This article describes the system event types that are registered when the Endpoint Protection Platform (EPP) technology is used (see the table below).

System event types registered using the Endpoint Protection Platform (EPP) technology

In the description of every event type in this table except 4000005513, the $epp_event_description variable is substituted with the information received from the EPP application.
| Code | Event type title | Conditions for registration |
|---|---|---|
| 4000005500 | Activity specific for network attacks | The integration server received information about the triggering of the Network Threat Protection component of an EPP application. |
| 4000005501 | Connection of an untrusted external device | The integration server received information about the triggering of the Device Control component of an EPP application. |
| 4000005502 | Attempt to run an unauthorized or untrusted application | The integration server received information about the triggering of the Device Control component of an EPP application. |
| 4000005503 | Prohibited file operation in the specified monitoring scope | The integration server received information about the triggering of the File Integrity Monitor component of an EPP application. |
| 4000005504 | Files in the specified monitoring scope are modified | The integration server received information about the triggering of the Baseline File Integrity Monitor component of an EPP application. |
| 4000005505 | Network connection not allowed by firewall rules | The integration server received information about the triggering of the Firewall Management component of an EPP application. |
| 4000005506 | System registry modifications in the specified monitoring scope | The integration server received information about the triggering of the Registry Access Monitor component of an EPP application. |
| 4000005507 | Log analysis rule was triggered | The integration server received information about the triggering of the Log Inspection component of an EPP application. |
| 4000005508 | Attempt to exploit a vulnerability in a protected process | The integration server received information about the triggering of the Exploit Protection component of an EPP application. |
| 4000005509 | Attempt to maliciously encrypt network file resources | The integration server received information about the triggering of the Anti-Cryptor component of an EPP application. |
| 4000005510 | Attempt to connect to a Wi-Fi network | The integration server received information about the triggering of the Wi-Fi Control component of an EPP application. |
| 4000005512 | Infected or probably infected object was detected | The integration server received information about the triggering of the Real-Time File Protection component of an EPP application. |
| 4000005513 | Sigma rule $sigmaAlertTitle triggered | The integration server received data about a Sigma rule of the Endpoint Agent component being triggered. The following variables are used in the title and description of the event type: |