
Security Telemetry events sent to SIEM

This section describes the fields that the security agent (BEST) sends to the SIEM solution (Splunk) for each security telemetry event. The fields are grouped by event type.

Process create

Field name

Description

cmdline

The command line that started the process.

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

elevation

The numeric ID associated with the elevation level of the process

elevation_sz

Indicates whether the process ran with elevated privileges. Possible values:

  • elevated

  • restricted

event_name

The event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

integrity

The numeric ID associated with the integrity level

integrity_sz

The process integrity level. Possible values:

  • untrusted

  • low

  • medium

  • high

  • system

These values correspond to the Windows mandatory integrity control (MIC) levels Untrusted, Low, Medium, High, and System.

machine_name

The host name

mitre_ids

This field lists the MITRE ATT&CK techniques mapped to the event, with the following information for each technique:

  • name - The technique name, as documented on the official MITRE ATT&CK website. For example: Command and Scripting Interpreter.

  • id - The technique ID, as documented on the official MITRE ATT&CK website. For example: T1074.

  • subtechniques - The sub-techniques of the technique, each with the following information:

    • name - The sub-technique name

    • id - The sub-technique ID. For example: T1595.002.

  • categories - The ATT&CK tactics that the technique belongs to. Tactics are the ATT&CK mapping of kill chain phases.

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

parent_cmdline

The command line that started the parent process.

parent_elevation

The numeric ID associated with the elevation level of the parent process

parent_elevation_sz

Indicates whether the parent process ran with elevated privileges. Possible values:

  • elevated

  • restricted

parent_integrity

The numeric ID associated with the integrity level of the parent process

parent_integrity_sz

The integrity level of the parent process. Possible values:

  • untrusted

  • low

  • medium

  • high

  • system

These values correspond to the Windows mandatory integrity control (MIC) levels Untrusted, Low, Medium, High, and System.

parent_pid

The parent process identifier

parent_process_path

The file path of the parent process

parent_user_name

The username listed for the parent process

pid

The process identifier

process_md5

The MD5 hash of the process

process_path

The process path

process_sha

The SHA256 hash of the process

product_version

BEST product version

user_name

The user who started the process.

user_sid

The ID associated with the user account that started the process.
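The integrity and elevation pairs, the parent/child fields and mitre_ids are most useful when evaluated together rather than one at a time. The following Python is an added example, not Bitdefender code, of a small triage pass over process-create events: it flattens mitre_ids into technique and sub-technique IDs, flags a child that runs at a higher integrity level than its parent, and flags an Office application spawning a script host. It assumes each event is a dict keyed by the field names above and that mitre_ids is a list of objects with name, id, subtechniques and categories (the page does not state the serialization); the sample events are constructed, and the process name lists and the function names (attack_ids, integrity_jump, triage) are illustrative choices for this example.

```python
"""Triage of "Process create" telemetry (added example, not Bitdefender code).

Assumptions not stated on the page: each event is a dict whose keys are the
field names in the table above, and mitre_ids is a list of technique objects
shaped {"name", "id", "subtechniques": [{"name", "id"}], "categories": [...]}.
"""

# Windows mandatory integrity levels, ordered from lowest to highest.
INTEGRITY_RANK = {"untrusted": 0, "low": 1, "medium": 2, "high": 3, "system": 4}

# Illustrative lists: Office applications rarely have a legitimate reason to spawn these.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def attack_ids(event):
    """Flatten mitre_ids into a sorted list of technique and sub-technique IDs."""
    ids = set()
    for tech in event.get("mitre_ids") or []:
        if tech.get("id"):
            ids.add(tech["id"])
        for sub in tech.get("subtechniques") or []:
            if sub.get("id"):
                ids.add(sub["id"])
    return sorted(ids)


def integrity_jump(event):
    """True when the child runs at a higher integrity level than its parent.

    A medium -> high jump is normal for a UAC-consented launch, so this is a
    triage signal rather than an alert on its own; it gets interesting when the
    parent is not an interactive shell (explorer.exe) or a known installer.
    """
    child = INTEGRITY_RANK.get(event.get("integrity_sz"))
    parent = INTEGRITY_RANK.get(event.get("parent_integrity_sz"))
    return child is not None and parent is not None and child > parent


def office_spawns_script_host(event):
    """Office application launching a script host: the classic macro phishing chain."""
    return (_basename(event.get("parent_process_path", "")) in OFFICE_PARENTS
            and _basename(event.get("process_path", "")) in SCRIPT_HOSTS)


def triage(events):
    """Return (hardware_id, pid, process_path, reasons) for every event worth a look."""
    findings = []
    for ev in events:
        reasons = []
        if office_spawns_script_host(ev):
            reasons.append("office application spawned a script host")
        if integrity_jump(ev):
            reasons.append(f"integrity {ev['parent_integrity_sz']} -> {ev['integrity_sz']}")
        ids = attack_ids(ev)
        if ids:
            reasons.append("ATT&CK " + ",".join(ids))
        if reasons:
            findings.append((ev.get("hardware_id"), ev.get("pid"), ev.get("process_path"), reasons))
    return findings


# Constructed sample events (not real telemetry); only the fields used above are filled in.
SAMPLE_EVENTS = [
    {"hardware_id": "ep-01", "pid": 4100,
     "process_path": "C:\\Windows\\System32\\notepad.exe",
     "parent_process_path": "C:\\Windows\\explorer.exe",
     "integrity_sz": "medium", "parent_integrity_sz": "medium",
     "elevation_sz": "restricted", "parent_elevation_sz": "restricted", "mitre_ids": []},
    {"hardware_id": "ep-01", "pid": 4188,
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_process_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "integrity_sz": "medium", "parent_integrity_sz": "medium",
     "elevation_sz": "restricted", "parent_elevation_sz": "restricted",
     "mitre_ids": [{"name": "Command and Scripting Interpreter", "id": "T1059",
                    "subtechniques": [{"name": "PowerShell", "id": "T1059.001"}],
                    "categories": ["execution"]}]},
    {"hardware_id": "ep-02", "pid": 5020,
     "process_path": "C:\\Windows\\System32\\cmd.exe",
     "parent_process_path": "C:\\Users\\alice\\Downloads\\setup.exe",
     "integrity_sz": "high", "parent_integrity_sz": "medium",
     "elevation_sz": "elevated", "parent_elevation_sz": "restricted", "mitre_ids": []},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The integrity comparison deliberately uses the `_sz` fields rather than the numeric `integrity` field, because the page documents the string values but not the numeric encoding. Running the block prints two findings: the Word-to-PowerShell chain with its ATT&CK IDs, and the medium-to-high jump from a downloaded installer.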

Terminate process

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

machine_name

The host name

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

pid

The process identifier

product_version

BEST product version

Network connection

Field name

Description

bytes_sent

The number of bytes sent by the source endpoint

bytes_received

The number of bytes received by the destination endpoint

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

direction

Indicates where the network connection originated, whether it was inbound or outbound.

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

ip_dest

The destination IP address

ip_source

The source IP address

machine_name

The host name

operation

Indicates the type of network operation performed. For example: connect, disconnect.

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

pid

The process identifier

port_dest

The destination port

port_source

The source port

process_path

The process path

product_version

BEST product version

Logon

To receive logon events, you must first enable the Audit Logon policy on the endpoint. On Windows this is the Advanced Audit Policy Configuration subcategory Logon/Logoff > Audit Logon; enable at least Success auditing, otherwise Windows generates no logon audit events for the agent to report.

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

ip_source

The source IP address

logon_type

The ID associated with the logon type. Possible values:

  • 0: correlates with system logon type

  • 2: correlates with interactive logon type

  • 3: correlates with network logon type

  • 4: correlates with batch logon type

  • 5: correlates with service logon type

  • 7: correlates with unlock logon type

  • 8: correlates with networkcleartext logon type

  • 9: correlates with newcredentials logon type

  • 10: correlates with remoteinteractive logon type

  • 11: correlates with cachedinteractive logon type

  • 12: correlates with cachedremoteinteractive logon type

  • 13: correlates with cachedunlock logon type

  • 255: correlates with invalid logon type

logon_type_sz

The type of login. Possible values:

  • system

  • interactive

  • network

  • batch

  • service

  • unlock

  • networkcleartext

  • newcredentials

  • remoteinteractive

  • cachedinteractive

  • cachedremoteinteractive

  • cachedunlock

  • invalid

To learn more about these logon types, refer to Logon types and descriptions.

machine_name

The host name

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

product_version

BEST product version

user_name

The user that performed the login
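Both the Network connection and the Logon events carry a raw IP address whose meaning depends on whether it lies inside your own networks, so the following Python is one added example, not Bitdefender code, that serves both sections. For connections it flags outbound traffic to external addresses from processes that rarely need the internet, on unexpected ports, or with an upload-heavy byte ratio; for logons it checks that logon_type and logon_type_sz agree (using the ID table above), flags the cleartext and new-credentials types, flags remote logon types from external addresses, and groups remote logons by source address to find one address used by many accounts. It assumes events are dicts keyed by the field names above, that direction carries the literal strings "inbound" and "outbound", and that ports and byte counts are integers; the internal ranges, port and process lists, thresholds and sample events are constructed for the example.

```python
"""Triage of "Network connection" and "Logon" telemetry (added example, not
Bitdefender code). Both need the same "is this address outside our networks"
test, so one block serves both sections.

Assumptions not stated on the page: events are dicts keyed by the field names
above; direction carries the literal strings "inbound" / "outbound"; ports and
byte counts are integers.
"""
import ipaddress
from collections import defaultdict

# Ranges treated as internal; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# logon_type IDs as listed on this page, keyed to their logon_type_sz names.
LOGON_TYPES = {0: "system", 2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 8: "networkcleartext", 9: "newcredentials",
               10: "remoteinteractive", 11: "cachedinteractive",
               12: "cachedremoteinteractive", 13: "cachedunlock", 255: "invalid"}
REMOTE_LOGON_TYPES = {3, 8, 10}   # ip_source is meaningful for these
EXPECTED_EGRESS_PORTS = {80, 443}  # illustrative; derive from your own baseline
NO_INTERNET_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "mshta.exe", "regsvr32.exe"}


def is_external(ip):
    """True for a parseable address that falls in none of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def connection_findings(ev):
    """Reasons an outbound connection to an external address deserves a look."""
    if ev.get("direction") != "outbound" or not is_external(ev.get("ip_dest", "")):
        return []
    reasons = []
    proc = ev.get("process_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if proc in NO_INTERNET_PROCS:
        reasons.append(f"{proc} rarely needs direct internet access")
    if ev.get("port_dest") not in EXPECTED_EGRESS_PORTS:
        reasons.append(f"uncommon destination port {ev.get('port_dest')}")
    sent, received = ev.get("bytes_sent", 0), ev.get("bytes_received", 0)
    if sent >= 1_000_000 and sent > 10 * max(received, 1):
        reasons.append(f"upload-heavy: {sent} bytes sent vs {received} received")
    return reasons


def logon_findings(ev):
    """Consistency check of logon_type against logon_type_sz, plus risk flags."""
    reasons = []
    lt, sz = ev.get("logon_type"), ev.get("logon_type_sz")
    if LOGON_TYPES.get(lt) != sz:
        reasons.append(f"logon_type {lt!r} does not match logon_type_sz {sz!r}")
    if lt == 8:
        reasons.append("networkcleartext: credentials crossed the network in the clear")
    if lt == 9:
        reasons.append("newcredentials: runas /netonly style logon, also used by pass-the-hash tooling")
    if lt in REMOTE_LOGON_TYPES and is_external(ev.get("ip_source", "")):
        reasons.append(f"remote logon from external address {ev['ip_source']}")
    return reasons


def many_users_one_source(logon_events, min_users=3):
    """Source addresses from which at least min_users distinct accounts logged on remotely."""
    users = defaultdict(set)
    for ev in logon_events:
        if ev.get("logon_type") in REMOTE_LOGON_TYPES and ev.get("ip_source"):
            users[ev["ip_source"]].add(ev.get("user_name"))
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_CONNECTIONS = [
    {"direction": "outbound", "ip_source": "10.0.0.5", "ip_dest": "203.0.113.7", "port_dest": 443,
     "bytes_sent": 2_500_000, "bytes_received": 4_096,
     "process_path": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"direction": "outbound", "ip_source": "10.0.0.5", "ip_dest": "10.0.0.20", "port_dest": 445,
     "bytes_sent": 900, "bytes_received": 1_200, "process_path": "System"},
    {"direction": "inbound", "ip_source": "203.0.113.9", "ip_dest": "10.0.0.5", "port_dest": 3389,
     "bytes_sent": 0, "bytes_received": 0, "process_path": "C:\\Windows\\System32\\svchost.exe"},
]
SAMPLE_LOGONS = [
    {"user_name": "alice", "logon_type": 2, "logon_type_sz": "interactive", "ip_source": ""},
    {"user_name": "svc_backup", "logon_type": 10, "logon_type_sz": "remoteinteractive", "ip_source": "203.0.113.9"},
    {"user_name": "bob", "logon_type": 8, "logon_type_sz": "networkcleartext", "ip_source": "10.0.0.8"},
    {"user_name": "carol", "logon_type": 3, "logon_type_sz": "interactive", "ip_source": "10.0.0.9"},
    {"user_name": "dave", "logon_type": 3, "logon_type_sz": "network", "ip_source": "10.0.0.9"},
    {"user_name": "erin", "logon_type": 3, "logon_type_sz": "network", "ip_source": "10.0.0.9"},
]
```

The internal-range test is written against an explicit list rather than `ipaddress`'s `is_private`, so that you control exactly which ranges count as yours and the behaviour does not change between Python versions. The `many_users_one_source` grouping only sees successful logons, since that is what the Logon event reports; treat a hit as a lateral-movement lead rather than a password-spray alert.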

Logoff

To receive logoff events, you must first enable the Audit Logoff policy on the endpoint. The procedure is the same as for the Audit Logon policy above, except that you open the Audit Logoff policy (Logon/Logoff > Audit Logoff) instead.

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

machine_name

The host name

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

product_version

BEST product version

user_name

The user that logged off

Create file

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

machine_name

The host name

md5

The MD5 hash of the file

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

path

The file path

pid

The process identifier

process_sha

The SHA256 hash of the process that generated the file

process_md5

The MD5 hash of the process that generated the file

process_path

The process path

product_version

BEST product version

sha

The SHA256 hash of the file

source_path

When a file is copied to a new location, this field indicates the initial file path. Otherwise, the field is empty.

user_name

The user who started the process that generated the file.

Delete file

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

is_remote

Indicates whether the change made on a file happened via remote connection

machine_name

The host name

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

path

The file path of the deleted file

pid

The process identifier

process_sha

The SHA256 hash of the process that deleted the file

process_md5

The MD5 hash of the process that deleted the file

process_path

The process path

product_version

BEST product version

user_name

The user who started the process that deleted the file

Modify file

Field name

Description

bytes_written

The first bytes written to the file, as a buffer of up to 64 KB

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

entropy

The file entropy value

event_name

Event name

event_version

Event version

extra_keys

Keys for extra information to be displayed in the generated incident

extra_values

Values corresponding to the extra_keys field.

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

is_remote

Indicates whether the change made on a file happened via remote connection

machine_name

The host name

md5

The MD5 hash of the file

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

path

The file path

pid

The process identifier

process_sha

The SHA256 hash of the process that generated the file

process_md5

The MD5 hash of the process that generated the file

process_path

The process path

product_version

BEST product version

sha

The SHA256 hash of the file

type

The ID associated with the file type. Possible values:

  • 0: correlates with executable file type

  • 1: correlates with document file type

  • 2: correlates with archive file type

  • 3: correlates with script file type

  • 4: correlates with media file type

  • 5: correlates with possibleimportantformat file type

  • 999: correlates with unknown file type

type_sz

The file type. Possible values:

  • executable

  • document

  • archive

  • script

  • media

  • possibleimportantformat

  • unknown

possibleimportantformat is an umbrella category for file formats that are likely targets of data theft; access to such files is recorded so that a possible data exfiltration can be reconstructed in a later investigation. The targeted file extensions are: .3dm, .3ds, .3g2, .3gp, .7z, .aac, .accdb, .ai, .aif, .asd, .asf, .avi, .bmp, .bz2, .cbr, .cda, .csv, .db, .dbf, .dds, .doc, .docx, .dwg, .dxf, .email, .eml, .emlx, .eps, .fdb, .flac, .flv, .frm, .gif, .gpx, .gslides, .gz, .h264, .heic, .ico, .iff, .jpg, .kexi, .key, .kml, .kmz, .log, .lz, .m3u, .m4a, .m4v, .max, .md, .mdb, .mde, .mdf, .mid, .midi, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .obj, .odp, .ods, .odt, .oft, .ogg, .opus, .ost, .pdb, .pdf, .pez, .png, .pot, .pps, .ppt, .pptx, .psd, .pspimage, .pst, .rar, .rm, .rtf, .sqlite, .srt, .svg, .swf, .tar, .tar.gz, .tar.xz, .tex, .tga, .thm, .tif, .tiff, .vcf, .vob, .wav, .wdb, .wma, .wmv, .wpd, .wps, .xlr, .xls, .xlsm, .xlsx, .xz, .yuv, .zip, and .zipx.

user_name

The user who started the process that modified the file.

Read from file

Field name

Description

bytes_read

The number of bytes read from file

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

entropy

The file entropy value

event_name

Event name

event_version

Event version

extra_keys

Keys for extra information to be displayed in the generated incident

extra_values

Values corresponding to the extra_keys field.

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

is_remote

Indicates whether the file was read via remote connection

machine_name

The host name

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

path

The file path

pid

The process identifier

process_md5

The MD5 hash of the process

process_path

The process path

process_sha

The SHA256 hash of the process

product_version

BEST product version

type

The ID associated with the file type. Possible values:

  • 0: correlates with executable file type

  • 1: correlates with document file type

  • 2: correlates with archive file type

  • 3: correlates with script file type

  • 4: correlates with media file type

  • 5: correlates with possibleimportantformat file type

  • 999: correlates with unknown file type

type_sz

The file type. Possible values:

  • executable

  • document

  • archive

  • script

  • media

  • possibleimportantformat

  • unknown

possibleimportantformat is an umbrella category for file formats that are likely targets of data theft; access to such files is recorded so that a possible data exfiltration can be reconstructed in a later investigation. The targeted file extensions are: .3dm, .3ds, .3g2, .3gp, .7z, .aac, .accdb, .ai, .aif, .asd, .asf, .avi, .bmp, .bz2, .cbr, .cda, .csv, .db, .dbf, .dds, .doc, .docx, .dwg, .dxf, .email, .eml, .emlx, .eps, .fdb, .flac, .flv, .frm, .gif, .gpx, .gslides, .gz, .h264, .heic, .ico, .iff, .jpg, .kexi, .key, .kml, .kmz, .log, .lz, .m3u, .m4a, .m4v, .max, .md, .mdb, .mde, .mdf, .mid, .midi, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .obj, .odp, .ods, .odt, .oft, .ogg, .opus, .ost, .pdb, .pdf, .pez, .png, .pot, .pps, .ppt, .pptx, .psd, .pspimage, .pst, .rar, .rm, .rtf, .sqlite, .srt, .svg, .swf, .tar, .tar.gz, .tar.xz, .tex, .tga, .thm, .tif, .tiff, .vcf, .vob, .wav, .wdb, .wma, .wmv, .wpd, .wps, .xlr, .xls, .xlsm, .xlsx, .xz, .yuv, .zip, and .zipx.

user_name

The user who started the process that read from file
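The Modify file and Read from file events share the type/type_sz classification and the possibleimportantformat extension list, so the following Python is one added example, not Bitdefender code, that serves both sections. It classifies a path against that list (honouring the two-part .tar.gz and .tar.xz suffixes), derives the entropy of a bytes_written buffer when the agent's entropy field is absent, groups high-entropy writes into important files per process (the ransomware pattern), and groups distinct important files read per process (the staging/exfiltration pattern). It assumes events are dicts keyed by the field names above, that bytes_written arrives base64-encoded, and that entropy is a float between 0 and 8; the thresholds, helper names and sample events are constructed for the example.

```python
"""Ransomware-style writes and bulk reads over "Modify file" and "Read from file"
telemetry (added example, not Bitdefender code).

Assumptions not stated on the page: events are dicts keyed by the field names
above; bytes_written is base64-encoded in transit; entropy is a float in 0..8.
"""
import base64
import math
from collections import Counter, defaultdict

# The possibleimportantformat extension list from this page.
IMPORTANT_EXTENSIONS = set("""
.3dm .3ds .3g2 .3gp .7z .aac .accdb .ai .aif .asd .asf .avi .bmp .bz2 .cbr .cda .csv .db .dbf
.dds .doc .docx .dwg .dxf .email .eml .emlx .eps .fdb .flac .flv .frm .gif .gpx .gslides .gz
.h264 .heic .ico .iff .jpg .kexi .key .kml .kmz .log .lz .m3u .m4a .m4v .max .md .mdb .mde .mdf
.mid .midi .mkv .mov .mp3 .mp4 .mpa .mpeg .mpg .msg .obj .odp .ods .odt .oft .ogg .opus .ost
.pdb .pdf .pez .png .pot .pps .ppt .pptx .psd .pspimage .pst .rar .rm .rtf .sqlite .srt .svg
.swf .tar .tar.gz .tar.xz .tex .tga .thm .tif .tiff .vcf .vob .wav .wdb .wma .wmv .wpd .wps
.xlr .xls .xlsm .xlsx .xz .yuv .zip .zipx
""".split())


def file_extension(path):
    """Extension of the last path component, honouring the two-part .tar.* suffixes."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for two_part in (".tar.gz", ".tar.xz"):
        if name.endswith(two_part):
            return two_part
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def is_important(ev):
    """Trust the agent's classification; fall back to the extension list otherwise."""
    return (ev.get("type_sz") == "possibleimportantformat"
            or file_extension(ev.get("path", "")) in IMPORTANT_EXTENSIONS)


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_entropy(ev):
    """Use the agent-supplied entropy, else derive it from the bytes_written buffer."""
    if ev.get("entropy") is not None:
        return float(ev["entropy"])
    return shannon_entropy(base64.b64decode(ev.get("bytes_written") or b""))


def encrypting_processes(modify_events, threshold=7.0, min_files=3):
    """pid -> sorted paths, for processes writing high-entropy data into >= min_files important files."""
    hits = defaultdict(set)
    for ev in modify_events:
        if is_important(ev) and write_entropy(ev) >= threshold:
            hits[ev["pid"]].add(ev["path"])
    return {pid: sorted(paths) for pid, paths in hits.items() if len(paths) >= min_files}


def bulk_readers(read_events, min_files=4):
    """pid -> number of distinct important files read; a staging/exfiltration candidate."""
    seen = defaultdict(set)
    for ev in read_events:
        if is_important(ev):
            seen[ev["pid"]].add(ev["path"])
    return {pid: len(paths) for pid, paths in seen.items() if len(paths) >= min_files}


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLE_MODIFIES = [
    {"pid": 4242, "path": "C:\\Users\\alice\\Documents\\q1.xlsx", "type_sz": "possibleimportantformat", "entropy": 7.96},
    {"pid": 4242, "path": "C:\\Users\\alice\\Documents\\plan.docx", "type_sz": "document", "bytes_written": _b64(bytes(range(256)))},
    {"pid": 4242, "path": "C:\\Users\\alice\\Pictures\\cat.jpg", "type_sz": "media", "entropy": 7.91},
    {"pid": 1200, "path": "C:\\Users\\alice\\Documents\\notes.txt", "type_sz": "unknown", "bytes_written": _b64(b"A" * 64)},
    {"pid": 1200, "path": "C:\\Users\\alice\\Documents\\todo.md", "type_sz": "possibleimportantformat", "entropy": 4.1},
]
SAMPLE_READS = [
    {"pid": 7777, "path": f"\\\\fileserver\\finance\\report{i}.pdf", "type_sz": "possibleimportantformat"} for i in range(5)
] + [{"pid": 1200, "path": "C:\\Users\\alice\\Documents\\todo.md", "type_sz": "possibleimportantformat"}]
```

Compressed and already-encrypted formats (.zip, .7z, .jpg) legitimately have entropy close to 8, so the write check counts distinct files per process rather than alerting on a single write; the count threshold, not the entropy threshold, is what keeps a user saving one photo out of the results.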

Move file

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

machine_name

The host name

md5

The MD5 hash of the file

new_path

The new file path

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

path

The initial file path

pid

The process identifier

process_sha

The SHA256 hash of the process that moved the file

process_md5

The MD5 hash of the process that moved the file

process_path

The process path

product_version

BEST product version

sha

The SHA256 hash of the file that was moved

user_name

The user who started the process that moved the file.

Registry create key

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

key_path

The path to the registry key

machine_name

The host name

operation

The type of operation performed on the registry key. Possible values:

  • create

  • write

  • delete

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

pid

The process identifier

product_version

BEST product version

user_name

The user who started the process that created the registry key.

Registry delete key

Field name

Description

company_id

Indicates the company ID in GravityZone.

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

key_path

The path to the registry key

machine_name

The host name

operation

The type of operation performed on the registry key. Possible values:

  • create

  • write

  • delete

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

pid

The process identifier

product_version

BEST product version

user_name

The user who started the process that deleted the registry key.

Registry delete value

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

key_path

The path to the registry key

machine_name

The host name

operation

The type of operation performed on the registry key. Possible values:

  • create

  • write

  • delete

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

pid

The process identifier

product_version

BEST product version

user_name

The user who started the process that deleted the registry value.

value

The name of the registry value that was deleted

Registry modify value

Field name

Description

company_id

Indicates the company ID in GravityZone.

ctc_version

The version of CTC security signatures

data

The data that was written into the value

data_type

The ID associated with the registry data type. Possible values:

  • 0: correlates with none data type

  • 1: correlates with string data type

  • 2: correlates with expandablestring data type

  • 3: correlates with binary data type

  • 4: correlates with dword data type

  • 5: correlates with dwordbigendian data type

  • 6: correlates with link data type

  • 7: correlates with multistring data type

  • 8: correlates with resourcelist data type

  • 9: correlates with resourcedescriptor data type

  • 10: correlates with resourcerequirements data type

  • 11: correlates with qword data type

data_type_sz

The data format for the registry value. Possible values:

  • none

  • string

  • expandablestring

  • binary

  • dword

  • dwordbigendian

  • link

  • multistring

  • resourcelist

  • resourcedescriptor

  • resourcerequirements

  • qword

To learn more about these data formats, refer to Registry value types. The numeric IDs match the Windows REG_* value type constants (for example, 1 is REG_SZ, 3 is REG_BINARY, 4 is REG_DWORD, and 11 is REG_QWORD).

datetime

The date and time in Unix epoch time format

event_name

Event name

event_version

Event version

hardware_id

An ID, generated by BEST, that uniquely identifies an endpoint.

key_path

The path to the registry key

machine_name

The host name

operation

The type of operation performed on the registry key. Possible values:

  • create

  • write

  • delete

os_family

The type of operating system. Possible values:

  • windows

  • linux

  • macos

os_platform

The type of OS architecture, x86, x64, or arm64.

os_type

Indicates whether the operating system fulfils the role of a client or a server.

os_version

The operating system version. For example: Windows 11.

pid

The process identifier

product_version

BEST product version

user_name

The user who started the process that modified the registry value.

value

The name of the registry value that was modified; the data written to it is in the data field
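The Registry modify value event carries everything needed to spot the common registry persistence mechanisms: the key path, the value name, the written data and its type. The following Python is an added example, not Bitdefender code, that normalises the two spellings of a hive path (HKEY_* and the kernel \REGISTRY\ form), matches the key against Run/RunOnce, the Winlogon Shell/Userinit values and service ImagePath values, and additionally notes when a string-typed payload points into a user-writable location. It assumes events are dicts keyed by the field names above and that data is the decoded string for string-typed values; the location patterns, the user-writable heuristic, the function names and the sample events are constructed for the example.

```python
"""Persistence detection over "Registry modify value" telemetry (added example,
not Bitdefender code).

Assumptions not stated on the page: events are dicts keyed by the field names
above; key_path uses either the HKEY_* or the \\REGISTRY\\ kernel prefix; data
is the decoded string for string-typed values.
"""
import re

# data_type IDs as listed on this page (they match the Windows REG_* constants).
REG_TYPES = {0: "none", 1: "string", 2: "expandablestring", 3: "binary", 4: "dword",
             5: "dwordbigendian", 6: "link", 7: "multistring", 8: "resourcelist",
             9: "resourcedescriptor", 10: "resourcerequirements", 11: "qword"}

# (normalised key pattern, value names of interest or None for any value, label)
PERSISTENCE_LOCATIONS = [
    (re.compile(r"^hk(lm|cu)\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\run(once)?$"),
     None, "autorun (Run/RunOnce)"),
    (re.compile(r"^hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon$"),
     {"shell", "userinit"}, "Winlogon shell/userinit hijack"),
    (re.compile(r"^hklm\\system\\(currentcontrolset|controlset\d+)\\services\\[^\\]+$"),
     {"imagepath"}, "service binary path"),
]
# Heuristic for payload paths an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"(^|\\)(users\\[^\\]+\\appdata|programdata|windows\\temp|temp)\\"
    r"|%(appdata|localappdata|programdata|temp)%", re.I)


def normalize_key(key_path):
    """Lower-case and map both hive spellings onto hklm / hkcu."""
    key = key_path.strip().lower().rstrip("\\")
    for prefix, hive in (("hkey_local_machine", "hklm"), ("\\registry\\machine", "hklm"),
                         ("hkey_current_user", "hkcu")):
        if key.startswith(prefix):
            return hive + key[len(prefix):]
    m = re.match(r"\\registry\\user\\[^\\]+", key)   # \REGISTRY\USER\<SID>\...
    if m:
        return "hkcu" + key[m.end():]
    return key


def persistence_findings(ev):
    """Reasons a registry value write looks like persistence."""
    key = normalize_key(ev.get("key_path", ""))
    value = (ev.get("value") or "").lower()
    data = str(ev.get("data") or "")
    dtype = REG_TYPES.get(ev.get("data_type"), "unknown")
    reasons = []
    for pattern, names, label in PERSISTENCE_LOCATIONS:
        if pattern.match(key) and (names is None or value in names):
            reasons.append(f"{label}: {ev.get('value')} = {data!r} ({dtype})")
    if reasons and dtype in ("string", "expandablestring") and USER_WRITABLE.search(data):
        reasons.append("points into a user-writable location")
    return reasons


def scan(events):
    """Events with findings, as (user_name, pid, reasons)."""
    out = []
    for ev in events:
        reasons = persistence_findings(ev)
        if reasons:
            out.append((ev.get("user_name"), ev.get("pid"), reasons))
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"user_name": "alice", "pid": 4188, "operation": "write",
     "key_path": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Updater", "data": "C:\\Users\\alice\\AppData\\Roaming\\upd.exe", "data_type": 1},
    {"user_name": "SYSTEM", "pid": 612, "operation": "write",
     "key_path": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UpdSvc",
     "value": "ImagePath", "data": "%ProgramData%\\svc.exe", "data_type": 2},
    {"user_name": "alice", "pid": 4100, "operation": "write",
     "key_path": "HKEY_CURRENT_USER\\Software\\Contoso\\Settings",
     "value": "Theme", "data": "dark", "data_type": 1},
    {"user_name": "SYSTEM", "pid": 612, "operation": "write",
     "key_path": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UpdSvc",
     "value": "Start", "data": 2, "data_type": 4},
]
```

Normalising the hive prefix before matching matters because the same key can be reported as HKEY_LOCAL_MACHINE\... by user-mode tooling and as \REGISTRY\MACHINE\... by kernel-mode callbacks; matching on the value name as well as the key keeps routine writes such as a service's Start value out of the results.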