System event types of the Endpoint Protection Platform technology

This article describes the system event types of the Endpoint Protection Platform (see the table below).

System event type using the Endpoint Protection Platform (EPP) technology

Code

Event type title

Conditions for registration

4000005500

Activity specific for network attacks

The integration server received information about the triggering of the Network Threat Protection component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005501

Connection of an untrusted external device

The integration server received information about the triggering of the Device Control component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005502

Attempt to run an unauthorized or untrusted application

The integration server received information about the triggering of the Device Control component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005503

Prohibited file operation in the specified monitoring scope

The integration server received information about the triggering of the File Integrity Monitor component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005504

Files in the specified monitoring scope are modified

The integration server received information about the triggering of the Baseline File Integrity Monitor component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005505

Network connection not allowed by firewall rules

The integration server received information about the triggering of the Firewall Management component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005506

System registry modifications in the specified monitoring scope

The integration server received information about the triggering of the Registry Access Monitor component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005507

Log analysis rule was triggered

The integration server received information about the triggering of the Log Inspection component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005508

Attempt to exploit a vulnerability in a protected process

The integration server received information about the triggering of the Exploit Protection component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005509

Attempt to maliciously encrypt network file resources

The integration server received information about the triggering of the Anti-Cryptor component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005510

Attempt to connect to a Wi-Fi network

The integration server received information about the triggering of the Wi-Fi Control component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005512

Infected or probably infected object was detected

The integration server received information about the triggering of the Real-Time File Protection component of an EPP application.

In the description of the event type, the $epp_event_description variable is used for the information from the EPP application.

4000005513

Sigma rule $sigmaAlertTitle triggered

The integration server received data about an Endpoint Agent component Sigma rule being triggered.

The following variables are used in the title and description of the event type:

  • $sigmaAlertTitle: Sigma rule name
  • $sigma_detection_type: detection technology
  • $sigma_object_type: the type of object that triggered the Sigma rule
  • $sigma_object_name: the name of object that triggered the Sigma rule or the name of the first triggered Sigma rule
  • $sigma_status: detection status
Page top