationLevelName |
Enum |
The type of impersonation the remote procedure call performs. Possible values include: In the UI:
In the API:
|
Interface Name |
interfaceName |
String |
The name of the interface that initiated the remote procedure call. |
Interface UUID |
interfaceUUID |
String |
The unique identifier for the interface that initiated the remote procedure call. |
Last seen timestamp |
lastSeenTimeStamp |
Integer |
The last time the Cybereason Platform detected the remote procedure call operation. |
Network address |
networkAddress |
IP address |
The network address the remote procedure call targets. The value of this field depends on the value of the protocolName Feature:
|
Operation Number |
opNum |
Integer |
The unique operation number for the remote procedure call. |
Operation Name |
operationName |
String |
The name for the remote procedure call operation that was requested. |
Options |
options |
String |
The options used by the remote procedure call. |
Owner machine |
ownerMachine |
String |
The name of the machine on which the remote procedure call was initiated. |
Process |
process |
String |
The name of the process that sent the remote procedure call. |
Protocol |
protocolName |
Enum |
The protocol used by the remote procedure call. Possible values include: In the UI:
In the API:
|
Status |
statusName |
Enum |
The status of the remote procedure call operation. Possible values include: In the UI:
In the API:
|
Network Interface (EDR)
Use these features to filter for Network Interface Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Description |
description |
String |
The description of the network interface. |
DHCP server address |
dhcpServer |
String |
The IP address of the DHCP server for this network interface. |
DNS server address |
dnsServer |
String |
The IP address of the DNS server for this network interface. |
Gateway address |
gateway |
String |
The IP address of the gateway for this network interface. |
Hardware address (MAC) |
macAddressFormat |
String |
The network interface’s hardware (MAC) address. |
Identifier |
id |
String |
The network interface identifier. |
Ip address |
IpAddress |
String |
The IP address of this network interface. |
Local networks the network interface is registered on |
localNetworks |
Array |
Collection of local networks on which this network interface is registered. |
Name |
name |
String |
The name of the network interface. |
Network interface name |
elementDisplayName |
String |
The display name of the network interface. |
Owner machine |
ownerMachine |
String |
The machine to which this network interface belongs. |
Proxies |
proxies |
Array |
Collection of the proxies associated with this network interface. |
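Once a query returns, each result Element comes back with its Features keyed by the same API Names. The following Python, added here as an example and not taken from the Cybereason documentation or its API client, flattens such a response into one row per Network Interface. The response layout (`data.resultIdToElementDataMap`, with a `simpleValues` entry per scalar or Array Feature and an `elementValues` entry per Element-typed Feature such as `ownerMachine`) is the investigation-API response format assumed here, and the embedded response is constructed, not captured from a server. The check a practitioner wants for Array Features such as `localNetworks` is included: a `totalValues` larger than the number of returned `values` means `perFeatureLimit` truncated the list.

```python
import json
from typing import Any, Dict, List

# Constructed sample: one Network Interface element with its Features as the
# API returns them (layout assumed).  Scalars and Arrays both arrive as a
# "values" list; Array Features (localNetworks, proxies) may hold several
# entries, and "totalValues" exceeds len(values) when perFeatureLimit cut them.
SAMPLE_RESPONSE = json.loads("""{
  "status": "SUCCESS",
  "data": {
    "totalPossibleResults": 1,
    "queryTerminated": false,
    "resultIdToElementDataMap": {
      "11111111-2222-3333-4444-555555555555": {
        "simpleValues": {
          "elementDisplayName": {"totalValues": 1, "values": ["Ethernet0"]},
          "IpAddress":          {"totalValues": 1, "values": ["10.20.30.40"]},
          "macAddressFormat":   {"totalValues": 1, "values": ["00:50:56:ab:cd:ef"]},
          "dnsServer":          {"totalValues": 1, "values": ["10.20.30.2"]},
          "localNetworks":      {"totalValues": 3, "values": ["10.20.30.0/24", "10.20.31.0/24"]}
        },
        "elementValues": {
          "ownerMachine": {
            "totalValues": 1,
            "elementValues": [{"elementType": "Machine", "guid": "m-0001",
                               "name": "ws-0042", "hasSuspicions": false,
                               "hasMalops": false}]
          }
        },
        "isMalicious": false,
        "suspicionCount": 0
      }
    }
  }
}""")

# Network Interface Features typed "Array" in the table above.
ARRAY_FEATURES = {"localNetworks", "proxies"}


def flatten(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One row per result element.  Scalar Features become a single value,
    Array Features a list, Element-typed Features (ownerMachine) the linked
    element's name.  The "_truncated" key lists Features whose values were cut
    by perFeatureLimit, so a partial list is never mistaken for a complete one."""
    if response.get("status") != "SUCCESS":
        raise RuntimeError(f"query failed: {response.get('message')!r}")
    rows: List[Dict[str, Any]] = []
    for guid, element in response["data"]["resultIdToElementDataMap"].items():
        row: Dict[str, Any] = {"guid": guid, "isMalicious": element.get("isMalicious", False)}
        truncated: List[str] = []
        for feature, cell in element.get("simpleValues", {}).items():
            values = cell.get("values") or []
            if cell.get("totalValues", len(values)) > len(values):
                truncated.append(feature)
            if feature in ARRAY_FEATURES:
                row[feature] = values
            else:
                row[feature] = values[0] if values else None
        for feature, cell in element.get("elementValues", {}).items():
            linked = cell.get("elementValues") or []
            names = [e.get("name") for e in linked]
            row[feature] = names[0] if len(names) == 1 else names
        row["_truncated"] = truncated
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in flatten(SAMPLE_RESPONSE):
        print(json.dumps(row, indent=2))
```

Note that the API Name is used exactly as listed, including its case (`IpAddress`, not `ipAddress`); a key that does not match the table is simply absent from `simpleValues`, so a lookup that silently returns `None` usually means a misspelt Feature rather than an interface without that value.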
Network Machine (EDR)
Use these features to filter for Network Machine Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Has suspicions |
hasSuspicions |
Boolean |
Indicates whether this network machine is associated with any Suspicions. |
Machine name |
elementDisplayName |
String |
The name of the network machine as reported by the operating system. |
Process (EDR)
Use these features to filter for Process Elements:
UI Name |
API Name |
Type |
Description |
---|---|---|---|
Abnormal number of RWX sections count by machine |
abnormalRwxSectionsCountByMachineEvidence |
Boolean |
Indicates whether there is evidence the process has an abnormal number of RWX sections per machine. |
Abnormal process activity on device |
abnormalProcessActivityEvidence |
Boolean |
Indicates whether there is evidence of any detected abnormal activity. |
Abnormal Process Activity Suspicion |
abnormalProcessActivitySuspicion |
Boolean |
Indicates whether abnormal activity was detected for the process. |
Abnormal process invocation using DCOM |
abnormalDCOMServerSuspicion |
Boolean |
Indicates whether there was an abnormal process invocation using DCOM. |
Abnormal RWX section count |
abnormalRwxSectionsCountEvidence |
Boolean |
Indicates whether there is evidence the process has an abnormal number of RWX sections. |
Abuse of cmstp.exe |
uncommonUseOfCmstpSuspicion |
Boolean |
Indicates whether the cmstp.exe process was abused to execute arbitrary code. |
Abuse of cmstp.exe evidence |
uncommonUseOfCMSTPEvidence |
Boolean |
Indicates whether there is evidence the cmstp.exe process loaded the scrobj.dll module. |
Access to password store files |
passwordsFileAccessByTextEditorEvidence |
Boolean |
Indicates whether there is evidence the process attempted to access a Linux password store file. |
Accessibility feature abuse |
accessibilityFeaturePersistenceSuspicion |
Boolean |
Indicates whether this process is masquerading as one of the Windows accessibility features. |
Accessibility feature abuse evidence |
accessibilityFeaturePersistenceEvidence |
Boolean |
Indicates whether there is evidence that this process is masquerading as one of the Windows accessibility features. |
Accessibility feature abuse through registry modification |
accessibilityFeaturesAbuseByRegistrySuspicion |
Boolean |
Indicates whether this process modifies the registry to abuse Windows accessibility features. |
Accessibility feature abuse through registry modification evidence |
accessibilityFeaturesAbuseByRegistryEvidence |
Boolean |
Indicates whether there is evidence this process modifies the registry to abuse Windows accessibility features. |
Accessibility feature binary file swap |
accessibilityFeatureBinarySwapSuspicion |
Boolean |
Indicates whether an Accessibility Feature binary file was swapped for a different executable. |
Accessibility feature binary file swap evidence |
accessibilityFeatureBinarySwapEvidence |
Boolean |
Indicates whether there is evidence an accessibility feature binary was swapped for another executable. |
Account discovery evidence |
accountDiscoveryEvidence |
Boolean |
Indicates whether there is evidence that the process is involved in an account discovery attempt. |
Accounts discovery |
accountsDiscoveryEvidence |
Boolean |
Indicates there is evidence the process is engaged in accounts discovery. |
Add firewall rule in command line |
commandLineContainsAddFirewallRule |
Boolean |
Indicates whether the command line of the process includes adding a firewall rule. |
Associated file |
file |
String |
The file associated with this process. |
Hiding files using Alternate Data Stream |
alternativeDataStreamHidingEvidence |
Boolean |
Indicates whether the process is hiding executable files with Alternate Data Stream. |
Always-on VPN app set |
alwaysOnVpnAppSuspicion |
Boolean |
Indicates that an app has been configured as an always-on VPN on this device. The app may monitor all communications the device makes to the Internet. |
Android device possible tampering suspicion |
SafetyNetAttestationBasicIntegrityFalseSuspicion |
Boolean |
Indicates the Android device has been tampered with. The device is not certified by Google, and may have been additionally compromised, such as a rooted device. |
Anti-Malware detection suspicion |
maliciousNGAVDetectionOfPowershellSuspicion |
Boolean |
Indicates whether this process is classified as malicious or suspicious due to detection by the Cybereason Anti-Malware service. |
Anti-Malware suspended |
antiVirusSuspendedSuspicion |
Boolean |
Indicates whether the process is an anti-virus process that is suspended. |
Antivirus suspended |
suspendedAntiVirusEvidence |
Boolean |
Indicates whether there is evidence the process is an anti-virus process that is suspended. |
App performs privilege elevation on device |
processEopEvidence |
Boolean |
Indicates there is evidence of elevation of privileges on the mobile device by a process, which allows the attacker to take full control of the device. |
App set as Always-on VPN |
alwaysOnVpnAppEvidence |
Boolean |
Indicates there is evidence that an app has been configured as an always-on VPN on this device. The app may monitor all communications the device makes to the Internet. |
App tampering evidence |
appTamperingEvidence |
Boolean |
Indicates there is evidence of existing application libraries that may have been modified or a foreign library may have been injected. |
App tampering suspicion |
appTamperingSuspicion |
Boolean |
Indicates there is evidence of existing application libraries that may have been modified or a foreign library may have been injected. |
Application Control prevented malicious command |
maliciousNGAVPreventedOfPowershellSuspicion |
Boolean |
Indicates whether this process is classified as malicious or suspicious due to prevention by the Cybereason Anti-Malware service. |
AppLocker bypass via regsrv32 |
maliciousUseOfRegsvr32Evidence |
Boolean |
Indicates whether there is evidence this process used the regsvr32.exe process to bypass AppLocker. |
AppLocker bypass via regsrv32 |
maliciousUseOfRegsvr32Suspicion |
Boolean |
Indicates whether this process used the regsvr32.exe process to bypass AppLocker. |
Architecture |
architecture |
Enum |
The architecture of the machine on which the process is running. Possible values include: In the UI:
In the API:
|
ARP reconnaissance scan |
scanArpEvidence |
Boolean |
Indicates whether there is evidence of a reconnaissance scan using the ARP protocol, an indicator of an attacker searching for a device vulnerable to a network attack such as MITM. |
ARP scan |
scanArpSuspicion |
Boolean |
Indicates whether the process performed a reconnaissance scan using the ARP protocol, an indicator of an attacker searching for a device vulnerable to a network attack such as MITM. |
Attempt to stop Cybereason service |
stopCybereasonServiceAttemptEvidence |
Boolean |
Indicates whether there is evidence that the process attempted to stop or disable the Cybereason service. |
Attempt to stop Cybereason service |
stopCybereasonServiceAttemptSuspicion |
Boolean |
Indicates whether the process attempted to stop or disable the Cybereason service. |
Audit object access |
unexpectedAuditObjectAccessEvidence |
Boolean |
Indicates whether there is evidence the process gained access to the system audit objects where credential information is stored. |
Audit object access by loaded module |
unexpectedAuditObjectAccessByProcessLoadingPSModuleSuspicion |
Boolean |
Indicates whether one of the Windows credential hash resources was accessed by a process that loads the PowerShell system.management.automation.dll module. |
Audit object access by shell process |
unexpectedAuditObjectAccessShellSuspicion |
Boolean |
Indicates whether one of the Windows credential hash resources was accessed by a shell process. |
Audit object access by unknown process |
unexpectedAuditObjectAccessUnknownSuspicion |
Boolean |
Indicates whether one of the Windows credential hash resources was accessed by an unknown process. |
Audit object access by unsigned and unknown process |
unexpectedAuditObjectAccessUnsignedUnknownSuspicion |
Boolean |
Indicates whether one of the Windows credential hash resources was accessed by an unsigned and unknown process. |
Audit object access by unsigned process |
unexpectedAuditObjectAccessUnsignedSuspicion |
Boolean |
Indicates whether one of the Windows credential hash resources was accessed by an unsigned process. |
Audit object access NTDS file evidence |
unexpectedAuditObjectAccessNtdsFileEvidence |
Boolean |
Indicates whether there is evidence that the process accessed the NTDS file, an audited system resource. |
Backup catalog deletion |
wbadminDeleteCatalogSuspicion |
Boolean |
Indicates whether the wbadmin.exe process deleted the backup catalog. |
Backup catalog deletion |
wbadminDeleteCatalogMalop |
Boolean |
Indicates the process caused a Malop due to deletion of the backup catalog with the wbadmin.exe utility. |
Backup catalog deletion evidence |
wbadminDeleteCatalogEvidence |
Boolean |
Indicates whether there is evidence that the wbadmin.exe process deleted the backup catalog. |
Connection to domain on blocklist |
connectionToBlackListDomainSuspicion |
Boolean |
Indicates whether this process was identified creating a DNS query or a direct connection to a domain classified as malicious by the Cybereason threat intelligence service. |
Connection to IP address on the blocklist suspicion |
connectingToBlackListAddressSuspicion |
Boolean |
Indicates whether this process was identified connecting to an IP address on the blocklist. |
Blocklisted unresolved domain DNS queries |
unresolvedQueryFromBlackListDomain |
Array |
Collection of the unresolved DNS queries associated with this process that accessed a domain on the blocklist. |
Captive portal network usage |
captivePortalEvidence |
Boolean |
Indicates there is evidence the device is using Captive Portal networks to route traffic through a single proxy (portal), potentially opening up the traffic to monitoring. |
Certutil.exe downloaded file |
certutilDownloadEvidence |
Boolean |
Indicates whether there is evidence the certutil.exe process downloaded a file. |
Certutil.exe downloaded suspicious file |
certutilDownloadSuspicion |
Boolean |
Indicates whether the certutil.exe process downloaded a file. |
Client interactions as Pass the Hash |
passTheHashClientInteractions |
Array |
Collection of interactions in which the process participates as the client machine in a Pass the Hash attack. |
CMSTPLUA ShellExec method invoked using DCOM |
msrpcCMSTPLUAServerEvidence |
Boolean |
Indicates whether the CMSTPLUA ShellExec method was invoked using DCOM. |
COM scriptlet execution with regsrv32 |
maliciousUseOfRegsvr32ModuleEvidence |
Boolean |
Indicates whether this process used the regsvr32.exe process to run a COM scriptlet. |
Command line |
commandLine |
String |
The command line the process uses. |
Command line |
clearCommandLine |
String |
The command line that executed this process. |
Command line contains hidden environment variable |
obfuscatedCommandLineEnvArgsEvidence |
Boolean |
Indicates whether the command line for the process was obfuscated and contained an environment variable in the command line. |
Command line contains hidden keywords |
obfuscatedCommandLineKeywordEvidence |
Boolean |
Indicates whether there is evidence the command line for the process is obfuscated and contains hidden keywords. |
Command line parameter points to temporary file location |
commandLineContainsTempEvidence |
Boolean |
Indicates whether there is evidence the command that executed the process contains a parameter pointing to a temporary folder in the file directory. |
Compromised device |
systemconfigSystemTamperingEvidence |
Boolean |
Indicates that there is evidence the device is compromised and cannot be trusted. System tampering is the process of removing security limitations put in place by the device manufacturer; it indicates that the device is fully compromised and can no longer be trusted. |
Compromised WiFi network nearby |
threatMapNearbyEvidence |
Boolean |
Indicates that the device is near a Wifi network where malicious attacks have been observed. |
Connected to domain on the blocklist |
hasConnectionToBlackListDomainEvidence |
Boolean |
Indicates whether there is evidence the process has a connection to a domain name on the blocklist. |
Connected to IP address on blocklist evidence |
hasBlackListConnectionEvidence |
Boolean |
Indicates whether there is evidence the process has a connection to an address on the blocklist. |
Connection to blocklisted domain |
connectionsToBlackListDomain |
Array |
Collection of connections associated with this process that connected to a domain on the blocklist. |
Blocklisted domain |
connectionToBlackListDomainSuspision |
Boolean |
Indicates whether the process is connected to a domain on the blocklist. |
Connection to domain on blocklist evidence |
connectionToBlackListDomainEvidence |
Boolean |
Indicates whether there is evidence the process is connected to a domain on the blocklist. |
Connection to external IP discovery service or abuse of legitimate website |
ipDiscoverySuspicion |
Boolean |
Indicates whether the process connected to an external IP discovery service or abused a legitimate website. |
Connection to external IP discovery service or abuse of legitimate website evidence |
ipDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process connected to an external IP discovery service or abused a legitimate website. |
Connection to internal address |
hasInternalConnectionEvidence |
Boolean |
Indicates whether there is evidence the process connects to an internal address. |
Connection to IP address on the blocklist |
connectionToBlackListAddressByAddressRootCause |
Boolean |
Indicates whether the process connects to an IP address on the blocklist. |
Blocklisted IP |
connectingToBlackListAddressSuspicion |
Boolean |
Indicates whether the process connects to an IP address on the blocklist. |
Connection to malicious address |
connectingToBadReputationAddressSuspicion |
Boolean |
Indicates whether the process connects to an address with a malicious reputation. |
Connection to malicious address |
connectionToMaliciousAddressByAddressRootCause |
Boolean |
Indicates whether the process identified as the root cause connected to an address the Cybereason threat intelligence service classified as malicious. |
Connection to malicious address |
connectionToMaliciousAddress |
Boolean |
Indicates whether the process connects to a malicious address. |
Connection to malicious address |
hasMaliciousConnectionEvidence |
Boolean |
Indicates whether there is evidence the process has a connection to a malicious address |
Connection to malicious domain |
connectionToMaliciousDomainByDomainRootCause |
Boolean |
Indicates whether the process identified as the root cause connected to an address the Cybereason threat intelligence service classified as malicious |
Connection to malicious domain |
connectionToMaliciousDomain |
Boolean |
Indicates whether the process connects to a malicious domain |
Connection to malicious domain |
hasConnectionToMaliciousDomainEvidence |
Boolean |
Indicates whether there is evidence the process created a connection to a malicious domain |
Connection to malware address |
hasConnectionToMalwareAddressesEvidence |
Boolean |
Indicates whether there is evidence this process has a connection to an address used by malware |
Connection to malware address |
maliciousByAccessingAddressUsedByMalwares |
Boolean |
Indicates whether the process connects to an address used by malware |
Connection to rogue WiFi |
mitmRogueApEvidence |
Boolean |
Indicates there is evidence the device was connected to a rogue WiFi network. Connection to a rogue access point exposes the device to an unauthorized party who can access network data and/or credentials |
Connection to Tor domain |
connectiontoTorDomainEvidence |
Boolean |
Indicates whether there is evidence the process has connections to a Tor domain |
Connection to TOR domain by non-browser process |
connectionToTorDomainSuspicion |
Boolean |
Indicates whether a non-browser process has connections to a Tor domain |
Connections of host process |
connectionsOfHostProcess |
String |
Collection of the connections performed by the host process of this injected thread |
Connections to Malicious domain |
connectionsToMaliciousDomain |
Array |
Collection of connections associated with this process that connected to a domain classified as malicious by the Cybereason threat intelligence service |
Connections to malware address |
connectionsToMalwareAddresses |
Array |
Collection of connections associated with this process that connected to an address classified as malware by the Cybereason threat intelligence service |
Connections |
connections |
Array |
Collection of connections associated with this process |
Contains floating portable executable code |
hasPeFloatingCodeEvidence |
Boolean |
Indicates whether there is evidence the process has PE (Portable Executable) code floating in memory (not attached to a module/file) |
Runs hidden code |
shellcodeInProcessEvidence |
Boolean |
Indicates whether there is evidence the process is executing hidden code |
CPU time |
cpuTime |
Long |
The amount of CPU time the process used |
Created children |
createdChildren |
Array |
Collection of child processes the process created |
Created scheduled task as SYSTEM |
scheduledTaskAsSystemEvidence |
Boolean |
Indicates whether there is evidence the process created a scheduled task to execute as SYSTEM |
Created scheduled task on reboot |
scheduledTaskRebootPersistenceEvidence |
Boolean |
Indicates whether there is evidence the process created a scheduled task to execute on reboot |
Creation of new service |
newServiceSuspicion |
Boolean |
Indicates whether the process created a new service |
Creation of new LaunchAgents persistence file |
plistBuddyCreatesLaunchAgentsFileEvidence |
Boolean |
Indicates whether the PlistBuddy process created a new file in one of the LaunchAgents persistence paths |
Credential repository access from shadow copy |
credentialsViaShadowCopyAccessSuspicion |
Boolean |
Indicates whether the process accessed a sensitive credentials repository via shadow copy volume |
Critical process running injected code |
injectionToProtectedProcessSuspicion |
Boolean |
Indicates whether the process is critical and is running code injected to the process by another process |
Daemon anomaly activity detected |
daemonAnomalyEvidence |
Boolean |
Indicates there is evidence of abnormal system daemon activity, which could indicate that the device has been exploited |
Decoded command line |
decodedCommandLine |
String |
Command line with clear text version of an encoded command |
Detected by PowerShell Protection |
ngavPowershellDetectionEvidence |
Boolean |
Indicates whether there is evidence that this process was detected by PowerShell Protection |
Detected injecting process |
detectedInjectingEvidence |
Boolean |
Indicates whether there is evidence the process is injecting malicious code into another process. |
Device configurations that may put corporate and personal data at risk |
untrustedProfileByDomainSuspicion |
Boolean |
Indicates that configurations on the device put the device at risk |
Device connected to threat map |
threatMapConnectedSuspicion |
Boolean |
Indicates that the device has connected to a Wifi network where malicious attacks have been observed |
Device jailbroken/rooted suspicion |
jailbrokenSuspicion |
Boolean |
Indicates that this device may be jailbroken. Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may have not been readily apparent, or undermine the device built-in security measures |
DGA communication with C&C server |
maliciousByDgaDetection |
Boolean |
Indicates whether the process is using a Domain Generation Algorithm to communicate with its Command & Control server |
DNS query from suspicious domain |
hasDnsQueryFromSuspiciousDomainEvidence |
Boolean |
Indicates whether there is evidence the process created an A-type DNS request (domain to IP) with a malicious domain |
DNS query or connection to domain on blocklist |
connectionToBlackListDomainByDomainRootCause |
Boolean |
Indicates whether the process connects to a domain on the blocklist |
DNS query or connection to malicious domain |
connectionToMaliciousDomainSuspicion |
Boolean |
Indicates whether the process connects to a malicious domain |
DNS query to suspicious domain |
hasDnsQueryToSuspiciousDomainEvidence |
Boolean |
Indicates whether there is evidence the process created a PTR-type DNS request (IP to Domain) with a malicious domain |
DNS request from domain on blocklist |
hasDnsQueryFromBlackListDomainEvidence |
Boolean |
Indicates whether there is evidence the process received a DNS request from a domain on the blocklist |
DNS request to domain on blocklist |
hasDnsQueryToBlackListDomainEvidence |
Boolean |
Indicates whether there is evidence the process sent a DNS request to a domain on the blocklist |
DNS request to IP address on the blocklist |
hasBlackListDnsQueryDomainToDomainEvidence |
Boolean |
Indicates whether there is evidence the process connects to an IP address on the blocklist |
Domain trust relationship reconnaissance |
domainTrustRelationshipReconSuspicion |
Boolean |
Indicates whether the process performed domain trust relationship reconnaissance activities |
Domain-to-domain DNS query to suspicious domain |
hasSuspiciousDnsQueryDomainToDomainEvidence |
Boolean |
Indicates whether there is evidence the process created a CNAME-type DNS request (domain to domain) and the Cybereason threat intelligence service identified one of the domains as malicious |
Downloaded from Internet |
isDownloadedFromInternet |
Boolean |
Indicates whether the process was downloaded from the Internet |
Dumped LSASS process memory |
memoryDumpLsassSuspicion |
Boolean |
Indicates whether the process performed a memory dump of the LSASS process memory |
Dumped LSASS process memory evidence |
memoryDumpLsassEvidence |
Boolean |
Indicates whether there is evidence the process performed a memory dump of the LSASS process memory |
Elevated privileges command execution |
PrivilegeEscalationUsingSudoCommandEvidence |
Boolean |
Indicates whether there is evidence the process attempted to execute commands with elevated privileges |
Elevated privilege level for child process |
elevatingPrivilegesToChildEvidence |
Boolean |
Indicates whether there is evidence the process elevates privileges of its child process |
Elevation of Privileges suspicion |
processEopSuspicion |
Boolean |
Indicates there is elevation of privileges on the mobile device by a process, which allows the attacker to take full control of the device |
Event log deletion |
logDeletionSuspicion |
Boolean |
Indicates whether this process deleted logs from the machine |
Event log deletion evidence |
logDeletionEvidence |
Boolean |
Indicates whether there is evidence this process deleted logs from the machine |
Executable image file hash |
imageExecutableHash |
String |
The hash value of the executable image file |
Executed file on allowlist |
fileWhiteListEvidence |
Boolean |
Indicates whether there is evidence the process is executing a file on the allowlist |
Executed file on blocklist |
fileBlackListEvidence |
Boolean |
Indicates whether there is evidence the process is executing a file on the blocklist |
Executed malicious script from unexpected origin |
maliciousScriptExecutionEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform detected the process executing a potentially malicious script from an unexpected origin |
Executes known hacker tool |
hasChildKnownHackerToolEvidence |
Boolean |
Indicates whether there is evidence the process executes a known hacker tool |
Executing process |
execedBy |
String |
The name of the process executing this process |
Execution of fileless malware |
filelessMalware |
Boolean |
Indicates whether the process executes fileless malware |
Execution of fileless malware suspicion |
filelessMalwareSuspicion |
Boolean |
Indicates whether the process ran fileless malware |
explorer.exe IP connected to discovery service |
explorerIPDiscoverySuspicion |
Boolean |
Indicates whether the explorer.exe process performed IP discovery activities |
Extension type |
imageFileExtensionType |
Enum |
The image file extension type for this process. Possible values include: In the UI:
In the API:
|
External connection to well-known port |
hasExternalConnectionToWellKnownPortEvidence |
Boolean |
Indicates whether there is evidence the process has at least one external connection using a well-known port (less than 1024) |
Failed to access file |
failedToAccess |
Boolean |
Indicates whether the Cybereason platform failed to access the process image file |
Fake unsigned module |
fakeModuleUnsignedEvidence |
Boolean |
Indicates whether there is evidence the process loaded a fake module that has the same name as another loaded module but is not signed |
File and directory enumeration |
fileDirectoryDiscoverySuspicion |
Boolean |
Indicates whether the process performed activities to learn more about files and directories on a machine |
File size mismatch |
multipleSizeForHashEvidence |
Boolean |
Indicates whether there is evidence that multiple files have the same name but different sizes |
Firewall hole punching |
maliciousFirewallHolePunching |
Boolean |
Indicates whether the process maliciously modifies the machine firewall configuration |
First execution of downloaded process |
firstExecutionOfDownloadedProcessEvidence |
Boolean |
Indicates whether there is evidence the process image file was downloaded from the Internet and this instance is the first execution of the process |
Floating code |
shellcodeProcess |
Boolean |
Indicates that the process is running floating code |
fsutil.exe deleted Update Sequence Number journal change evidence |
fsutilDeleteJournalEvidence |
Boolean |
Indicates whether there is evidence the fsutil.exe process deleted Update Sequence Number (USN) journal entries to mask the process activities |
ftp.exe descendant of suspicious process |
ftpDescendantofSuspiciousProcessEvidence |
Boolean |
Indicates whether this ftp.exe process is a child process of another suspicious process |
ftp.exe transmitted data and is child of suspicious process |
potentiallyMaliciousFtpSuspicion |
Boolean |
Indicates whether the ftp.exe process transmitted data and is a child of a suspicious process |
Group Context Modification Evidence |
LinuxGroupContextModificationEvidence |
Boolean |
Indicates whether there is evidence a process attempted to set the group access rights of a file |
Hacking tool with unusual parent |
hackingToolOfNonToolRunnerSuspicion |
Boolean |
Indicates whether a hacking tool was executed by a process that should not execute hacking tools |
Hacking tool with unusual parent evidence |
hackingToolOfNonToolRunnerEvidence |
Boolean |
Indicates whether there is evidence the hacking tool was executed by a process that should not execute hacking tools |
Has a rare known hacker tool child process |
hasRareChildProcessKnownHackerToolEvidence |
Boolean |
Indicates whether there is evidence the process has a rare child process which is a known hacker tool |
Has automatic execution |
hasAutomaticExecutionEvidence |
Boolean |
Indicates whether there is evidence the process has an associated automatic execution. |
Has blocked modules |
hasBlockedModules |
Boolean |
Indicates whether the process tried to load blocked modules. |
Has children |
hasChildren |
Boolean |
Indicates whether the process has child processes. |
Has classification |
hasClassification |
Boolean |
Indicates whether the process has a well known classification. |
Has external connection |
hasExternalConnection |
Boolean |
Indicates whether the process has an external connection. |
Has incoming connections |
hasIncomingConnection |
Boolean |
Indicates whether the process has incoming connections. |
Has injected children |
hasInjectedChildren |
Boolean |
Indicates whether the process has any injected child processes. |
Has Injected thread from process with lower privileges |
injectedThreadPrivilegeEscalationEvidence |
Boolean |
Indicates whether there is evidence the process is an injected thread where the injecting process has lower privileges than the host process. |
Has internal connection |
hasInternalConnection |
Boolean |
Indicates whether the process has an internal connection. |
Has malicious connections |
hasMaliciousReputationConnections |
Boolean |
Indicates whether the process has connections to known malicious addresses. |
Has Malops |
hasMalops |
Boolean |
Indicates whether the process is associated with any Malops. |
Has opened socket |
hasListeningConnection |
Boolean |
Indicates whether the process has an opened listening socket. |
Has outgoing connections |
hasOutgoingConnection |
Boolean |
Indicates whether the process has outgoing connections. |
Has registry entry |
hasAutorun |
Boolean |
Indicates whether the process is associated with a registry entry. |
Has Suspicions |
hasSuspicions |
Boolean |
Indicates whether the process is associated with any suspicions. |
Has suspicious external connection |
hasSuspiciousExternalConnectionEvidence |
Boolean |
Indicates whether there is evidence the process has an external connection that is marked as suspicious. |
Has suspicious internal connection |
hasSuspiciousInternalConnectionEvidence |
Boolean |
Indicates whether there is evidence the process has an internal connection that is marked as suspicious. |
Has threads with injected code |
hostingInjectedThreadEvidence |
Boolean |
Indicates whether there is evidence the process contains threads that execute code injected into memory by another process. |
Has unresolved DNS queries |
hasUnresolvedDnsQueriesFromDomain |
Boolean |
Indicates whether the process has unresolved DNS queries |
Has visible windows |
hasVisibleWindows |
Boolean |
Indicates whether the process has visible windows. |
Has windows |
hasWindows |
Boolean |
Indicates whether the process has open windows on the machine. |
Hash with multiple names |
multipleNameForHashEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform found multiple file names for the same hash signature |
Hidden by a rootkit |
rootkitProcessHide |
Boolean |
Indicates whether the process is hidden by a rootkit. |
Hidden PowerShell payload |
ObfuscatedPowershellSuspicion |
Boolean |
Indicates whether this PowerShell payload has been obfuscated. |
Hidden PowerShell payload evidence |
ObfuscatedPowershellEvidence |
Boolean |
Indicates whether there is evidence that this PowerShell payload has been obfuscated. |
Hidden process |
covertProcessDecisionFeature |
Boolean |
Indicates whether this process was detected to be attempting to hide itself or its assets. |
Hidden process |
covertProcessSuspicion |
Boolean |
Indicates whether a hidden process was detected. |
Hiding files using Alternate Data Stream |
alternativeDataStreamHidingEvidence |
Boolean |
Indicates whether the process is hiding executable files with Alternate Data Stream. |
High data volume transfer and running injected code |
highDataVolumeTransmittedByInjectedProcess |
Boolean |
Indicates whether the process transmits a high volume of data while it is running injected code. |
High data volume transfer to malicious address |
highDataVolumeTransmittedToMaliciousAddressSuspicion |
Boolean |
Indicates whether the process transmitted a high data volume to an address marked as malicious. |
High data volume transfer to suspicious address |
highDataTransmittedSuspicion |
Boolean |
Indicates whether the process is transferring a high volume of data to a specific address. |
High data volume transfer with unrecognized process |
highDataVolumeTransmittedByUnknownProcess |
Boolean |
Indicates whether the process transmits a high volume of data while it is not recognized as a legitimate program for such behavior. |
High internal outgoing embryonic connection rate |
highInternalOutgoingEmbryonicConnectionRateEvidence |
Boolean |
Indicates whether there is evidence that more than 25% of the internal connections the process creates receive a response (embryonic). |
High IP scanning rate |
highIpScanRateEvidence |
Boolean |
Indicates whether there is evidence the process is performing a high rate of IP address scanning. |
High number of internal outgoing embryonic connections |
absoluteHighNumberOfInternalOutgoingEmbryonicConnectionsEvidence |
Boolean |
Indicates whether there is evidence that the process creates internal connections which do not receive a response (embryonic). |
High unresolved-to-resolved DNS query ratio |
highUnresolvedToResolvedRateEvidence |
Boolean |
Indicates whether there is evidence the process has DNS queries with a high unresolved to resolved ratio. |
High volume of transmitted data |
maliciousByHighVolumeDataTransmittedByUnknownProcess |
Boolean |
Indicates whether the process transmits high volumes of data while it is not recognized by the Cybereason threat intelligence service as a legitimate program for such behavior. |
Host process and injection process user mismatch |
injectedThreadDifferentUserForInjectingAndHostEvidence |
Boolean |
Indicates whether there is evidence the user of the injecting process is different than the user of the host process. |
Hosting injected thread |
hostingInjectedThreadSuspicion |
Boolean |
Indicates whether the process contains threads that execute code injected into memory by another process. |
Icon |
icon44 |
Long |
The icon of the process image file. |
Identified as known malware |
knownMalwareSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process as malware. |
Identified as LaZagne reconnaissance tool |
laZagneReconToolEvidence |
Boolean |
Indicates whether there is evidence that this process is using the LaZagne recon tool. |
Identified as Potentially Unwanted Program (PUP) |
knownUnwantedSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process as a Potentially Unwanted Program (PUP). |
Identified as ransomware |
knownRansomwareSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process as ransomware. |
Image file broken link in chain of trust |
signatureVerificationStatusBadChainOfTrustEvidence |
Boolean |
Indicates whether there is evidence the file associated with the process had one of the following issues during the chain of trust verification: chain of trust could not be established to a root certificate, chain of trust was built to a root certificate which is not known or recognized as trusted on the local machine, broken chain of trust. |
Image file classified as malicious tool module |
maliciousToolModuleEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the module associated with the process as a malicious tool. |
Image file downloaded from Internet |
isDownloadedFromInternetEvidence |
Boolean |
Indicates whether there is evidence the process image file was downloaded from the Internet. |
Image file expired signature |
signatureVerificationStatusExpiredEvidence |
Boolean |
Indicates whether there is evidence that any of the process image file signing certificates in the chain of trust has expired. |
Image file hash |
imageFileHash |
String |
The hash of the file associated with the process. |
Image file is malware |
malwareEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as malware. |
Image file mismatched signature |
signatureVerificationStatusHashMismatchEvidence |
Boolean |
Indicates whether there is evidence the process image file signed hash does not match the file contents. |
Image file misused signature |
signatureVerificationStatusMisuseEvidence |
Boolean |
Indicates whether there is evidence the process image file certificate was misused. |
Image file path |
imageFilePath |
String |
The path to the process image file. |
Image file suspicious signature |
suspiciousSignedUnverifiedFileSuspicion |
Boolean |
Indicates whether the process image file has a suspicious signature. |
Image file unknown root certificate |
signatureVerificationStatusUnrecognizedRootEvidence |
Boolean |
Indicates whether there is evidence the process image file verified chain of trust has an unknown root certificate. |
Image file unsigned |
signatureVerificationStatusNotSignedEvidence |
Boolean |
Indicates whether or not there is evidence the process file is signed. |
Image file unverified signature by technical failure |
signatureVerificationStatusTechnicalFailureEvidence |
Boolean |
Indicates whether there is evidence a technical failure prohibited the completion of the process image file verification process. |
Image file user distrust |
signatureVerificationStatusUserDistrustEvidence |
Boolean |
Indicates whether there is evidence the user trusted the process image file certificate during an interactive session. |
Image file verified |
isImageFileVerified |
Boolean |
Indicates whether the signature for the process image file is verified. |
Infected process connection to known malware address |
accessToMalwareAddressInfectedProcess |
Boolean |
Indicates whether the process is benign and connects to an address being used by malware. |
Injected code into protected process |
detectedInjectingToProtectedProcessEvidence |
Boolean |
Indicates whether there is evidence the process is injecting code into a protected process. |
Injected PowerShell process |
injectedPowershellProcessEvidence |
Boolean |
Indicates whether there is evidence the process is a PowerShell process and was detected as receiving injected code. |
Injected shellcode |
shellInjectionSuspicion |
Boolean |
Indicates whether the process is running code injected into the process by a shell process. |
Injected shellcode |
shellcodeInjectionSuspicion |
Boolean |
Indicates whether a remote process injected shellcode into the victim process. |
Injected shellcode evidence |
shellcodeInjectorEvidence |
Boolean |
Indicates whether there is evidence that a remote process injected shellcode into the victim process. |
Injection detected via event monitoring |
processInjectionAnonRwxByEtwEvidence |
Boolean |
Indicates whether there is evidence that process injection was detected via event monitoring. |
Injection method |
injectionMethod |
Enum |
The manner of injection for the process. Possible values include In the UI:
In the API:
|
Injection to protected process |
injectingToProtectedProcessSuspicion |
Boolean |
Indicates whether the process was identified as injecting malicious code into a protected process. |
Injector not shell runner |
isInjectorNotShellRunner |
Boolean |
Indicates whether the process is an injected thread that was executed by a process not known to run shell processes. |
Injector signed by Microsoft |
isInjectorSignedByMicrosoft |
Boolean |
Indicates whether the process is running an injected thread that was executed by a process signed by Microsoft. |
Installer |
isInstaller |
Boolean |
Indicates whether the process is an installer process for an application. |
Installer |
isInstallerEvidence |
Boolean |
Indicates whether there is evidence that this process is an installer. |
Internal connections |
internalConnections |
Array |
Collection of internal connections associated with this process |
Internal Network Access |
internalNetworkAccessSuspicion |
Boolean |
Indicates there is an app connecting to private, internal servers. It is uncommon for public applications to connect to internal servers. Public applications connecting to internal servers is considered suspicious behavior and should be investigated immediately for the possible threat of malware installed on the device and the risk of data leakage. |
IP reconnaissance scan |
scanIpSuspicion |
Boolean |
Indicates there is a reconnaissance scan using the IP protocol that is an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM. |
IP reconnaissance scan |
scanningProcessSuspicion |
Boolean |
Indicates whether the process creates embryonic connections that characterize scanning activity. |
IP reconnaissance scan |
scanTcpEvidence |
Boolean |
Indicates there is evidence of a reconnaissance scan using the TCP protocol that is an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM. |
IP scan evidence |
scanIpEvidence |
Boolean |
Indicates there is evidence of a reconnaissance scan using the IP protocol that is an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM. |
IP scanned rate 10 seconds |
ipScannedRate10Seconds |
Integer |
The maximum number of IPs scanned by the process in the span of 10 seconds. |
IP scanned rate 30 seconds |
ipScannedRate30Seconds |
Integer |
The maximum number of IPs scanned by the process in the span of 30 seconds. |
IP scanned rate 60 seconds |
ipScannedRate60Seconds |
Integer |
The maximum number of IPs scanned by the process in the span of 60 seconds. |
Is aggregated process |
isAggregate |
Boolean |
Indicates whether the process represents multiple short-lived frequently-running processes. |
Is Apple system process |
isAppleSystemProcess |
Boolean |
Indicates whether the process is signed by Apple and is running with local system user privileges. |
Is chain of injections |
isChainOfInjections |
Boolean |
Indicates whether the injecting process to the injected thread also has injected code. |
Is encoded commandline |
isEncodedCommandLine |
Boolean |
Indicates whether the command line contains encoded text. |
Is hidden process |
isHidden |
Boolean |
Indicates whether the process was hidden from the task list. |
Is hosting injected thread |
isHostingInjectedThread |
Boolean |
Indicates whether another process injected code into the process. |
Is identified product |
isIdentifiedProduct |
Boolean |
Indicates whether the process has a known product category. |
Is injected |
isInjectedProcess |
Boolean |
Indicates whether another process injected code in the process. |
Is injecting |
isInjectingProcess |
Boolean |
Indicates whether the process is currently injecting code into another process. |
Is injector shell |
isInjectorShell |
Boolean |
Indicates whether the process is running an injected thread and was injected by a shell process. |
Is live process |
isLiveProcess |
Boolean |
Indicates whether the process is currently running. |
Is Microsoft system process |
isMicrosoftSystemProcess |
Boolean |
Indicates whether the process is signed by Microsoft and is running as a local system user. |
Is minion host |
isMinionhost |
Boolean |
Indicates whether the process is the Cybereason MinionHost process (part of Cybereason sensor running on the endpoint). |
Is operating system process |
isOperatingSystemProcess |
Boolean |
Indicates whether the process is signed by the operating system and is running with local system user privileges. |
Is process debugged |
isProcessDebugged |
Boolean |
Indicates whether there is a debugger attached to the process. |
Is scheduled task |
isScheduledTask |
Boolean |
Indicates whether the process is a scheduled task. |
Is shell process |
isShellProcess |
Boolean |
Indicates whether the process is a known shell program such as cmd, cscript, PowerShell, and so forth. |
Is Shinobot RAT |
shinobotEvidence |
Boolean |
Indicates whether there is evidence the process is using the ShinoBOT RAT. |
Is suspended |
isSuspended |
Boolean |
Indicates whether the process is currently suspended. |
Jailbroken or rooted device |
jailbrokenEvidence |
Boolean |
Indicates there is evidence that this device may be jailbroken. Jailbreaking and rooting are the processes of gaining unauthorized access or elevated privileges on a system. Jailbreaking and rooting can potentially open security holes that may not have been readily apparent, or undermine the device's built-in security measures. |
Java-based RAT malware |
jscriptRATMalop |
Boolean |
Indicates whether this process is exhibiting Java-based RAT (Remote Access Trojan) behaviors. |
Large data transfer to malicious address |
hasAbsoluteHighVolumeExternalOutgoingConnectionEvidence |
Boolean |
Indicates whether there is evidence the process has a connection that transferred high volumes of data to an external address. |
Large data transfer to or from malicious address |
hasAbsoluteHighVolumeConnectionToMaliciousAddressEvidence |
Boolean |
Indicates whether there is evidence the process has a connection that transferred high volumes of data to or from a malicious address. |
Large number of error code 9003 responses |
manyUnresolvedRecordNotExistsEvidence |
Boolean |
Indicates whether there is evidence the process contains more than 100 unresolved DNS queries with a Record-Not-Exists error code (9003). |
Large number of external connections |
highNumberOfExternalConnectionsSuspicion |
Boolean |
Indicates whether the process creates a significantly high number of external connections. |
Large number of external connections evidence |
highNumberOfExternalConnectionsEvidence |
Boolean |
Indicates whether there is evidence the process has a high number of external connections. |
Large number of internal connections |
highNumberOfInternalConnectionsSuspicion |
Boolean |
Indicates whether the process creates a significantly high number of internal connections. |
Large number of internal connections evidence |
absoluteHighNumberOfInternalConnectionsEvidence |
Boolean |
Indicates whether there is evidence the process creates a significantly high number of internal connections. |
Last minute instances |
lastMinuteNumOfInstances |
Long |
The number of short-lived, frequently running processes started in the last minute that are associated with this process. |
Linux Remote System Discovery |
LinuxRemoteSystemDiscoveryEvidence |
Boolean |
Indicates there is evidence the process executed a tool used for remote system discovery. |
Loaded a module for ransomware |
maliciousByRansomwareModule |
Boolean |
Indicates whether the process loaded a module classified as known ransomware by the Cybereason threat intelligence service. |
Loaded a module with rare registry entry |
hasRareModuleAutorunEvidence |
Boolean |
Indicates whether there is evidence the process is associated with rare module registry entries. |
Loaded Cobalt Strike in memory |
maliciousCobaltAgent |
Boolean |
Indicates whether this process loaded the Cobalt Strike agent into memory on a machine. |
Loaded executable on the blocklist |
reflectivelyLoadedMaliciousPESuspicion |
Boolean |
Indicates whether the process loaded a malicious module in memory. |
Loaded executable on the blocklist evidence |
reflectivelyLoadedMaliciousPEEvidence |
Boolean |
Indicates whether there is evidence the process loaded a suspicious module in memory. |
Loaded fake OWA Auth module |
fakeOwaAuthSuspicion |
Boolean |
Indicates whether the process loaded a module that was identified as a fake OWA Auth module. |
Loaded fake OWA Auth module evidence |
fakeOwaAuthEvidence |
Boolean |
Indicates whether there is evidence the process loaded a module that was identified as a fake OWA Auth module. |
Loaded Meterpreter in memory |
maliciousMeterpreterAgent |
Boolean |
Indicates whether this process loaded the Meterpreter agent into memory on a machine. |
Loaded Mimikatz in memory |
maliciousMimikatzAgent |
Boolean |
Indicates whether this process loaded the Mimikatz agent into memory on a machine. |
Loaded Mimikatz resources |
mimikatzResourceEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform identified Mimikatz resources loaded by the process |
Loaded module classified as a malicious tool |
maliciousToolModuleSuspicion |
Boolean |
Indicates whether a process module was classified as a malicious tool by the Cybereason threat intelligence service. |
Loaded module for malicious tool |
maliciousByMaliciousToolModule |
Boolean |
Indicates whether the process loaded a module classified as a malicious tool by the Cybereason threat intelligence service. |
Loaded module for malware |
maliciousByMalwareModule |
Boolean |
Indicates whether the process loaded a module classified as known malware by the Cybereason threat intelligence service. |
Loaded module for Potentially Unwanted Program (PUP) |
maliciousByUnwantedModule |
Boolean |
Indicates whether the process loaded a module classified as a Potentially Unwanted Program (PUP) by the Cybereason threat intelligence service. |
Loaded module on blocklist |
maliciousByBlackListModule |
Boolean |
Indicates whether the process loaded a module on the blocklist. |
Loaded PeddleCheap in memory |
maliciousPeddleCheapAgent |
Boolean |
Indicates whether this process loaded the PeddleCheap agent in memory on a machine. |
Loaded PowerShell Empire in memory |
maliciousEmpireAgent |
Boolean |
Indicates whether this process loaded the Empire agent into memory on a machine. |
Loaded suspicious unknown DLL |
dllSeachOrderEvidence |
Boolean |
Indicates there is evidence that the process loaded a suspicious and unknown DLL file. |
Local account creation |
localLinuxAccountCreationEvidence |
Boolean |
Indicates whether there is evidence the process attempted to create an account on a Linux machine. |
Local terminal service status query evidence |
remoteDesktopRegistryReconEvidence |
Boolean |
Indicates whether there is evidence this process is querying the local terminal service status. |
Logon script registration |
logonScriptSuspicion |
Boolean |
Indicates whether this process registered a logon script on the machine. |
Logon script registration evidence |
logonScriptEvidence |
Boolean |
Indicates whether there is evidence the process registered a logon script on the machine. |
Low TTL DNS query |
hasLowTtlDnsQueryEvidence |
Boolean |
Indicates whether there is evidence the process has at least one DNS query with a low time-to-live (TTL). |
LSASS audit object access |
unexpectedAuditObjectAccessLsassSuspicion |
Boolean |
Indicates whether the process accessed an audited system resource. |
LSASS audit object access evidence |
unexpectedAuditObjectAccessLsassEvidence |
Boolean |
Indicates whether there is evidence that the process accessed an audited system resource. |
LSASS virtual memory read |
lsassVMReadEvidence |
Boolean |
Indicates whether there is evidence this process performed a read operation of the LSASS process virtual memory. |
LSASS virtual memory write |
lsassVMWriteEvidence |
Boolean |
Indicates whether there is evidence this process performed a write action for the LSASS process virtual memory. |
Malicious activity by PowerShell process |
maliciousExecutionOfPowerShell |
Boolean |
Indicates whether the PowerShell process was executed with malicious parameters. |
Malicious application suspicion |
appMaliciousSuspicion |
Boolean |
Indicates a malicious app may have been detected on a device. |
Malicious by floating code |
maliciousByFloatingCode |
Boolean |
Indicates whether the Cybereason platform identified the process as malicious due to suspicious PE (Portable Executable) code floating in memory (not attached to a module/file). |
Malicious by hash |
isMaliciousByHashEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as malicious. |
Malicious by obscured extension |
maliciousByDualExtension |
Boolean |
Indicates whether the process was determined to be malicious because it obscures the real file extension by using multiple file extensions. |
Malicious by opening malicious file |
maliciousByOpeningMaliciousFile |
Boolean |
Indicates whether the Cybereason platform classified this process as malicious because it opened a malicious file. |
Malicious code injection |
maliciousByCodeInjection |
Boolean |
Indicates whether the process was classified as malicious through detection of instances of malicious code injection. |
Malicious code injection into a process |
maliciousInjectingCodeSuspicion |
Boolean |
Indicates whether the process was identified as injecting malicious code into another process. |
Malicious execution by PsExec |
executedByPsexecSuspicion |
Boolean |
Indicates whether the PsExec service executed the process maliciously. |
Malicious execution of shell process |
maliciousExecutionOfShellProcess |
Boolean |
Indicates whether the process is a shell process that was executed in a non-standard way and might be used for malicious operations. |
Malicious execution with elevated privileges |
maliciousPrivilegeEscalation |
Boolean |
Indicates whether the process was maliciously executed with escalated privileges. |
Malicious fake module |
maliciousFakeModuleLoaded |
Boolean |
Indicates whether the process loaded a malicious fake module. |
Malicious file execution attempt |
processExecutionPreventedByNGAVSuspicion |
Boolean |
Indicates whether the process attempted to execute a malicious file and process execution was prevented by Cybereason. |
Malicious file execution attempt evidence |
processExecutionPreventedByNGAVEvidence |
Boolean |
Indicates whether there is evidence this process attempted to execute a malicious file and process execution was blocked by the Cybereason platform |
Malicious file execution prevention |
processExecutionPreventedSuspicion |
Boolean |
Indicates whether the Cybereason platform prevented process execution. |
Malicious file execution prevention evidence |
processExecutionPreventedEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform prevented process execution |
Malicious injected code from injected thread host |
maliciousInjectionByProcessHostingInjectedCode |
Boolean |
Indicates whether Cybereason identified malicious injected code originating from a process hosting an injected thread |
Malicious PowerShell process uses suspicious parameters |
maliciousUseOfPowershellSuspicion |
Boolean |
Indicates whether there is a suspicion the PowerShell process was executed with malicious parameters |
Malicious process |
isMaliciousEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as malicious |
Malicious remote execution |
maliciousUseOfPsexec |
Boolean |
Indicates whether the process was maliciously executed from a remote machine |
Malicious resolved domains |
maliciousDomainsDnsIpToDomain |
Array |
Collection of resolved domains in DNS requests that are classified as malicious |
Malicious script from unexpected origin |
maliciousScriptExecutionSuspicion |
Boolean |
Indicates whether the Cybereason platform found the process executing a potentially malicious script from an unexpected origin |
Malicious system volume information execution path or name |
maliciousProcessByPath |
Boolean |
Indicates whether the process has a system volume information execution path or name classified as malicious |
Malicious tool |
knownMaliciousToolSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process as a malicious tool |
Malicious tool classification by hash |
maliciousToolByHashReputation |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process image file as a malicious tool by file hash |
Malicious tool loaded in memory |
maliciousGenericAgent |
Boolean |
Indicates whether this process loaded a malicious tool into memory on a machine |
Malicious use of operating system process for persistence |
maliciousUseOfWinOSProcessSuspicion |
Boolean |
Indicates whether this process used an operating system process for malicious purposes to achieve persistence on a machine |
Malicious use of operating system process for persistence evidence |
maliciousUseOfWinOSProcessEvidence |
Boolean |
Indicates whether there is evidence this process used an operating system process for malicious purposes to achieve persistence on a machine |
Malicious web shell |
maliciousWebShellExecution |
Boolean |
Indicates that this process ran a web shell for malicious purposes |
Malware module indications |
malwareModuleSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified a process module as malware. |
Malware that aggressively displays ads, negatively affecting user productivity and device performance |
maliciousPupAppEvidence |
Boolean |
Indicates there is evidence of malware that displays ads which negatively affect user productivity and device performance |
Malware that aggressively displays ads, negatively affecting user productivity and device performance |
maliciousPupAppSuspicion |
Boolean |
Indicates there is malware that displays ads which negatively affect user productivity and device performance |
Malware that attempts to obtain escalated system privileges |
privEscAppMaliciousSuspicion |
Boolean |
Indicates there is malware that attempts to obtain escalated system privileges |
Malware that blocks access to a device until a ransom is paid |
maliciousRansomwareAppSuspicion |
Boolean |
Indicates there is malware that blocks the access to a device until a ransom is paid |
Malware that causes SMS related charges |
maliciousSMSAppEvidence |
Boolean |
Indicates there is evidence of malware that causes SMS-related charges |
Malware that causes SMS related charges |
maliciousSMSAppSuspicion |
Boolean |
Indicates there is malware that causes SMS-related charges |
Malware that is monitoring and collecting information about a user and the device |
maliciousSpywareAppEvidence |
Boolean |
Indicates there is evidence of malware, such as spyware, that monitors and collects information about a user and the device |
Malware that is monitoring and collecting information about a user and the device |
maliciousSpywareAppSuspicion |
Boolean |
Indicates there is malware, such as spyware, that monitors and collects information about a user and the device |
Malware that obtains unauthorized access to a mobile device |
maliciousTrojanAppEvidence |
Boolean |
Indicates there is evidence of malware that gains unauthorized access to the mobile device |
Malware that obtains unauthorized access to a mobile device |
maliciousTrojanAppSuspicion |
Boolean |
Indicates there is evidence of malware that gains unauthorized access to the mobile device |
Malware that steals bank credentials |
maliciousBankerAppEvidence |
Boolean |
Indicates there is evidence of malware that steals bank credentials |
Malware that steals bank credentials |
maliciousBankerAppSuspicion |
Boolean |
Indicates there is malware that steals bank credentials |
Man in the Middle attack |
mitmEvidence |
Boolean |
Indicates there is evidence the communication between a device and a network was intercepted and could be monitored and modified by an unauthorized party, as in a Man-in-the-Middle attack, where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device. |
Man in the Middle attack via ARP |
mitmArpEvidence |
Boolean |
Indicates there is evidence that the device may be involved in a network attack. Communication between the device and a network was intercepted and could be monitored and modified by an unauthorized party. In this Man-in-the-Middle attack using ARP table poisoning, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device |
Man in the Middle attack with fake SSL certificate |
mitmSslCertificateEvidence |
Boolean |
Indicates there is evidence of a Man-in-the-Middle attack using a fake certificate where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device |
Man in the Middle attack with ICMP |
mitmIcmpEvidence |
Boolean |
Indicates there is evidence that the device may be involved in a network attack. The communication between the device and a network was intercepted. In this Man-in-the-Middle attack using the ICMP protocol, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device |
Man in the Middle attack with SSL stripping |
mitmSslStripEvidence |
Boolean |
Indicates there is evidence that the device may be involved in a network attack through a Man-in-the-Middle attack with SSL stripping, which allows a malicious attacker to change HTTPS traffic to HTTP so they can hijack traffic and steal credentials or deliver malware to the device. The communication between the device and a network was intercepted by an unauthorized party |
Many internal connections |
highNumberOfInternalConnectionsEvidence |
Boolean |
Indicates whether there is evidence the process has a high number of internal connections |
Marked for prevention |
markedForPrevention |
Boolean |
Indicates whether the process executable file is prevented from executing by Application Control |
Memory usage |
memoryUsage |
Long |
The amount of memory the process uses |
Meterpreter executable detected |
meterpreterX86executableSuspicion |
Boolean |
Indicates whether Cybereason detected remote malicious tool resources |
Meterpreter executable detected evidence |
meterpreterX86executableEvidence |
Boolean |
Indicates whether there is evidence that the Cybereason platform identified remote malicious tool resources |
Mimikatz execution by shell process |
mimikatzByShellSuspicion |
Boolean |
Indicates whether this process is a shell process executing Mimikatz |
Mimikatz execution by shell process evidence |
mimikatzExecutedByShellProcessEvidence |
Boolean |
Indicates whether there is evidence this process is a shell process executing Mimikatz |
Mimikatz execution evidence |
mimikatzExecutionEvidence |
Boolean |
Indicates whether there is evidence of Mimikatz execution |
Mimikatz process |
mimikatzSuspicion |
Boolean |
Indicates whether the process has associated Mimikatz suspicions |
Mismatch between memory and on-disk code |
rareHasPeMismatchEvidence |
Boolean |
Indicates whether there is evidence the process has a mismatch between the in-memory code and the code on disk |
Mismatching memory section |
hasSectionMismatchEvidence |
Boolean |
Indicates whether there is evidence the process has a memory section which does not match the disk image for this section |
MITM attack |
mitmSuspicion |
Boolean |
Indicates the communication between a device and a network was intercepted and could be monitored and modified by an unauthorized party. In this Man-in-the-Middle attack, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device |
MITM attack through SSL Strip |
mitmSslStripSuspicion |
Boolean |
Indicates that the device may be involved in a network attack through a Man-in-the-Middle attack with SSL stripping, which allows a malicious attacker to change HTTPS traffic to HTTP so they can hijack traffic and steal credentials or deliver malware to the device. The communication between the device and a network was intercepted by an unauthorized party |
MITM attack via ARP suspicion |
mitmArpSuspicion |
Boolean |
Indicates that the device may be involved in a network attack. Communication between the device and a network was intercepted and could be monitored and modified by an unauthorized party. In this Man-in-the-Middle attack using ARP table poisoning, a malicious attacker can hijack traffic and steal credentials or deliver malware to the device |
MITM attack via ICMP redirect suspicion |
mitmIcmpSuspicion |
Boolean |
Indicates that the device may be involved in a network attack. The communication between the device and a network was intercepted. The attacker can hijack traffic and steal credentials or deliver malware to the device |
MITM attack with fake SSL certificate suspicion |
mitmSslCertificateSuspicion |
Boolean |
Indicates there is a Man-in-the-Middle attack using a fake certificate where a malicious attacker can hijack traffic and steal credentials or deliver malware to the device |
Module classified as malware evidence |
malwareModuleEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified one of the process modules as malware |
Module not in loader database |
rareHasUnloadedToDbEvidence |
Boolean |
Indicates whether there is evidence the process is found to have a module that does not appear in the loader database |
Module prevention |
processModuleExecutionPreventedEvidence |
Boolean |
Indicates whether the process loaded a module that was previously prevented by Application Control |
Modules loaded from the temporary directory |
modulesFromTemp |
Array |
Collection of modules associated with this process that are loaded from the temporary directory |
Modules not in loader DB |
modulesNotInLoaderDbList |
Array |
Collection of modules associated with this process that are not located in the loader database |
MS Build as child of suspicious Office process |
msbuildChildofMSOfficeSuspicion |
Boolean |
Indicates whether this process is an MSBuild process that was executed by an MS Office application |
MS Exchange application pool exploit attempt |
MSExchangeOWAPoolWebshellEvidence |
Boolean |
Indicates whether there is evidence the process was observed making an attempt to exploit the MS Exchange application pool |
MS-RPC request invoked/accessed the process using DCOM |
msrpcDCOMServerEvidence |
Boolean |
Indicates whether an MS-RPC request invoked or accessed the process using a DCOM object |
MSBuild in suspicious execution chain |
msbuildChildOfSuspiciousEvidence |
Boolean |
Indicates whether there is evidence this process is an executable process that is suspected of being a descendant of an MS Office application |
Multiple extensions for image file |
dualExtensionNameEvidence |
Boolean |
Indicates whether there is evidence the process file contains more than one extension. |
Multiple extensions obscuring image file extension |
hiddenFileExtensionEvidence |
Boolean |
Indicates whether there is evidence that the process uses an extension disguised from the user by using multiple extensions. |
Multiple hashes for unsigned files with same PE information as image file |
multipleHashForUnsignedPeInfoEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform identified multiple hashes for unsigned files with the same path and PE information as the process image file |
N/A |
rareInternalConnections |
Array |
Collection of rare internal connections associated with this process |
Connection to rogue WiFi |
mitmRogueApNearbyEvidence |
Boolean |
Indicates there is evidence of a rogue access point which exploits a device vulnerability to connect to a previously known WiFi network by masking preferred/known networks |
net.exe add new user to local admin user group |
netCreateAdminSuspicion |
Boolean |
Indicates whether the net.exe process is suspected of attempting to add a user to the local admin user group |
net.exe added new local admin user |
netAddAdminEvidence |
Boolean |
Indicates whether there is evidence that the net.exe process attempted to add a user to the local admin user group |
net.exe as child process of suspicious process |
netDescendantOfSuspiciousProcessEvidence |
Boolean |
Indicates whether there is evidence the net.exe process is a descendant of a suspicious process |
net.exe used to create or add user to group |
netAddUserSuspicion |
Boolean |
Indicates whether the net.exe process is suspected of attempting to add a user to the user group |
net.exe used to create or add user to group evidence |
netAddUserEvidence |
Boolean |
Indicates whether there is evidence that the net.exe process attempted to add a user to the user group |
Netsh process |
isNetshProcess |
Boolean |
Indicates whether the process is a Netsh process |
netsh.exe disabled firewall |
netshDisableFirewallSuspicion |
Boolean |
Indicates whether the netsh.exe process disabled a firewall |
netsh.exe disabled firewall evidence |
netshDisableFirewallEvidence |
Boolean |
Indicates whether there is evidence that the netsh.exe process disabled a firewall. |
Network handoff to alter routing |
arpHandoffEvidence |
Boolean |
Indicates there is evidence that the device is using network handoff to alter routing on a network, potentially allowing for a Man-in-the-Middle attack. |
Network scan while running injected code |
maliciousByScanningOfInjectedProcess |
Boolean |
Indicates whether the process performs network scans while running injected code |
Network scan with elevated privileges |
maliciousByScanningOfElevatedProcess |
Boolean |
Indicates whether the process performs network scans while running with high privileges or escalating a child process to run with high privileges |
Network scanner |
networkScannerEvidence |
Boolean |
Indicates whether there is evidence the process is scanning the internal network. |
Network share discovery |
networkShareDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is involved in network share discovery to obtain details of network shares. |
New process |
newProcessEvidence |
Boolean |
Indicates whether there is evidence the process is executed for the first time on this machine. |
New process |
newProcess |
Boolean |
Indicates whether the process is executed for the first time on this machine |
New process created above normal threshold |
newProcessesAboveThresholdEvidence |
Boolean |
Indicates whether there is evidence the process created multiple new processes. |
New service |
newServiceEvidence |
Boolean |
Indicates whether there is evidence this process started a new service for malicious purposes. |
Non-certified or compromised device |
SafetyNetAttestationBasicIntegrityFalseEvidence |
Boolean |
Indicates there is evidence that the Android device has been tampered with. The device is not certified by Google, and may have been additionally compromised, such as a rooted device. |
Non-compliant app |
appOutOfComplianceEvidence |
Boolean |
Indicates there is evidence that apps marked Out of Compliance were found on the device. |
Non-default resolver |
nonDefaultResolverSuspicion |
Boolean |
Indicates whether the resolver of the DNS request is not the default resolver set for the machine |
Non-mail process connection to mail service |
hasMailConnectionForNonMailProcessEvidence |
Boolean |
Indicates whether there is evidence the process has a connection to a mail service but the process is not a mail client |
Not shell runner |
isNotShellRunner |
Boolean |
Indicates whether the process is not known to run shell processes |
NTDS audit object access by shadow copy |
unexpectedAuditObjectAccessNtdsFileShadowCopyEvidence |
Boolean |
Indicates whether there is evidence that the process accessed an audited system resource (the NTDS file) via a shadow copy |
Number of instances |
totalNumOfInstances |
Integer |
Number of short-lived, frequently-running processes that the process represents. |
Number of threads |
threadCount |
Integer |
The number of threads in the process |
Obfuscated PowerShell command |
powerShellBase64CompressedEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform detected encoded and compressed PowerShell commands |
Obscured extension for image file |
dualExtensionSuspicion |
Boolean |
Indicates whether the process uses an extension disguised from the user through the use of multiple extensions |
Obscured file extension |
macHiddenFileExtensionEvidence |
Boolean |
Indicates whether there is evidence that the image file for this process on a Mac OS machine is hiding the file extension. |
Opened files |
openedFiles |
Array |
Collection of opened files associated with this process |
Opened potentially malicious files |
maliciousOpenedFilesEvidence |
Boolean |
Indicates whether there is evidence this process opened files classified as malicious. |
Original injector process |
originInjector |
String |
The process that first initiated the injection activity |
Osascript JavaScript payload |
osascriptPayloadSuspicion |
Boolean |
Indicates whether this process used OSA JavaScript to run a payload |
Osascript JavaScript ran payload evidence |
osascriptPayloadEvidence |
Boolean |
Indicates whether there is evidence this process used OSA JavaScript to run a payload. |
Outgoing connections of host process |
outgoingConnectionsOfHostProcess |
Array |
Collection of outgoing connections associated with this process that were made by the host of this injection thread |
Outgoing connections |
outgoingConnections |
Array |
Collection of outgoing connections associated with this process |
Outgoing external connections |
outgoingExternalConnections |
Array |
Collection of outgoing external connections associated with this process |
Outgoing internal connections |
outgoingInternalConnections |
Array |
Collection of outgoing internal connections associated with this process |
Owner machine |
ownerMachine |
String |
Name of the owner machine for this process |
Packed process |
packedProcessDecisionFeature |
Boolean |
Indicates whether this process is a packed process |
Packed process |
packedProcessSuspicion |
Boolean |
Indicates whether the process is suspected of running from a packed binary file |
Packed process evidence |
packedProcessEvidence |
Boolean |
Indicates whether there is evidence this process is running from a packed binary file |
Parent and creator process mismatch |
parentCreatorMismatchEvidence |
Boolean |
Indicates there is evidence that the parent process for this process and the process that created this process are not the same process |
Parent from removable device |
parentFromRemovableDevice |
Boolean |
Indicates whether the parent process of this process was executed from a removable device |
Parent of PowerShell process running JavaScript |
parentOfPowerShellProcessRunningJavaScriptEvidence |
Boolean |
Indicates whether there is evidence this process is the parent of a PowerShell process that is running JavaScript via the command line |
Parent process does not match known hierarchy |
parentProcessNotMatchHierarchySuspicion |
Boolean |
Indicates whether the parent process of this process does not match the known process hierarchy of the process |
Parent process does not match known hierarchy evidence |
parentProcessNotMatchHierarchyEvidence |
Boolean |
Indicates whether there is evidence the parent process of this process does not match the known process hierarchy of the process |
Parent process name |
parentProcessName |
String |
The name of the parent process for this process |
Parent process not system process |
parentProcessNotSystemUserEvidence |
Boolean |
Indicates whether there is evidence the process is executed by a system user while its parent process is executed by a user that is not a system user |
Parent process run from removable device |
parentProcessFromRemovableDeviceEvidence |
Boolean |
Indicates whether there is evidence the parent process of this process was executed from a removable device |
Parent process was not admin process |
parentProcessNotAdminUserEvidence |
Boolean |
Indicates whether there is evidence the process is executed by a user with administrator privileges while its parent process is executed by a user with lower privileges |
Parent process |
parentProcess |
String |
The parent process of this process |
Pass the Hash receiver |
passTheHashReceiverSuspicion |
Boolean |
Indicates whether the process is performing a suspicious incoming authentication attempt using Pass the Hash |
Pass the Hash sender |
passTheHashSenderSuspicion |
Boolean |
Indicates whether the process is performing a suspicious outgoing authentication attempt using Pass the Hash |
Password file Read attempt |
credentialDumpingFromLinuxPasswdEvidence |
Boolean |
Indicates whether there is evidence the process attempted to read from the passwd file on the machine |
Password file search |
searchForPasswordFilesSuspicion |
Boolean |
Indicates whether the process is searching for files containing passwords |
Password file search evidence |
searchForPasswordFilesEvidence |
Boolean |
Indicates whether there is evidence that the process is searching for files containing passwords |
Password policy discovery |
passwordPolicyDiscoverySuspicion |
Boolean |
Indicates whether this process performed password policy discovery activities |
Password policy discovery evidence |
passwordPolicyDiscoveryEvidence |
Boolean |
Indicates whether there is evidence of the process trying to perform password policy discovery |
Permission groups discovery |
permissionGroupsDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is involved in permission groups discovery |
Permission groups discovery |
LinuxPermissionGroupsDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process attempted to discover permission groups on the machine |
Persistent modifications to device file systems |
processFilesystemchangeSuspicion |
Boolean |
Indicates there are persistent modifications to a device file system |
Persistence attempt through launch agents |
plistBuddyCreatesLaunchAgentsFileSuspicion |
Boolean |
Indicates whether the process attempted to gain persistence using the LaunchAgents mechanism |
Possibly untrusted profile |
profileUntrustedEvidence |
Boolean |
Indicates there is evidence there may be an untrusted profile on the device. This untrusted profile could be used to control the device remotely, monitor and manipulate user activities, and/or hijack a user's traffic |
Potential network configuration discovery |
networkConfigurationDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is performing network configuration discovery |
Potentially malicious application |
appMaliciousEvidence |
Boolean |
Indicates there is evidence a malicious app may have been detected on a device |
Potentially malicious link tapped |
siteInsightLinkTappedEvidence |
Boolean |
Indicates that a potentially malicious URL was tapped on the device |
Potentially malicious link visited |
siteInsightLinkVisitedSuspicion |
Boolean |
Indicates that a potentially malicious URL was tapped on the device and the user was warned of the potential danger of visiting the linked site and chose to continue on to the site after the warning |
Potentially Unwanted Program (PUP) |
unwantedEvidence |
Boolean |
Indicates whether or not there is evidence the Cybereason threat intelligence service classified the process image file as a Potentially Unwanted Program (PUP) |
Potentially unwanted program by hash value |
unwantedByHashReputation |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process image file as a Potentially Unwanted Program (PUP) due to the file hash |
Potentially unwanted program module |
unwantedModuleSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service identified a process module as a possibly unwanted program |
Potentially unwanted program module evidence |
unwantedModuleEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified a module associated with the process as a Potentially Unwanted Program (PUP) |
Power shell modules |
powerShellModules |
Array |
Collection of PowerShell modules associated with this process |
PowerShell command line with HKCU key |
powershellCurrentUserRegistryEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with a HKCU (current user) registry key in its command line |
PowerShell command line with HKLM key |
powershellLocalMachineRegistryEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with a HKLM (local machine) registry key in its command line |
PowerShell command line with IP address |
powershellIpAddressEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with an IP address in its command line |
PowerShell downloader |
powerShellDownloaderSuspcion |
Boolean |
Indicates whether the PowerShell process is attempting to download a file via command line |
PowerShell downloader evidence |
powershellDownloaderEvidence |
Boolean |
Indicates whether there is evidence the PowerShell process is attempting to download a file via command line |
PowerShell executed by cmdlet with environment variable |
powerShellIesEnvSuspicion |
Boolean |
Indicates whether PowerShell is suspected of executing with an invoked cmdlet to execute a value stored as an environment variable |
PowerShell executed by cmdlet with environment variable evidence |
powerShellIexEnvEvidence |
Boolean |
Indicates whether there is evidence that PowerShell executed with an invoked cmdlet to execute a value stored as an environment variable |
PowerShell executed by Word |
powershellExecutedByWordEvidence |
Boolean |
Indicates whether there is evidence this process is a PowerShell process that was executed by a Word document |
PowerShell process |
isPowerShellProcess |
Boolean |
Indicates whether the process is a PowerShell process |
PowerShell process command line with email address |
powershellEmailAddressEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process with an email address in its command line |
PowerShell run by encoded command |
powershellEncodedCommandEvidence |
Boolean |
Indicates whether there is evidence the PowerShell process was executed with an encoded command |
PowerShell uses suspicious parameters |
suspiciousUseOfPowershellSuspicion |
Boolean |
Indicates whether this PowerShell process was executed with suspicious parameters |
PowerShell using Invoke-Expression flag |
powershellInvokeExpressionEvidence |
Boolean |
Indicates whether there is evidence the Cybereason platform identified the process as a PowerShell process executing commands using an invoke-expression flag (iex) |
Prevent execution file hash |
blockedFileHash |
String |
List of file hashes that were prevented during process execution prevention |
Prevented by PowerShell Protection |
ngavPowershellPreventedEvidence |
Boolean |
Indicates whether there is evidence this process was prevented by PowerShell Protection |
Privilege escalation to admin |
executionPrevented |
Boolean |
Indicates whether the process elevated its privileges to the administration user level |
Process accessed ntds.file from shadow copy |
ntdsShadowCopyAccessEvidence |
Boolean |
Indicates whether there is evidence a process accessed the ntds.dit file from the shadow copy volume |
Process accessed SAM file from shadow copy |
samShadowCopyAccessEvidence |
Boolean |
Indicates whether there is evidence that a process accessed the SAM file from the shadow copy volume |
Process acting as client |
hasClientInteractionEvidence |
Boolean |
Indicates whether there is evidence this process is involved in a machine interaction as a client machine |
Process added firewall rule |
addFirewallRuleEvidence |
Boolean |
Indicates whether there is evidence the process added a firewall rule |
Process behaves like Inveigh script |
psInveighSuspicion |
Boolean |
Indicates whether the process exhibits malicious behavior related to the PowerShell Inveigh script |
Process behaves like Inveigh script evidence |
psInveighEvidence |
Boolean |
Indicates whether there is evidence the process exhibits suspicious behavior related to the PowerShell Inveigh script |
Process creation by remote WMI |
wmiRemoteProcessCreationSuspicion |
Boolean |
Indicates whether the process used WMI to perform remote process creation |
Process creation by remote WMI evidence |
wmiRemoteProcessCreationEvidence |
Boolean |
Indicates whether there is evidence the process used WMI to perform remote creation of a process |
Process creation with Win32_Product::Install method |
createdByWMIWin32ProductEvidence |
Boolean |
Indicates whether there is evidence the process was created using the Win32_Product::Install method |
Process deleted parent process |
deletedParentProcessEvidence |
Boolean |
Indicates whether there is evidence the process deleted its parent process |
Process discovery |
processDiscoverySuspicion |
Boolean |
Indicates whether this process performed process discovery activities |
Process discovery evidence |
processDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is involved in process discovery |
Process execution by PsExec |
parentPsexecEvidence |
Boolean |
Indicates whether there is evidence the process was executed by a PsExec service |
Process execution by system user |
threatMapConnectedEvidence |
Boolean |
Indicates that the device has connected to a Wifi network where malicious attacks have been observed |
Process execution by system user |
systemUserEvidence |
Boolean |
Indicates whether there is evidence the process is executed by a user with system level privileges |
Process execution from Recycle Bin evidence |
executedFromRecycleBinEvidence |
Boolean |
Indicates whether there is evidence the process was run from the Recycle Bin |
Process execution from Recycle Bin suspicion |
executedFromRecycleBinSuspicion |
Boolean |
Indicates whether the process was run from the Recycle Bin |
Process file extension not used for executable files |
nonExecutableExtensionEvidence |
Boolean |
Indicates whether there is evidence the process file extension is not normally used for executable files |
Process hidden by rootkit |
hiddenProcessSuspicion |
Boolean |
Indicates whether the process is hidden |
Process hidden by rootkit evidence |
hiddenProcessEvidence |
Boolean |
Indicates whether there is evidence the process is hidden |
Process ID |
applicablePid |
String |
The process identifier (PID) |
Process image file hash on blocklist |
blackListedFileHash |
Boolean |
Indicates whether the image file of the process is a file on the blocklist |
Process image file on blocklist |
blackListFileSuspicion |
Boolean |
Indicates whether the process is executing a file on the blocklist |
Process image file unsigned |
unknownUnsignedEvidence |
Boolean |
Indicates whether there is evidence the process image file is unsigned and the process is not known to reputation services |
Process integrity |
integrity |
Enum |
The reputation for the process running on the same user. Possible values include: In the UI: In the API: |
Process invoked CMSTPLUA ShellExec method using DCOM |
msrpcCMSTPLUAClientEvidence |
Boolean |
Indicates whether the process invoked the CMSTPLUA ShellExec method using DCOM |
Process is child process of Microsoft Office process |
executableChildOfMSOfficeEvidence |
Boolean |
Indicates whether there is evidence the process is a child process of an MS Office process |
Process issued an MS-RPC request to enumerate users |
msrpcUserEnumerationClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to enumerate users |
Process issued MS-RPC request for group discovery |
msrpcGroupDiscoveryClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request for group discovery |
Process issued MS-RPC request for NetLogon session challenge and authentication |
msrpcNetlogonSessionChallengeClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request for the NetLogon challenge and authentication steps |
Process issued MS-RPC request for NetLogon session challenge/authentication steps in ZeroLogon exploitation |
msrpcZerologonClientSuspicion |
Boolean |
Indicates whether the process issued an MS-RPC request for the NetLogon session challenge and authentication steps as found in the ZeroLogon exploitation |
Process issued MS-RPC request for service creation |
msrpcServiceCreateClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request for service creation |
Process issued MS-RPC request to change service config |
msrpcServiceChangeClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to change a service config |
Process issued MS-RPC request to create user |
msrpcCreateUserClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to create a user |
Process issued MS-RPC request to delete a scheduled task |
msrpcDeleteScheduledTaskClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to delete a scheduled task |
Process issued MS-RPC request to delete a service |
msrpcServiceDeleteClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to delete a service |
Process issued MS-RPC request to enumerate domain name |
msrpcDomainEnumerationClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to enumerate the domain name |
Process issued MS-RPC request to get updated domain object information |
msrpcDCGetChangesClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to get updated domain object information |
Process issued MS-RPC request to push domain object information |
msrpcDCPushChangesClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to push domain object information |
Process issued MS-RPC request to query current IPv4/IPv6 DHCP lease information |
msrpcDhcpQueryClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request that queried the current IPv4 or IPv6 DHCP lease information |
Process issued MS-RPC request to query for user information |
msrpcWkstUserInfoEnumerationClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to query user information |
Process issued MS-RPC request to query installed network adapters |
msrpcDnsAdapterInfoClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to query for installed network adapters |
Process issued MS-RPC request to query terminal name |
msrpcTerminalNameClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to query for the terminal name |
Process issued MS-RPC request to register scheduled task |
msrpcRegisterScheduledTaskClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to register a scheduled task |
Process issued MS-RPC request to Remote Registry service for HKLM hive handle |
msrpcRemoteRegistryHKLMHandleClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to the Remote Registry service for the HKLM hive handle |
Process issued MS-RPC request to Remote Registry service to export Windows registry hive |
msrpcRemoteRegistryExportClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to the Remote Registry service to export a Windows registry hive |
Process issued MS-RPC request to Remote Registry service to query Windows registry |
msrpcRemoteRegistryQueryClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to the Remote Registry service to query the Windows registry |
Process issued MS-RPC request to run scheduled task |
msrpcRunScheduledTaskClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to run a scheduled task |
Process issued MS-RPC request to start a service |
msrpcServiceStartClientEvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to start a service |
Process issued MS-RPC request to update user information |
msrpcEUpdateUserClientvidence |
Boolean |
Indicates whether the process issued an MS-RPC request to update user information |
Process loaded PowerShell module |
powershellModuleLoadedEvidence |
Boolean |
Indicates whether or not there is evidence the process loaded a PowerShell module |
Process loads module on blocklist |
blackListModuleSuspicion |
Boolean |
Indicates whether the process loads a module on the blocklist |
Process loads module on blocklist evidence |
blackListModuleEvidence |
Boolean |
Indicates whether there is evidence the process loads a module on the blocklist |
Process masquerading as movie |
masqueradingAsMovieEvidence |
Boolean |
Indicates whether there is evidence the process is masquerading as a movie |
Process masquerading as operating system process |
maliciousUseOfOSProcess |
Boolean |
Indicates whether this process masqueraded as an operating system process for malicious purposes |
Process masquerading as Windows accessibility feature |
abusingWindowsAccessibilityFeatures |
Boolean |
Indicates whether this process is masquerading as one of the MS Windows accessibility features
Process modified device file system |
processFilesystemchangeEvidence |
Boolean |
Indicates there is evidence of persistent modifications to a device file system. |
Process module classified as ransomware |
ransomwareModuleSuspicion |
Boolean |
Indicates whether the Cybereason threat intelligence service classified one of the process modules as ransomware |
Process module classified as ransomware evidence |
ransomwareModuleEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified one of the process modules as ransomware |
Process module in temporary folder |
hasModuleFromTempEvidence |
Boolean |
Indicates whether there is evidence the process has a module located in a temporary folder |
Process name |
calculatedName |
String |
The calculated name of the process |
Process name |
elementDisplayName |
String |
The name of the process |
Process name hidden from scanning tools |
covertProcessParametersOverrideEvidence |
Boolean |
Indicates whether there is evidence the process name was hidden from normal scanning tools |
Process or image file hash classified as malware |
malwareByHashReputation |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process image file as malware due to the image file hash. |
Process or image file with unverifiable signature |
maliciousSignedUnverifiedSuspicion |
Boolean |
Indicates whether the process image file has an unverifiable signature that indicates malicious interference with the image file or the certificate used to sign the image file |
Process partially hidden from scanning API |
covertProcessFullyTemperedIterationApiEvidence |
Boolean |
Indicates whether there is evidence the process was fully hidden from the normal scanning API |
Process performed privilege elevation |
privilegeEscalationEvidence |
Boolean |
Indicates whether there is evidence the process elevated its privileges to the local system user level |
Process performed privilege elevation to admin |
privilegeEscalationToAdminSuspicion |
Boolean |
Indicates whether the process behaves like a privilege escalation tool |
Process performed privilege elevation to system |
privilegeEscalationSuspicion |
Boolean |
Indicates whether the process behaves like a privilege escalation tool |
Process pushed new domain users/object information to domain controllers |
msrpcDCShadowClientSuspicion |
Boolean |
Indicates whether the process pushed new domain users or object information to domain controllers |
Process ran injected code from deleted file |
deletedInjectorInjectionSuspicion |
Boolean |
Indicates whether the process is running code injected by a process whose file no longer exists
Process received MS-RPC request to Remote Registry service to export Windows registry hive |
msrpcRemoteRegistryExportServerEvidence |
Boolean |
Indicates whether the process received an MS-RPC request to the Remote Registry service to export a Windows registry hive |
Process received MS-RPC request to the Remote Registry service for HKLM hive handle |
msrpcRemoteRegistryHKLMHandleServerEvidence |
Boolean |
Indicates whether the process received an MS-RPC request to the Remote Registry service for the HKLM hive handle |
Process requested replica of domain users/object information from domain controllers |
msrpcDCSyncClientSuspicion |
Boolean |
Indicates whether the process requested a replica of the domain users or object information from the domain controllers
Process run on target machine in Pass the Hash attack |
executedOnPassTheHashLogonSessionSuspicion |
Long |
Indicates whether the process is running a Pass the Hash attack on the target machine |
Process run on target machine in Pass the Hash attack evidence |
executedOnPassTheHashLogonSessionEvidence |
Boolean |
Indicates whether there is evidence the process is running a Pass the Hash attack on the target machine |
Process running malicious web shell |
maliciousWebShellSuspicion |
Boolean |
Indicates whether this process ran a web shell for malicious purposes |
Process running web shell |
webShellEvidence |
Boolean |
Indicates whether there is evidence this process is running or related to a web shell |
Process used by exploit kit |
exploitKitSuspicion |
Boolean |
Indicates whether the process used an exploit kit |
Process used by exploit kit evidence |
exploitKitEvidence |
Boolean |
Indicates whether there is evidence the process uses an exploit kit |
Process used FTP data transfer |
ftpCommunicationEvidence |
Boolean |
Indicates whether there is evidence the process used communication through FTP |
Process used MS-RPC request to invoke/access a DCOM object |
msrpcDCOMClientEvidence |
Boolean |
Indicates whether the process used an MS-RPC request to invoke or access a DCOM object |
Process used rare DNS resolver server |
rareHasNonDefaultResolver |
Boolean |
Indicates whether the process uses a non-default DNS server and this behavior is rare for the process |
Product type |
productType |
Enum |
The type of product running the process. Possible values include: In the UI:
In the API:
|
Protected process running injected code from other process |
injectedProtectedProcessSuspicion |
Boolean |
Indicates whether the process is a protected process and was identified as running code injected into the process by another process
Protected process running injected code from other process evidence |
injectedProtectedProcessEvidence |
Boolean |
Indicates whether there is evidence the process is a protected process and was detected as receiving injected code |
Protection type |
protectionType |
Enum |
The type of protection the process has. Possible values include: In the UI:
In the API:
|
PsExec remote execution process |
psexecExecuterEvidence |
Boolean |
Indicates whether there is evidence the process is a remote execution process (PsExec) |
Public app connection to internal network |
internalNetworkAccessEvidence |
Boolean |
Indicates there is evidence of an app connecting to private, internal servers. It is uncommon for public applications to connect to internal servers. Public applications connecting to internal servers is considered suspicious behavior and should be investigated immediately for the possible threat of malware installed on the device and the risk of data leakage |
Ran a dropped script |
maliciousScriptDropperEvidence |
Boolean |
Indicates whether there is evidence the process opened a file that executed a potentially malicious script |
Ran encoded payload via Python |
pythonPayloadSuspicion |
Boolean |
Indicates whether this process used Python to run an encoded payload |
Ran encoded payload via Python evidence |
pythonPayloadEvidence |
Boolean |
Indicates whether there is evidence this process used Python to run an encoded payload. |
Ran injected code from compromised legitimate process |
legitProcessInjectionSuspicion |
Boolean |
Indicates whether the process is running code injected by a compromised legitimate process |
Ran injected code from other process |
detectedInjectedEvidence |
Boolean |
Indicates whether there is evidence the process is running code that was injected by another process |
Ran malicious injected code |
suspiciousInjectedCodeSuspicion |
Boolean |
Indicates whether the Cybereason platform identified the process as running code that was injected by another process |
Ran suspicious PowerShell commands |
suspiciousCommandsEvidence |
Boolean |
Indicates whether there is evidence of suspicious PowerShell commands associated with this process |
Ransomware auto blocking file hash |
ransomwareAutoRemediationBlocked |
Boolean |
Indicates whether the file associated with the process was automatically blocked due to ransomware detection |
Ransomware behavior by shadow copy deletion |
maliciousShadowCopyDeletion |
Boolean |
Indicates whether the process exhibits ransomware behavior by deletion of shadow copies |
Ransomware by hash value |
ransomwareByHashReputation |
Boolean |
Indicates whether the Cybereason threat intelligence service classified the process image file as ransomware |
Ransomware by hash value evidence |
ransomwareEvidence |
Boolean |
Indicates whether there is evidence the Cybereason threat intelligence service classified the process image file as ransomware |
Ransomware classification modules |
ransomwareClassificationModules |
Array |
Collection of modules associated with the process that are classified as ransomware by the Cybereason threat intelligence service |
Ransomware file manipulation |
ransomwareByCanaryFilesSuspicion |
Boolean |
Indicates whether the process behaves like ransomware due to file manipulation |
Ransomware file manipulation evidence |
ransomwareByCanaryFilesEvidence |
Boolean |
Indicates whether there is evidence the process behaves like ransomware due to file manipulation |
Ransomware shadow copy deletion |
ransomwareByVssSuspicion |
Boolean |
Indicates whether the process behaves like ransomware due to shadow copy deletion with the vssadmin.exe utility |
Ransomware shadow copy deletion evidence |
ransomwareByVssEvidence |
Boolean |
Indicates whether there is evidence the process behaves like ransomware due to shadow copy deletion with the vssadmin.exe utility |
Rare child process |
rareChildProcessEvidence |
Boolean |
Indicates whether there is evidence the process's child process appears significantly less frequently than other processes in the environment
Rare execution by local system user |
rareLocalSystemUserEvidence |
Boolean |
Indicates whether there is evidence the process is executed by a local system user |
Rare execution by non-local system user |
rareNotLocalSystemUserEvidence |
Boolean |
Indicates whether there is evidence the process is executed by a non-local system user whose user name appears infrequently within the environment
Rare extension for process |
rareExtension |
Boolean |
Indicates whether the process extension is rare |
Rare extension type for process |
rareExtensionType |
Boolean |
Indicates whether the process extension type is rare |
Rare external connection |
rareExternalConnections |
Boolean |
Indicates whether the process has rare external connections |
Rare floating executable code |
rarePeFloatingCodeEvidence |
Boolean |
Indicates whether there is evidence the process has PE (Portable Executable) code floating in memory (not attached to a module/file) and this behavior is rare for the process |
Rare internal connection |
hasRareInternalConnectionEvidence |
Boolean |
Indicates whether there is evidence the process has rare internal connections |
Rare internal connection |
hasRareInternalConnection |
Boolean |
Indicates whether there are rare internal connections associated with this process |
Rare listening connection |
rareListeningConnectionEvidence |
Boolean |
Indicates whether there is evidence the process has an unusual open listening socket |
Rare parent |
rareParentEvidence |
Boolean |
Indicates whether there is evidence the process is a parent process that appears significantly less frequently than other processes in the environment
Rare process |
rareProcessEvidence |
Boolean |
Indicates whether there is evidence the process appears significantly less frequently than other processes in the environment |
Rare registry entry execution |
rareHasAutorunEvidence |
Boolean |
Indicates whether there is evidence the associated registry entry for the process appears significantly less frequently than other registry entries in the environment |
Rare remote address |
hasRareRemoteAddress |
Boolean |
Indicates whether the process has a remote address that appears significantly less frequently than other addresses in the environment |
Rare remote address |
hasRareRemoteAddressEvidence |
Boolean |
Indicates whether there is evidence the process has a rare remote address associated with the process |
Rare service for process |
rareProcessRunByService |
Boolean |
Indicates whether the rare process was executed by a service |
RAT behavior |
maliciousTool |
Boolean |
Indicates whether this process is classified as a malicious tool due to Remote Access Trojan (RAT) behavior |
RDP enabled by registry modification |
remoteDesktopRegistryEnabledEvidence |
Boolean |
Indicates whether there is evidence the process enabled the Remote Desktop Protocol due to registry modification |
RDP enabled by service execution |
remoteDesktopRegistryReconSuspicion |
Boolean |
Indicates whether the process is suspected of querying the local terminal service status |
RDP started |
remoteDesktopProtocolStartedSuspicion |
Boolean |
Indicates whether the process enabled the Remote Desktop Protocol by registry modification |
RDP suspected enabled |
rdpEnableSuspicion |
Boolean |
Indicates whether this process enabled the Remote Desktop Protocol on a machine |
Read action on lsasrv.dll |
lsassSensitiveReadSuspicion |
Boolean |
Indicates whether this process performed a read operation on the lsasrv.dll file related to credential information |
reg.exe command line with temp |
regFromTempSuspicion |
Boolean |
Indicates whether the reg.exe process command line contains a temporary folder |
reg.exe command line with temp evidence |
regFromTempEvidence |
Boolean |
Indicates whether there is evidence that the reg.exe process command line contains a temporary folder |
reg.exe performed registry credential dump |
regCredentialsDumpSuspicion |
Boolean |
Indicates whether the reg.exe process was used to dump credentials from memory |
reg.exe performed SAM registry dump |
regDumpSamEvidence |
Boolean |
Indicates whether there is evidence the reg.exe process executed a SAM registry dump |
reg.exe performed Security registry dump |
regDumpSecurityEvidence |
Boolean |
Indicates whether there is evidence the reg.exe process executed a SECURITY registry dump |
reg.exe performed System registry dump |
regDumpSystemEvidence |
Boolean |
Indicates whether there is evidence the reg.exe process executed a SYSTEM registry dump |
Regasm library modification |
regasmUninstallEvidence |
Boolean |
Indicates whether there is evidence the Windows Registration Assembly utility (regasm.exe) process tried to uninstall a library |
Registry events |
registryEvents |
Array |
Collection of registry events associated with this process |
regsvcs.exe performed library modification |
regsvcsUninstallEvidence |
Boolean |
Indicates whether there is evidence the Remote Registry service (regsvcs.exe) process tried to uninstall a library |
Related to Malop |
relatedToMalop |
Boolean |
Indicates whether the process is related to a Malop |
Remote Desktop Protocol enabled |
rdpEnableEvidence |
Boolean |
Indicates whether there is evidence the process enabled the Remote Desktop Protocol |
Remote Desktop Protocol service started |
remoteDesktopServiceEnabledEvidence |
Boolean |
Indicates whether there is evidence the process enabled the Remote Desktop Protocol by service execution
Remote PowerShell execution |
remoteExecutionOfPowershellEvidence |
Boolean |
Indicates whether there is evidence the process is a remote execution of PowerShell |
Remote process creation with Win32_Product::Install method |
remotelyCreatedByWMIWin32ProductEvidence |
Boolean |
Indicates whether there is evidence this process was created remotely with the use of the WMI Win32_Product::Install method
Remote Registry service received MS-RPC request to query Windows registry hive |
msrpcRemoteRegistryQueryServerEvidence |
Boolean |
Indicates whether the Remote Registry service received an MS-RPC request to query a Windows registry hive |
Remote service creation with Win32_BaseService::Start method |
remotelyCreatedByWMIWin32ServiceEvidence |
Boolean |
Indicates whether there is evidence a service for this process was remotely created using the WMI Win32_BaseService::Start method |
Remote session |
remoteSession |
Array |
Collection of remote sessions associated with this process |
Remote system discovery |
remoteSystemDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is involved in remote system discovery in an attempt to get a listing of other accessible systems |
Renamed well-known executable |
renamedWellKnownToolSuspicion |
Boolean |
Indicates whether this process is renamed to the name of a well-known tool
Renamed well-known executable evidence |
renamedWellKnownToolEvidence |
Boolean |
Indicates whether there is evidence this process is renamed to the name of a well-known tool |
Resolved DNS queries from domain to domain |
resolvedDnsQueriesDomainToDomain |
String |
List of resolved DNS queries made by this process from a domain pointing to another domain name
Resolved DNS queries from domain to IP |
resolvedDnsQueriesDomainToIp |
Array |
Collection of resolved DNS queries doing lookup from domain to the IP address associated with it |
Resolved DNS queries from IP to Domain |
resolvedDnsQueriesIpToDomain |
Array |
List of resolved DNS queries made by this process from an IP address to find its domain name
Rogue Access Point |
mitmRogueApSuspicion |
Boolean |
Indicates the device was connected to a rogue WiFi access point. Connecting to a rogue access point exposes the device to an unauthorized party who can access your network data and/or credentials
Running from temporary folder |
runningFromTempEvidence |
Boolean |
Indicates whether there is evidence the process is running from a temporary folder |
Running injected code |
maliciousInjectedCodeSuspicion |
Boolean |
Indicates whether the process is running code injected by another process |
Running injected code from child of legitimate process |
injectorChildOfLegitProcessInjectionSuspicion |
Boolean |
Indicates whether the process is running code injected by a process that is a child of a legitimate process |
Running injected floating code |
maliciousPeExecutionSuspicion |
Boolean |
Indicates whether the process is running floating code injected by another process |
Contains shellcode in memory |
shellcodeInProcessSuspicion |
Boolean |
Indicates whether malicious, floating, and position-independent code was found in process memory |
SAM file audit object access |
unexpectedAuditObjectAccessSamFileEvidence |
Boolean |
Indicates whether there is evidence that the process accessed an audited system resource (the SAM file)
SAM key audit object access |
unexpectedAuditObjectAccessSamKeyEvidence |
Boolean |
Indicates whether there is evidence that the process accessed an audited system resource (the SAM registry key)
Sandbox process |
isSandbox |
Boolean |
Indicates whether the process is executed in a sandbox mode |
UDP scan |
scanUdpEvidence |
Boolean |
Indicates there is evidence of a reconnaissance scan using the UDP protocol, which is often an indicator of a malicious attacker searching for a device vulnerable to a network attack such as MITM
Scheduled task |
scheduledTask |
String |
Scheduled task running this process |
Scheduled task creation |
linuxScheduledTaskCreationProcessEvidence |
Boolean |
Indicates whether the process attempted to create a scheduled task |
Scheduled tasks discovery |
scheduledTaskDiscoverySuspicion |
Boolean |
Indicates whether this process performed activities to discover information about scheduled tasks on a machine |
Scheduled tasks discovery evidence |
scheduledTaskDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is performing scheduled tasks discovery to attempt to obtain details of existing scheduled tasks |
Screen saver with child processes |
screenSaverWithChildrenEvidence |
Boolean |
Indicates whether there is evidence the process is a screensaver process with child processes |
Service creation on remote machine |
remoteServiceCreationSuspicion |
Boolean |
Indicates whether the process created a service on a remote machine. |
Service creation on remote machine evidence |
remoteServiceCreationEvidence |
Boolean |
Indicates whether there is evidence this process created a service on a remote machine |
Service execution by process |
serviceProcessEvidence |
Boolean |
Indicates whether there is evidence the process was executed by a service |
Service host |
isServiceHost |
Boolean |
Indicates whether the process is a service host |
Service loaded by non-SCM process |
svchostNewProcessParentSuspicion |
Boolean |
Indicates whether a service was loaded by a new process and not directly by SCM (Service Control Manager) |
Service running non-service process |
rareServiceRunningProcess |
Boolean |
Indicates whether the process instance was executed by a service that appears significantly less frequently than other services in the environment |
Service start with Win32_BaseService::Start method |
createdByWMIWin32ServiceEvidence |
Boolean |
Indicates whether there is evidence the service related to the process was created by the WMI Win32_BaseService::Start method |
Service started evidence |
serviceExecutionEvidence |
Boolean |
Indicates whether there is evidence that the process started a service for malicious purposes |
Service without service host |
serviceWithoutServiceHost |
Boolean |
Indicates whether this service was executed by a process that is not a service host
Service |
service |
String |
The service associated with this process |
Several error code 9003 responses |
multipleUnresolvedRecordNotExistsEvidence |
Boolean |
Indicates whether there is evidence the process contains more than five unresolved DNS queries with a Record-Not-Exists error code (9003) |
Shadow copy deletion via VSSAdmin |
vssAdminDeleteShadowsEvidence |
Boolean |
Indicates whether there is evidence the process is the vssadmin.exe process executed to delete shadow copies |
Shadow copy deletion via WMIC |
wmicShadowCopyDeleteEvidence |
Boolean |
Indicates whether there is evidence the process is a WMIC process executed to delete shadow copies |
Shadow copy deletion with vssadmin.exe |
shellWithVssAdminDeleteShadowCopiesEvidence |
Boolean |
Indicates whether there is evidence the process is a shell process that is executing vssadmin.exe to delete shadow copies |
Shadow file Read attempt |
credentialDumpingFromLinuxShadowEvidence |
Boolean |
Indicates whether there is evidence the process attempted to read from the Shadow file on a machine |
Shell process connection to remote address |
linuxMacReverseShellSuspicion |
Boolean |
Indicates whether this shell process on a Linux or Mac machine connected to a remote address |
Shell process connection to remote address evidence |
linuxMacReverseShellEvidence |
Boolean |
Indicates whether there is evidence this shell process on a Linux or Mac machine connected to a remote address |
Shell with elevated privileges |
shellWithElevatedPrivilegesSuspicion |
Boolean |
Indicates whether the process is a shell process that was executed by a local system user with elevated privileges |
Shell with elevated privileges evidence |
shellWithElevatedPrivilegesEvidence |
Boolean |
Indicates whether there is evidence the process is a shell process that was executed by a local system user with elevated privileges |
Shell with unexpected parent |
shellOfNonShellRunnerSuspicion |
Boolean |
Indicates whether the process is a shell process that was executed by a process that is not supposed to execute shell applications |
Shell with unexpected parent evidence |
shellOfNonShellRunnerEvidence |
Boolean |
Indicates whether there is evidence the process is a shell process that was executed by a process that is not supposed to execute shell applications |
Shell process connects to a remote address and allows interactive commands |
linuxMacReverseShellEvidence |
Boolean |
Indicates whether there is evidence the shell process connects to a remote address and allows interactive commands |
Shell process connects to a remote address and allows interactive commands |
linuxMacReverseShellSuspicion |
Boolean |
Indicates whether a shell process connects to a remote address and allows interactive commands |
Sideloaded apps |
sideloadedAppSuspicion |
Boolean |
Indicates there are sideloaded apps that are installed independently of an official app store and can present a security risk |
Sideloaded or unofficial apps |
sideloadedAppEvidence |
Boolean |
Indicates there are sideloaded apps that are installed independently of an official app store and can present a security risk |
Signature explicitly revoked |
signatureVerificationStatusExplicitlyRevokedEvidence |
Boolean |
Indicates whether there is evidence any of the process image file signing certificates in the chain of trust has been explicitly revoked |
Signed and verified |
isImageFileSignedAndVerified |
Boolean |
Indicates whether the process image file is signed and verified |
Signed image file |
isImageFileSigned |
Boolean |
Indicates whether the process image file is digitally signed |
Signer |
protectionSigner |
Enum |
The authority that signed the protected process. Possible values include: In the UI:
In the API:
|
Site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
maliciousPhishingSuspicion |
Boolean |
Indicates there is evidence the device visited a site designed to deceive the end user into entering and submitting sensitive personal or corporate information through what appears to be a trusted web form
Site Insight - link visited evidence |
siteInsightLinkVisitedEvidence |
Boolean |
Indicates there is evidence that a potentially malicious URL was tapped on the device and the user was warned of the potential danger of visiting the linked site and chose to continue on to the site after the warning |
Suspected fsutil.exe deleted Update Sequence Number journal change |
fsutilDeleteJournalSuspicion |
Boolean |
Indicates whether the process deleted the Update Sequence Number Journal changes in an effort to make process activities |
Sudoers file access |
sudoersFileModificationEvidence |
Boolean |
Indicates whether the process attempted to access the Sudoers file |
Suspected network configuration discovery |
networkConfigurationDiscoverySuspicion |
Boolean |
Indicates whether this process performed network configuration discovery activities |
Suspected RAT process |
ratSuspicion |
Boolean |
Indicates whether the process behavior is known to be used by Remote Access Trojans |
Suspended |
ransomwareAutoRemediationSuspended |
Boolean |
Indicates whether the process is suspended |
Suspicious |
isSuspicious |
Boolean |
Indicates whether the process is classified as suspicious by the Cybereason threat intelligence service |
Suspicious app |
ipaMaliciousEvidence |
Boolean |
Indicates there may be evidence of a malicious app on a device where the app tries to take control of the device in some manner (e.g. elevate privileges, spyware, etc.) |
Suspicious Domain-to-Domain DNS queries |
suspiciousDnsQueryDomainToDomain |
Array |
Collection of Domain-to-Domain DNS queries where one of the domains was detected as malicious by the Cybereason threat intelligence service |
Suspicious external connection |
hasSuspiciousExternalConnectionSuspicion |
Boolean |
Indicates whether the process has an external connection that is marked as suspicious |
Suspicious external connections |
suspiciousExternalConnections |
Array |
Collection of external connections associated with the process that are classified as suspicious by the Cybereason threat intelligence service |
Suspicious internal connection |
hasSuspiciousInternalConnectionSuspicion |
Boolean |
Indicates whether the process has an internal connection that is marked as suspicious |
Suspicious internal connections |
suspiciousInternalConnections |
Array |
Collection of internal connections associated with the process that are classified as suspicious by the Cybereason threat intelligence service |
Suspicious iOS app suspicion |
ipaMaliciousSuspicion |
Boolean |
Indicates there may be a malicious app on a device where the app tries to take control of the device in some manner (e.g. elevate privileges, spyware, etc.) |
Suspicious mail connections |
suspiciousMailConnections |
Boolean |
Indicates whether the process creates mail connections while it is not recognized by the Cybereason threat intelligence service as a legitimate program for such behavior |
Suspicious MSBuild code behavior |
msbuildBehaviourSuspicion |
Boolean |
Indicates whether the Msbuild process exhibited suspicious behavior related to code execution |
Suspicious net.exe activity |
netActivitySuspicion |
Boolean |
Indicates whether the net.exe process is part of a suspicious execution chain |
Suspicious scanning activity |
maliciousByScanningOfUnknownProcess |
Boolean |
Indicates whether the process performs network scans while it is not recognized as a legitimate program for such behavior |
Suspicious screen saver |
suspicionsScreenSaverEvidence |
Boolean |
Indicates whether there is evidence the process is a suspicious screensaver process. |
Suspicious screen saver |
suspiciousScreenSaver |
Boolean |
Indicates whether this process is a suspicious screensaver process |
Suspicious shadow copy deletion |
shadowCopyDeletionSuspicion |
Boolean |
Indicates whether the process maliciously deletes shadow copy files |
Suspicious System Volume Information path |
uncommonExecutionSysVolPathSuspicion |
Boolean |
Indicates whether the process is using an uncommon System Volume Information execution path or name |
Suspicious System Volume Information path evidence |
uncommonExecutionSysVolPathEvidence |
Boolean |
Indicates whether there is evidence that the process is using an uncommon System Volume Information execution path or name |
Suspicious Unresolved Domain DNS queries |
unresolvedQueryFromSuspiciousDomain |
Array |
Collection of the unresolved DNS queries associated with this process that accessed a domain that was classified as malicious by the Cybereason threat intelligence service |
svchost.exe loaded by non-SCM process |
svchostUnexpectedParentEvidence |
Boolean |
Indicates whether there is evidence the svchost process was not loaded directly by Windows SCM (Service Control Manager)
svchost.exe loaded by non-SCM process |
svchostUnsignedParentSuspicion |
Boolean |
Indicates whether a service was loaded by an unsigned parent and not directly by Windows SCM (Service Control Manager) |
System information discovery |
systemInformationDiscoverySuspicion |
Boolean |
Indicates wheter this process performed activities to learn information about the system on a machine |
System information discovery evidence |
systemInformationDiscoveryEvidence |
Boolean |
Indicates whether there is evidence this process is involved in system information discovery to obtain detailed information about a machine the operating system |
System network configuration discovery |
systemNetworkConfigurationDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is performing system network configuration discovery to obtain network configuration details and settings |
System network connections discovery |
systemNetworkConnectionsDiscoverySuspicion |
Boolean |
Indicates whether the process performed activities to discover information about system network connections |
System network connections discovery evidence |
systemNetworkConnectionsDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is performing system network connections discovery |
System owner or user discovery |
systemOwnerOrUserDiscoveryEvidence |
Boolean |
Indicates whether there is evidence this process is performing system owner or user discovery |
System services discovery |
servicesDiscoverySuspicion |
Boolean |
Indicates whether this process performed activities to discover information about services on a machine |
System services discovery evidence |
servicesDiscoveryEvidence |
Boolean |
Indicates whether there is evidence the process is performing a system services discovery |
System Tampering |
systemconfigSystemTamperingSuspicion |
Boolean |
Indicates that the device is compromised and cannot be trusted. System Tampering is a process of removing security limitations put in by the device manufacturer and indicates that the device is fully compromised and cannot longer be trusted |
System time discovery |
systemTimeDiscoveryEvidence |
Boolean |
Indicates whether there is evidence that the process attempted a system time discovery |
TCP scan |
scanTcpSuspicion |
Boolean |
Indicates there is a reconnaissance scan using the TCP protocol that is an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM |
Temporary folder location in process Cscript command line |
cscriptFileFromTempSuspicion |
Boolean |
Indicates that the command line for this process contains a temporary folder location |
Temporary folder location in process Cscript command line evidence |
cscriptFileFromTempEvidence |
Boolean |
Indicates there is evidence that the command line for this process contains a temporary folder location |
The process contains shellcode |
shellcodeInjectonEvidence |
Boolean |
Indicates whether there is evidence that this process runs injected code |
Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior |
appDownloadedFromThirdPartyStoreSuspicion |
Boolean |
Indicates there are apps from third party application stores. Third party application stores are applications that can download and install other applications and they might distribute malicious applications because those apps are not diligently tested against malicious behavior |
This process injected shellcode into the victim process |
shellcodeInjectorSuspicion |
Boolean |
Indicates whether this process injected shellcode into the victim process |
Thread ID |
tid |
Long |
The thread id for the process |
TOR browser use |
TorBrowserEvidence |
Boolean |
Indicates whether there is evidence this process uses a Tor browser |
TOR browser use on non-Windows machine |
TorBrowserEvidenceNonWindows |
Boolean |
Indicates whether this non-Windows process uses a Tor browser |
Total number of connections |
totalNumberOfConnections |
Integer |
The total number of connections associated with the process |
Total received bytes |
totalReceivedBytes |
Long |
The total amount of data received by the process |
Total transmitted bytes |
totalTransmittedBytes |
Long |
The total amount of data transmitted by the process |
Transmits high volume of data with injected code |
maliciousByHighVolumeDataTransmittedByInjectedProcess |
Boolean |
Indicates whether the process transmits high volumes of data while it is running an injected code |
UDP scan |
scanUdpSuspicion |
Boolean |
Indicates there is a reconnaissance scan using the UDP protocol that is oftentimes an indicator of a malicious attacker searching for a device vulnerable for a network attack such as MITM. |
UNC path |
uncPath |
Boolean |
Indicates whether the process path uses the Universal Naming Convention format |
UNC path with machine name |
uncPathEvidence |
Boolean |
Indicates whether there is evidence the path in the command line executing the process is a Uniform Naming Convention path that includes the name of the machine on which the process file is located |
Unexpected Audit Object Access - SAM file via Shadow Copy |
unexpectedAuditObjectAccessSamFileShadowCopyEvidence |
Boolean |
Indicates whether there is evidence that the process accessed an audited system resource - SAM file via shadow copy |
Unexpected service host behavior |
unexpectedBehaviourFromServiceHost |
Boolean |
Indicates whether this service host process has unexpected behavior |
Unexpected unsigned file |
unknownUnsignedBySigningCompany |
Boolean |
Indicates whether the process is executed by an unsigned file of company that usually signs its executable files |
Unknown process connects to known malware address |
accessToMalwareAddressByUnknownProcess |
Boolean |
Indicates whether the process connects to an address being used by malware |
Unknown process reputation |
unknownEvidence |
Boolean |
Indicates whether there is evidence the process is not known to reputation services |
Unresolved DNS queries from Non-existent Record |
unresolvedRecordNotExist |
Array |
Collection of DNS queries associated with this process that were not resolved because the record does not exist |
Unresolved DNS query to domain on blocklist |
hasUnresolvedQueryFromBlackListDomainEvidence |
Boolean |
Indicates whether is evidence the process received a DNS request that was unresolved from a domain on the blocklist |
Unresolved DNS query to malicious domain |
hasUnresolvedQueryFromSuspiciousDomainEvidence |
Boolean |
Indicates whether there is evidence the process created an unresolved DNS request to a malicious domain |
Unresolved domain DNS lookups |
unresolvedDnsQueriesFromDomain |
Array |
Collection of unresolved DNS queries associated with this process that failed looking up domain names |
Unresolved IP DNS lookups |
unresolvedDnsQueriesFromIp |
Array |
Collection of unresolved DNS queries associated with this process that failed looking up IP addresses |
Unsecured WiFi Network |
unsecuredWifiEvidence |
Boolean |
Indicates there is evidence of unsecured Wifi Networks are not protected by encryption or authentication protocols and are open to attackers |
Unsecured WiFi network |
unsecuredWifiEvidence |
Boolean |
Indicates that the device connected to an unsecured Wifi network. Unsecured Wifi Networks are not protected by encryption or authentication protocols and are open to attackers |
Unsigned and unknown process opened external connections |
unknownUnsignedWithWellKnownPortConnections |
Long |
Indicates whether the unsigned process is recognized by Cybereason and it creates external connections using a well-known port |
Unsigned and unknown process with suspicious extension |
unknownWithSuspiciousExtension |
Boolean |
Indicates whether the process is unsigned and has a suspicious extension |
Unsigned image file |
imageFileUnsignedEvidence |
Boolean |
Indicates whether the process image file is signed |
Unsigned image file despite signed version |
imageFileUnsignedHasSignedVersionEvidence |
Boolean |
Indicates whether there is evidence the process image file is signed and a signed version exists |
Unsigned process by company that signs processes |
rareUnsignedForCompany |
Boolean |
Indicates whether the process company name has a rare signature |
Unsigned version of signed image file |
unsignedWithSignedVersion |
Boolean |
Indicates whether the process file is unsigned while a signed version exists |
Unsigned version of signed module |
unsignedWithSignedVersionModule |
Boolean |
Indicates whether the process has an unsigned module when a signed version of the same module exists |
Unsigned with a signed version modules |
unsignedWithSignedVersionModules |
Array |
Collection of unsigned modules that have a signed version |
Untrusted profile suspicion |
profileUntrustedSuspicion |
Boolean |
Indicates there may be an untrusted profile on device. This untrusted profile could be used to control devices remotely, monitor and manipulate user activities, and/or hijack a users traffic |
Unusual access to password store files |
passwordsFileAccessByTextEditorSuspicion |
Boolean |
Indicates whether the process attempted to access a Linux password store file |
Unusual execution of rundll32.exe |
uncommonUseOfRundll32Suspicion |
Boolean |
Indicates whether the rundll32.exe OS process is suspected of being abused to execute a command or arbitrary code |
Unusual execution of rundll32.exe evidence |
uncommonUseOfRundll32Evidence |
Boolean |
Indicates whether there is evidence the rundll32.exe OS process was abused to execute a command or arbitrary code |
Unusual MSBuild behavior |
msbuildUnusualBehaviourEvidence |
Boolean |
Indicates whether there is evidence that this process is an MSBuild process that is exhibiting unusual behavior |
Unusual network connection |
toolWithUnusualNetworkEvidence |
Boolean |
Indicates whether there is evidence that there is an application with unusual network connection |
Unusual operating system process location |
signedOSProcessUnusualPathSuspicion |
Boolean |
Indicates whether this process is a signed OS process that is not running from its original location |
Unusual OS process location |
osProcessUnusualPathSuspicion |
Boolean |
Indicates whether that this process is an OS process that is not running from its original location |
Unusual OS process location evidence |
osProcessUnusualPathEvidence |
Boolean |
Indicates whether there is evidence this process is an OS process and is suspected of not running from its original location |
Unusual screen saver execution |
screenSaverNotExecutedByExplorerEvidence |
Boolean |
Indicates whether there is evidence the process is a screensaver process that was not executed by explorer.exe |
Unverified signature for image file |
imageFileUnverifiedEvidence |
Boolean |
Indicates whether there is evidence the process image file is not signed by a trusted signer |
Unwanted classification modules |
unwantedClassificationModules |
Array |
Collection of modules associated with this process that are classified as unwanted by the Cybereason threat intelligence service |
Use of domain generation algorithm |
dgaSuspicion |
Boolean |
Indicates whether the process uses a Domain Generation Algorithm to communicate with its Command & Control server |
Use of unsigned module |
hasModuleUnsignedWithSignedVersionEvidence |
Boolean |
Indicates whether a module of the process is not signed while a signed version of the same module exists |
Used sticky keys to rename file |
stickyKeysFileRenameSuspicion |
Boolean |
Indicates whether the process used the sticky keys feature to rename a file |
Used sticky keys to rename file evidence |
stickyKeysFileRenameEvidence |
Boolean |
Indicates whether there is evidence the process used the sticky keys feature to rename a file |
Used Windows RTL vulnerability |
rightToLeftFileExtensionEvidence |
Boolean |
Indicates whether there is evidence the process attempted to hide a file extension by exploiting the Windows right-to-left override vulnerability |
User |
user |
String |
The user executing the process |
User Context Modification Evidence |
LinuxUserContextModificationEvidence |
Boolean |
Indicates whether there is evidence the process attempted to set a file user access rights |
Uses non-default DNS server |
hasNonDefaultResolverEvidence |
Boolean |
Indicates whether there is evidence the resolver of the DNS request is the default resolver set to the machine |
Virtual memory read on LSASS encryption keys |
lsassEncryptionKeysReadSuspicion |
Boolean |
Indicates whether this process performed a read operation on the LSASS registry keys for encryption |
Well Known Port External Connections |
wellKnownPortConnections |
Array |
Collection of external connections associated with this process that are using a well-known port (lower than 1024) |
Windows accessibility feature masquerade |
accessibilityFeaturesAbusingSuspicion |
Boolean |
Indicates whether that the process is masquerading as a Windows accessibility feature |
Windows accessibility feature masquerade evidence |
accessibilityFeaturesAbusingEvidence |
Boolean |
Indicates whether there is evidence that the process is masquerading as a Windows accessibility feature |
WinRM code execution |
winRMCodeExecutionEvidence |
Boolean |
Indicates whether there is evidence the process is performing code execution using the Windows Remote Management service |
WMI Activities |
wmiActivities |
Array |
Collection of WMI activities performed by the process |
WMI Queries |
wmiQueryStrings |
String |
List of WMI queries run by this process |
Write action on samsrv.dll |
lsassSamsrvPatchSuspicion |
Boolean |
Indicates whether this processs performed a write action for the samsrv.dll file related to credential information |
Xcopy runs file from temp folder |
xcopyFileFromTempSuspicion |
Boolean |
Indicates whether XCopy is suspected of running files from a temporary folder which is known to be used by Java-based malware |
Xcopy runs file from temp folder evidence |
xcopyFileFromTempEvidence |
Boolean |
Indicates whether there is evidence that the XCopy process is running file from a temporary folder which is known to be used by Java-based malware |
Proxy (EDR)
Use these features to filter for Proxy Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Discovery type | discoveryType | Enum | The way the proxy was configured. Possible values include In the UI: / In the API: |
Has Malops | hasMalops | Boolean | Indicates whether or not the proxy is associated with any Malops. |
Has suspicions | hasSuspicions | Boolean | Indicates whether or not the proxy is associated with any Suspicions. |
Host | host | String | The host name of the domain for the proxy address. |
IP address | ipAddress | String | The IP address of the proxy. |
Port | port | Integer | The port of the proxy. |
Proxy name | elementDisplayName | String | The name of the proxy. |
URL of the PAC | pacUrl | String | The URL of the proxy auto-config file (PAC). |
Quarantine File (EDR)
Use these features to filter for Quarantine File Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
File name | elementDisplayName | String | The name of the quarantined file. |
Has Malops | hasMalops | Boolean | Indicates whether or not the quarantined file is associated with any Malops. |
Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the quarantined file is associated with any Suspicions. |
Machine | ownerMachine | String | The machine where the quarantine action was applied. |
MD5 signature | md5String | String | The file’s MD5 signature. |
Original file | file | String | The original version of the file that was quarantined. |
Quarantined file | quarantineFile | String | The quarantined version of the file created by a quarantine action. |
SHA1 Signature | sha1String | String | The file’s SHA1 signature. |
Registry Entry/Autorun (EDR)
Use these features to filter for Registry Entry Elements. Note that the API name for this Element is Autorun.
UI Name | API Name | Type | Description |
---|---|---|---|
Autorun JavaScript value | autorunJavascriptValueEvidence | Boolean | Indicates whether there is evidence that the registry entry contains JavaScript. |
File | file | String | The file linked to this registry entry. |
Is pointing to temporary folder | isPointingToTemp | Boolean | Indicates whether the registry entry points to a temporary folder. |
Machine | ownerMachine | String | The machine on which this registry entry is found. |
Rare registry key | rareAutorunNameByOsEvidence | Boolean | Indicates whether there is evidence this registry key is rare for this organization. |
Registry entry file | dependInFile | String | Name of the file associated with the registry entry. |
Registry entry JavaScript value | autorunJavascriptValueSuspicion | Boolean | Indicates whether the registry entry is suspected of containing JavaScript. |
Registry events | registryEvents | Array | Collection of registry events performed on this registry entry. |
Unusual file name for registry entry by operating system | rareAutorunFileNameByOsEvidence | Boolean | Indicates whether there is evidence that the file name for this registry entry is unusual for machines with the same operating system. |
Value | value | String | The value of this registry entry. |
Registry Event (EDR)
Use these features to filter for Registry Event Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Data for registry entry | data | String | The data in the registry entry associated with the registry event. |
Number of times for registry event | detectionTimesNumber | Integer | The number of times this event has been detected by the Cybereason platform. |
Registry event | elementDisplayName | String | The name of the registry event. |
First time event detected | firstTime | Integer (timestamp) | The first time the Cybereason platform detected this event. |
Is a CLSID | isCLSID | Boolean | Indicates whether or not the registry entry associated with the registry event is a CLSID. If the registry entry is a CLSID, the content displayed is the content of the CLSID (the referenced registry entry), with an indication that the registry entry is a CLSID. |
Owner machine | ownerMachine | String | The name of the machine on which the registry entry was found. |
Data type | registryDataType | Enum | The type of data used in the registry entry associated with the registry event. Possible values include: |
Registry entry | registryEntry | String | The registry location of the registry entry associated with this registry event. |
Registry entry type | registryEntryType | Enum | The type of registry entry. Possible values include: |
Operation type | registryOperationType | Enum | The type of operation performed on the registry entry associated with this registry event. Possible values include: |
Path to registry entry for event | registryPath | String | The path (registry key and value) to the registry key associated with this registry event. |
Process | registryProcess | String | The name of the process associated with this registry event and a link to the process. |
Timestamp | timestamp | Integer (timestamp) | The timestamp for the registry event. |
Remote Session (EDR)
Use these features to filter for Remote Session Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Client | client | String | The client network machine for this remote session. |
Client logon session | clientLogonSession | String | The logon session of the client for this remote session. |
Client machine | clientMachine | String | The machine name involved in this remote session. |
Client user | clientUser | String | The client user for this remote session. |
Has Suspicions | hasSuspicions | Boolean | Indicates whether the remote session is associated with any suspicions. |
Is pass the ticket | isPassTheTicket | Boolean | Indicates whether Cybereason identified credential passing activity in the remote session. |
Pass the ticket | passTheTicketEvidence | Boolean | Indicates whether the remote session was created using a stolen Kerberos ticket. |
Resource type | resourceType | String | The authentication protocol resource type used for the remote session. |
Server | server | String | The server network machine for this remote session. |
Server logon session | serverLogonSession | String | The logon session of the server for this remote session. |
Server machine | serverMachine | String | The name of the server machine associated with this remote session. |
Unauthorized credential usage | passTheTicketSuspicion | Boolean | Indicates whether the remote session was initialized using a Kerberos ticket that doesn’t belong to its original user. |
User | user | String | The user context opening this remote session. |
User and remote machine | elementDisplayName | String | The user and remote machine associated with the remote session. |
Resource (XDR)
Use these features to filter for the Resource Element:
UI Name | API Name | Type | Description |
---|---|---|---|
Events related with resource | relatedEvents | Collection | Collection of events associated with the resource. |
Product specific resource ID | id | String | The product-specific resource ID for the cloud asset. |
Resource name | name | String | The name for the cloud asset. |
Resource sub-type | subtype | String | The subtype for the resource. |
Resource type | type | Enum | The type of resource. Potential values include (but are not limited to) In the UI: / In the API: |
Parent resource | parent | String | The parent resource of this resource. |
Privacy level | privacy | String | The privacy level for the cloud asset. |
Role (XDR)
Use these features to filter for the Role Element:
UI Name | API Name | Type | Description |
---|---|---|---|
Role description | description | String | The description for this system role. |
Role name | name | String | The name for this system role. |
Role type | type | String | The type of system role. |
Scheduled Task (EDR)
Use these features to filter for Scheduled Task Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Author | author | String | The user that created this task. |
Automatic execution | automaticExecution | String | The automatic execution associated with this scheduled task. |
Enabled | enabled | Boolean | Indicates whether the scheduled task is enabled. |
Files | files | String | The list of files related to this scheduled task. |
Has Malops | hasMalops | Boolean | Indicates whether the scheduled task is associated with any Malops. |
Has Suspicions | hasSuspicions | Boolean | Indicates whether the scheduled task is associated with any suspicions. |
Last modified by | lastUpdatedBy | String | The last user to modify the task. |
Machine | ownerMachine | String | The machine from which the scheduled task is executed. |
Scheduled task actions | executableActions | Array | Collection of the actions associated with this scheduled task. |
Scheduled task name | elementDisplayName | String | The name of the scheduled task. |
Task state | state | Enum | The current state of the task. Possible values include In the UI: / In the API: |
Scheduled Task Action/Executable Task Action (EDR)
Use these features to filter for Scheduled Task Action Elements. Note the API name for this Element is ExecutableTaskAction.
UI Name | API Name | Type | Description |
---|---|---|---|
Action name | elementDisplayName | String | Name of the scheduled task action, including the path and arguments. |
Arguments | executableArguments | String | The arguments that are used when executing this action. |
Executable | fileInfo | String | The name of the executable file associated with this scheduled task action. |
Has Malops | hasMalops | Boolean | Indicates whether or not the scheduled task action is associated with any Malops. |
Has Suspicions | hasSuspicions | Boolean | Indicates whether the scheduled task action is associated with any suspicions. |
Path | executablePath | String | The path to the file that will be executed with this action. |
Service (EDR)
Use these features to filter for Service Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Automatic execution | automaticExecution | Array | Collection of automatic executions associated with this service. |
Binary file | binaryFile | String | The binary file associated with this service. |
Binary file was changed | binaryFileChangedEvidence | Boolean | Indicates whether there is evidence the binary file associated with this service was changed |
Command line arguments | commandLineArguments | String | The command line arguments of the service process execution |
Description | description | String | The description of the service |
Display name | displayName | String | The name displayed for the service |
Driver | driver | String | The driver associated with this service |
Has Malops | hasMalops | Boolean | Indicates whether or not the service is associated with any Malops |
Has Suspicions | hasSuspicions | Boolean | Indicates whether or not the service is associated with any Suspicions |
Is active | isActive | Boolean | Indicates whether the service is active |
Is auto restart | isAutoRestartService | Boolean | Indicates whether the service is an auto restart service |
Is new server | newService | Boolean | Indicates whether the service is new |
Is system process | isSystemProcess | Boolean | Indicates whether the service is associated with a system user |
Last binary file | oldBinaryFile | String | The last binary file associated with this service |
Last service start user | oldServiceStartName | String | The last account name the service process used to log in when it ran. |
Machine | ownerMachine | String | The machine on which this service is running |
Microsoft PsExec service | psexecServiceNameEvidence | Boolean | Indicates whether there is evidence the service is a Microsoft PsExec service |
New service | newServiceEvidence | Boolean | Indicates whether there is evidence the service is new for the organization |
Rare active service | rareActiveServiceEvidence | Boolean | Indicates whether there is evidence the service is active when it is usually disabled |
Rare disable service | rareDisableServiceEvidence | Boolean | Indicates whether there is evidence the service is disabled when it is usually active |
Rare service | rareServiceEvidence | Boolean | Indicates whether there is evidence the service is unusual in the organization |
Rare start type | rareStartTypeEvidence | Boolean | Indicates whether there is evidence the service start type is unusual for the service. |
Service name | elementDisplayName | String | The name of the service |
Service start name | serviceStartName | String | The account name the service process will use to log in when it runs |
Service start name was changed | serviceStartNameChangedEvidence | Boolean | Indicates whether there is evidence that the service process changed the service start name |
Service state | serviceState | Enum | The state of the service. Possible values include In the UI: / In the API: |
Service sub-state | serviceSubState | Enum | The sub-state of the service. Possible values include In the UI: / In the API: |
Service type | serviceType | Enum | The type of service. Possible values include In the UI: / In the API: |
Start type | startType | Enum | The manner of starting the service. Possible values include In the UI: / In the API: |
User/User Account (EDR and XDR)
Note
In versions 21.2.84 and later, in the Investigation screen, this Element is renamed User Account.
Use these features to filter for User Account Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Account type | accountType | String | The type of user account. Possible values include In the UI: / In the API: |
Account provider | accountProvider | String | The entity to which the user account belongs |
Account status | accountStatus | Enum | The status of this user account. Possible values include In the UI: / In the API: |
Active Directory SID | adSid | String | The SID associated with this user according to Active Directory information |
Active Directory text country | adTextCountry | String | Text country associated with this user according to Active Directory information |
Assigned user roles | roles | Collection | A list of the roles for this user account |
Associated domain | adAssociatedDomain | String | Domain associated with this user according to Active Directory information |
Associated email addresses | emailAddresses | Collection | A list of the email addresses associated with this user account |
Company | adCompany | String | Company associated with this user according to Active Directory information |
Country | adCountry | String | Country associated with this user according to Active Directory information |
Department | department | String | The department for the user |
Department | adDepartments | Array | A collection of the departments associated with this user account according to Active Directory information |
Domain | domain | String | The domain of the user (or the computer name if a local user) |
DomainUser Name | elementDisplayName | String | Complete user name containing the domain (or local machine) and the user name |
Downloaded processes count | downloadedProcessesCount | Integer | The number of processes the user downloaded from the Internet |
Email address | adMail | String | User’s email address according to Active Directory information |
Employee Number | employeeNumber | String | The employee number for the user associated with this user account |
Groups for user | groups | Collection | List of groups to which this account belongs |
Has malicious process | hasMaliciousProcess | Boolean | Indicates whether the user executed a malicious process |
Has Malops | hasMalops | Boolean | Indicates whether or not the user is associated with any Malops |
Has Suspicions | hasSuspicions | Boolean | Indicates whether the user is associated with any Suspicions |
Has unusual process with external connections | hasRareProcessWithExternalConnections | Boolean | Indicates whether the user executed an unusual process with external connections |
High number of downloaded processes | highNumberOfDownloadedProcessesEvidence | Boolean | Indicates whether the user executed multiple processes that were downloaded from the Internet |
High number of machines | highNumberOfMachinesEvidence | Boolean | Indicates whether there is evidence the user was logged in to multiple machines |
High number of new processes | highNumberOfNewProcessesEvidence | Boolean | Indicates whether there is evidence the user executed multiple processes for the first time in the organization |
Irregular time of day activity | irregularActivityHourEndTimeEvidence | Boolean | Indicates whether there is evidence the user’s end time occurred outside normal working hours |
Is admin | isAdmin | Boolean | Indicates whether the user is an administrator |
Is domain user | isDomainUser | Boolean | Indicates whether the specified user account is a domain user account |
Is suspicious | isSuspicious | Boolean | Indicates whether the user is associated with any suspicions |
Is system or root | isSystemOrRoot | Boolean | Indicates whether the user is a local system or root user |
Launched suspicious process outside normal hours | hasSuspiciousProcessByUserInIrregularHoursEvidence | Boolean | Indicates whether there is evidence the user ran a malicious process outside normal working hours |
Last Machine Logged in to | ownerMachine | String | The last machine to which the user was logged in |
Local system | isLocalSystem | Boolean | Indicates whether or not the user is a local system user |
Logon name | adLogonName | String | The logon name for this user according to Active Directory information |
Member of | adMemberOf | String | Groups this user is a member of according to Active Directory information |
New IT tool for user | newAdminToolForUserEvidence | Boolean | Indicates whether there is evidence the user ran a tool with IT characteristics for the first time |
New process count | newProcessesCount | Integer | The number of new processes the user executed |
Number of machines | numberOfMachines | Integer | The number of machines to which the user logged in |
Organization | ownerOrganization | String | The organization to which the user belongs |
Organizational unit (OU) | adOU | String | Organizational units of which this user is a member according to Active Directory information |
Password age in days | passwordAgeDays | Integer | The number of days since the last change of the user’s password according to Active Directory information |
Primary group ID | adPrimaryGroupID | String | The ID of the user’s primary group according to Active Directory information |
Privileges | privileges | Array | The privilege level of the user. Possible values include In the UI: / In the API: |
Product-specific ID for account | sid | String | A product-specific identifier for this user account |
Running IT tool | runningPowerToolEvidence | Boolean | Indicates whether there is evidence the user executed a process identified as an IT tool |
Running malicious process | runningMaliciousProcessEvidence | Boolean | Indicates whether the user ran a malicious process |
Running rare process with external connections | runningRareProcessWithExternalConnectionsEvidence | Boolean | Indicates whether there is evidence the user executed a rare process that connected to an external IP address |
Running suspicious process | hasSuspiciousProcess | Boolean | Indicates whether the user ever executed suspicious processes |
SAM account name | adSamAccountName | String | The SAM account name associated with this user according to Active Directory information. |
Security identifier (SID) | sid | String | The user’s immutable identifier |
Source user account for event | eventSourceUser | String | The user account associated with an event |
Target user account for event | eventTargetUser | String | The user account that was targeted in an event |
Title |
adTitle |
String |
The user’s title according to Active Directory information |
Trespassing user by suspicious activity |
trespassingUserBySuspiciousActivitySuspicion |
Boolean |
Indicates whether the user performed suspicious activities during irregular hours and is therefore suspected of trespassing |
User authentication status |
status |
Enum |
The authentication status for the user. Potential values include (but are not limited to):
|
User canonical name |
adCanonicalName |
String |
Canonical name for this user according to Active Directory information |
User creation time |
adCreated |
String |
The time the user account was created according to Active Directory data |
User display name |
adDisplayName |
String |
Display name for this user according to Active Directory information |
User display name |
displayName |
String |
The display name for the user account |
User FQDN |
fqdn |
String |
The fully qualified domain name (FQDN) for the user account |
User identity name |
identity |
String |
The user identity associated with this user account |
User name |
username |
String |
The name of the user |
User Phone Numbers |
phoneNumbers |
String |
The phone numbers associated with this user account |
User title |
title |
String |
The title for the user associated with this user account. |
User to admin |
privilegesChangeFromUserToAdmin |
Boolean |
Indicates whether the user changed their privileges from standard user to administrator |
Using power tool |
hasPowerTool |
Boolean |
Indicates whether the user ever executed a power tool |
User Identity (XDR)
Use these features to filter for User Identity Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Identity aliases | aliases | Array | A collection of aliases associated with this user identity. |
Source user identity for event | eventSourceUserIdentity | String | The user identity associated with an event. |
Target user identity for event | eventTargetUserIdentity | String | The user identity that was the target of an event. |
User accounts | accounts | Collection | A list of the user accounts associated with this user identity. |
User ID | id | String | The unique identifier for this user identity. |
User names | displayNames | Collection | A list of the user names for this user identity. |
WMI Persistent Object (EDR)
Use these features to filter for WMI Persistent Object Elements:
UI Name | API Name | Type | Description |
---|---|---|---|
Client IP Address | clientIP | Array | Collection of IP addresses of the client that has connected to WMI. |
Client Machine | clientMachine | String | The machine of the client that has connected to WMI. |
Client Network Machine | clientNetworkMachine | String | The network machine of the client that has connected to WMI. |
Client PID | clientPid | Long | The PID of the client process that has connected to WMI. Can be a remote or local process. |
Consumer Action | consumerAction | String | The action to perform with the WMI Persistent object when the query is fulfilled. |
Consumer File Path | consumerFilePath | String | The path to the file when the Cybereason platform is unable to find the file associated with the consumer action. This Feature is available from version 21.2.43 and higher. |
Consumer Image File | consumerImageFile | String | The name of the file associated with the consumer action. This Feature is available from version 21.2.43 and higher. |
Consumer Name | consumerName | String | The name of the consumer running the WMI Persistent object. |
Creating process | creatingProc | String | The name of the process that created this WMI persistent object. |
Filter Name | filterName | String | The name of the filter used for the WMI Persistent object. |
Filter Query | fiterQuery | String | The string used in the query for the WMI Persistent object. |
Owner machine | ownerMachine | String | The name of the machine on which this WMI persistent object is found. |
Persistent type | persistenceType | String | The type of WMI persistent object. |
Script engine | scriptEngine | String | The script engine that created the WMI persistent object. This Feature is available from version 21.2.43 and higher. |
User | user | String | The user that performed the activity. |
WMI Activity | wmiActivity | Array | Collection of WMI activity associated with the WMI Persistent Object. |
WMI Persistent Object | elementDisplayName | String | The name of the WMI Persistent object. |