Kaspersky Anti Targeted Attack Platform
Event search criteria
You can use the following criteria to search for events in builder mode:
- General information:
  - Host is the host name.
  - HostIP is the IP address of the host.
  - EventType is the type of the event.
  - UserName is the name of the user.
  - OsFamily is the family of the operating system.
  - OsVersion is the version of the operating system running on the host.
- TAA properties:
  - IOAId is the TAA (IOA) rule ID.
  - IOATag is the information about the results of file analysis using the Targeted Attack Analyzer technology: the name of the TAA (IOA) rule that was used to create the alert.
  - IOATechnique is the MITRE technique.
  - IOATactics is the MITRE tactic.
  - IOAImportance is the importance level assigned to an event generated by this TAA (IOA) rule.
  - IOAConfidence is the level of confidence, which depends on the likelihood of false alarms caused by the rule.
- File properties:
  - CreationTime is the event creation time.
  - FileName is the name of the file.
  - FilePath is the path to the directory where the file is located.
  - FileFullName is the full path to the file, including the directory path and the file name.
  - ModificationTime is the file modification time.
  - FileSize is the size of the file.
  - MD5 is the MD5 hash of the file.
  - SHA256 is the SHA256 hash of the file.
  - SimilarDLLPath is the path of a (potentially malicious) DLL placed in a directory on the standard search path so that the operating system loads it before the original DLL.
- Linux processes:
  - LogonRemoteHost is the IP address of the host that initiated remote access.
  - RealUserName is the name of the user assigned when the user was registered in the system.
  - EffectiveUserName is the user name that was used to log in to the system.
  - FileOwnerUserName is the name of the file owner.
  - RealGroupName is the name of the user group.
  - EffectiveGroupName is the name of the user group that is used for the operation.
  - Environment is the set of system environment variables.
  - ProcessType is the type of the process.
  - OperationResult is the result of the operation.
- Process started:
  - PID is the process ID.
  - ParentFileFullName is the path to the parent process file.
  - ParentMD5 is the MD5 hash of the parent process file.
  - ParentSHA256 is the SHA256 hash of the parent process file.
  - StartupParameters is the set of options that the process was started with.
  - ParentPID is the parent process ID.
  - ParentStartupParameters is the set of options that the parent process was started with.
- Remote connection:
  - HTTPMethod is the HTTP request method, for example GET, POST, or CONNECT.
  - ConnectionDirection is the direction of the connection (inbound or outbound).
  - LocalIP is the IP address of the local computer from which the remote connection attempt was made.
  - LocalPort is the port on the local computer from which the remote connection attempt was made.
  - RemoteHostName is the name of the computer that was the target of the remote connection attempt.
  - RemoteIP is the IP address of the computer that was the target of the remote connection attempt.
  - RemotePort is the port of the computer that was the target of the remote connection attempt.
  - URL is the address of the resource to which the HTTP request was made.
  - TlsVersion is the version of the TLS protocol.
  - TlsSni is the Server Name Indication, that is, the name of the resource to which the connection is being established.
  - TlsCertificateMd5 is the MD5 hash of the TLS certificate.
  - TlsCertificateSha1 is the SHA1 hash of the TLS certificate.
  - TlsCertificateSubjectNames are the primary and secondary DNS names in the certificate.
  - TlsCertificateIssuerName is the name of the organization that issued the certificate.
  - TlsCertificateSerialNumber is the serial number of the certificate.
  - TlsCertificateCheckResult is the certificate verification result.
  - TlsCipherSuite is the set of cipher suites negotiated for the TLS connection.
  - TlsCertificateValidFrom is the date from which the certificate is valid.
  - TlsCertificateValidTo is the date after which the certificate expires.
- DNS:
  - DnsServerIpAddress is the IP address of the DNS server.
  - DnsQueryDomainName is the domain name from the request.
  - DnsAnswerData is the response data.
  - DnsQueryTypeId is the record type ID.
- LDAP:
  - LDAPSearchFilter is the search filter.
  - LDAPSearchDistinguishedName is the distinguished name.
  - LDAPSearchAttributeList is the list of search attributes.
  - LDAPSearchScope is the search scope.
- Named pipe:
  - PipeName is the name of the named pipe.
  - PipeOperationType is the type of the operation performed on the named pipe.
- WMI:
  - WmiOperationType is the WMI operation type: WMI activity or WMI event consumer name.
  - WmiHostName is the name of the machine.
  - WmiUserName is the user name.
  - WmiNamespaceName is the namespace.
  - WmiQuery is the text of the query.
  - WmiFilterName is the event filter.
  - WmiConsumerName is the name of the event consumer.
  - WmiConsumerText is the source code of the event consumer.
- Registry modified:
  - RegistryKey is the registry key.
  - RegistryValueName is the name of the registry value.
  - RegistryValue is the data of the registry value.
  - RegistryOperationType is the type of the operation performed on the registry.
  - RegistryPreviousKey is the previous registry key.
  - RegistryPreviousValue is the previous name of the registry value.
- System event log:
  - WinLogEventID is the type ID of the security event in the Windows log.
  - LinuxEventType is the type of the event. This criterion is used for Linux and macOS operating systems.
  - WinLogName is the name of the log.
  - WinLogEventRecordID is the log entry ID.
  - WinLogProviderName is the ID of the system that logged the event.
  - WinLogTargetDomainName is the domain name of the remote computer.
  - WinLogObjectName is the name of the object that initiated the event.
  - WinlogPackageName is the name of the package that initiated the event.
  - WinLogProcessName is the name of the process that initiated the event.
- Detect and processing result:
  - DetectName is the name of the detected object.
  - RecordID is the ID of the triggered rule.
  - ProcessingMode is the scanning mode.
  - ObjectName is the name of the object.
  - ObjectType is the type of the object.
  - ThreatStatus is the detection mode.
  - UntreatedReason is the event processing status.
  - ObjectContent (also for AMSI events) is the content of the script sent for scanning.
  - ObjectContentType (also for AMSI events) is the type of the script content.
- Console interactive input:
  - InteractiveInputText is the text entered on the command line.
  - InteractiveInputType is the input type (console or pipe).
- File modified:
  - FileOperationType is the type of the file operation.
  - FilePreviousPath is the path to the directory where the file was previously located.
  - FilePreviousName is the previous name of the file.
  - FilePreviousFullName is the previous full name of the file, that is, the path to the directory where the file was previously located and/or the previous file name.
  - DroppedFileType is the type of the modified file.
- Code injection and process access:
  - AccessMethod is the access method.
  - InjectAddress is the address in the address space of the recipient process.
  - InjectedDllName is the name of the injected DLL.
  - ModifiedStartupParameters are the modified startup parameters.
  - InjectedDllPath is the path to the injected DLL.
  - CallTrace is the call trace.
  - TargetStartupParameters is the command that was used to start the recipient process.
- Process access:
  - AccessOperationType is the operation type: process open or handle duplication.
  - ProccessAccessRights are the requested process access rights.
  - HandleSourceStartupParameters is the command that started the process owning the source handle.
  - HandletargetStartupParameters is the command that started the process owning the target handle.
- Other:
  - File type is the type of the file.
  - TlsJa3Md5 is the MD5 hash of the JA3 string, which is built from the decimal values of the following ClientHello fields: TLS version, cipher suites, list of TLS protocol extensions, elliptic curves, and elliptic curve point formats.
  - TlsJa3sMd5 is the MD5 hash of the JA3S string, which is built from the decimal values of the following ServerHello fields: TLS version, cipher suite, and list of TLS protocol extensions.
  - DotNetAssemblyName is the name of the .NET assembly.
  - DotNetAssemblyFlags contains the .NET assembly flags.
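The TlsJa3Md5 and TlsJa3sMd5 criteria above are the only fields whose value is derived rather than copied from the event, so it helps to see how such a value is produced. The following added Python example is not Kaspersky's code; it implements the published JA3/JA3S fingerprinting scheme (comma-separated fields, dash-separated decimal values, GREASE placeholders dropped, MD5 of the result) on constructed ClientHello/ServerHello field lists, and shows that a fingerprint computed from a packet capture can be compared directly with the value stored in the TlsJa3Md5 search field. The sample field values, the event record and the watchlist are constructed for the example; the field names are taken from the list above.

```python
import hashlib
from typing import Dict, Iterable, Sequence


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) such as 0x0a0a, 0x1a1a, ... 0xfafa are random
    placeholders a client may insert into ClientHello lists; JA3 drops them so
    the fingerprint of one client stays stable across connections."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values: Iterable[int]) -> str:
    """Dash-separated decimal values in their original order, GREASE removed.
    An empty list yields an empty field, as the JA3 specification requires."""
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """JA3 = TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3s_string(version: int, cipher: int, extensions: Sequence[int]) -> str:
    """JA3S = TLSVersion,Cipher,Extensions (the server picks one cipher)."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("ascii")).hexdigest()


def ja3_md5(**fields) -> str:
    return md5_hex(ja3_string(**fields))


def ja3s_md5(**fields) -> str:
    return md5_hex(ja3s_string(**fields))


# Constructed ClientHello values (not captured from a real client):
# TLS 1.2 record version 0x0303 = 771; the 0x1a1a/0x2a2a/0x3a3a entries are GREASE.
SAMPLE_CLIENT_HELLO = dict(
    version=771,
    ciphers=[0x1A1A, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 18, 51, 45, 43, 27],
    curves=[0x3A3A, 29, 23, 24],
    point_formats=[0],
)

# Constructed ServerHello values: TLS 1.3 handshake, cipher 0x1301, extensions 43 and 51.
SAMPLE_SERVER_HELLO = dict(version=771, cipher=4865, extensions=[43, 51])

# Constructed event record using the search field names from the list above.
SAMPLE_EVENT: Dict[str, str] = {
    "EventType": "Remote connection",
    "Host": "ws-example-01",
    "RemoteIP": "203.0.113.10",
    "TlsJa3Md5": ja3_md5(**SAMPLE_CLIENT_HELLO),
    "TlsJa3sMd5": ja3s_md5(**SAMPLE_SERVER_HELLO),
}


def event_matches_watchlist(event: Dict[str, str], ja3_watchlist: Iterable[str]) -> bool:
    """Defender-side check: does the event's stored JA3 hash appear in a list of
    client fingerprints an analyst wants to be alerted on? Comparison is
    case-insensitive because hex digests may be stored in either case."""
    wanted = {h.lower() for h in ja3_watchlist}
    return event.get("TlsJa3Md5", "").lower() in wanted


if __name__ == "__main__":
    print("JA3 string :", ja3_string(**SAMPLE_CLIENT_HELLO))
    print("TlsJa3Md5  :", SAMPLE_EVENT["TlsJa3Md5"])
    print("JA3S string:", ja3s_string(**SAMPLE_SERVER_HELLO))
    print("TlsJa3sMd5 :", SAMPLE_EVENT["TlsJa3sMd5"])
    # Constructed watchlist containing the sample fingerprint itself.
    print("watchlist hit:", event_matches_watchlist(SAMPLE_EVENT, [SAMPLE_EVENT["TlsJa3Md5"]]))
```

Because GREASE values are removed before hashing, the same client produces the same TlsJa3Md5 even though it randomizes those placeholders on every connection; a fingerprint computed from a capture with a different tool will only agree with the platform's field if it applies the same stripping and the same decimal formatting.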
To view the list of event search fields in source code mode, you can download this file.