Security Telemetry events sent to SIEM
This section explains what information security agents send to the SIEM solution (Splunk). The information is grouped by event type.
Process create
Field name | Description |
---|---|
cmdline | The command line that started the process. |
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
elevation | The numeric ID associated with the elevation level of the process |
elevation_sz | Indicates whether the process ran with elevated privileges. Possible values:
|
event_name | The event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
integrity | The numeric ID associated with the integrity level |
integrity_sz | The process integrity level. Possible values:
These values are the equivalent of mandatory integrity levels described here. |
machine_name | The host name |
mitre_ids | This field contains the following information related to Mitre attack and techniques:
|
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
parent_cmdline | The command line that started the parent process. |
parent_elevation | The numeric ID associated with the elevation level of the parent process |
parent_elevation_sz | Indicates whether the parent process ran with elevated privileges. Possible values:
|
parent_integrity | The numeric ID associated with the integrity level of the parent process |
parent_integrity_sz | The integrity level of the parent process. Possible values:
These values are the equivalent of mandatory integrity levels described here. |
parent_pid | The parent process identifier |
parent_process_path | The file path of the parent process |
parent_user_name | The username listed for the parent process |
pid | The process identifier |
process_md5 | The MD5 hash of the process |
process_path | The process path |
process_sha | The SHA256 hash of the process |
product_version | BEST product version |
user_name | The user who started the process. |
user_sid | The ID associated with the user account that started the process. |
Terminate process
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
machine_name | The host name |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
pid | The process identifier |
product_version | BEST product version |
Network connection
Field name | Description |
---|---|
bytes_sent | The number of bytes sent by the source endpoint |
bytes_received | The number of bytes received by the destination endpoint |
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
direction | Indicates where the network connection originated, whether it was |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
ip_dest | The destination IP address |
ip_source | The source IP address |
machine_name | The host name |
operation | Indicates the type of network operation performed. For example: |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
pid | The process identifier |
port_dest | The destination port |
port_source | The source port |
process_path | The process path |
product_version | BEST product version |
Logon
To receive logon events successfully, you must first enable the Audit Logon policy on the endpoint.
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
ip_source | The source IP address |
logon_type | The ID associated with the logon type. Possible values:
|
logon_type_sz | The type of login. Possible values:
To learn more about these logon types, refer to Logon types and descriptions. |
machine_name | The host name |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
product_version | BEST product version |
user_name | The user that performed the login |
Logoff
To receive logoff events successfully, you must first enable the Audit Logoff policy on the endpoint. Follow the steps depicted here. At step 3, open the Audit Logoff policy instead.
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
machine_name | The host name |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
product_version | BEST product version |
user_name | The user that logged off |
Create file
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
machine_name | The host name |
md5 | The MD5 hash of the file |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
path | The file path |
pid | The process identifier |
process_sha | The SHA256 hash of the process that generated the file |
process_md5 | The MD5 hash of the process that generated the file |
process_path | The process path |
product_version | BEST product version |
sha | The SHA256 hash of the file |
source_path | When a file is copied to a new location, this field indicates the initial file path. Otherwise, the field is empty. |
user_name | The user who started the process that generated the file. |
Delete file
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
is_remote | Indicates whether the change made on a file happened via remote connection |
machine_name | The host name |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
path | The file path of the deleted file |
pid | The process identifier |
process_sha | The SHA256 hash of the process that deleted the file |
process_md5 | The MD5 hash of the process that deleted the file |
process_path | The process path |
product_version | BEST product version |
user_name | The user who started the process that deleted the file |
Modify file
Field name | Description |
---|---|
bytes_written | A buffer (up to 64K) of the first bytes written |
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
entropy | The file entropy value |
event_name | Event name |
event_version | Event version |
extra_keys | Keys for extra information to be displayed in the generated incident |
extra_values | Values corresponding to the extra_keys field. |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
is_remote | Indicates whether the change made on a file happened via remote connection |
machine_name | The host name |
md5 | The MD5 hash of the file |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
path | The file path |
pid | The process identifier |
process_sha | The SHA256 hash of the process that generated the file |
process_md5 | The MD5 hash of the process that generated the file |
process_path | The process path |
product_version | BEST product version |
sha | The SHA256 hash of the file |
type | The ID associated with the file type. Possible values:
|
type_sz | The file type. Possible values:
|
user_name | The user who started the process that modified the file. |
Read from file
Field name | Description |
---|---|
bytes_read | The number of bytes read from file |
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
entropy | The file entropy value |
event_name | Event name |
event_version | Event version |
extra_keys | Keys for extra information to be displayed in the generated incident |
extra_values | Values corresponding to the extra_keys field. |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
is_remote | Indicates whether the file was read via remote connection |
machine_name | The host name |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
path | The file path |
pid | The process identifier |
process_md5 | The MD5 hash of the process |
process_path | The process path |
process_sha | The SHA256 hash of the process |
product_version | BEST product version |
type | The ID associated with the file type. Possible values:
|
type_sz | The file type. Possible values:
|
user_name | The user who started the process that read from file |
Move file
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
machine_name | The host name |
md5 | The MD5 hash of the file |
new_path | The new file path |
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
path | The initial file path |
pid | The process identifier |
process_sha | The SHA256 hash of the process that moved the file |
process_md5 | The MD5 hash of the process that moved the file |
process_path | The process path |
product_version | BEST product version |
sha | The SHA256 hash of the file that was moved |
user_name | The user who started the process that moved the file. |
Registry create key
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
key_path | The path to the registry key |
machine_name | The host name |
operation | The type of operation performed on the registry key. Possible values:
|
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
pid | The process identifier |
product_version | BEST product version |
user_name | The user who started the process that created the registry key. |
Registry delete key
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
key_path | The path to the registry key |
machine_name | The host name |
operation | The type of operation performed on the registry key. Possible values:
|
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
pid | The process identifier |
product_version | BEST product version |
user_name | The user who started the process that deleted the registry key. |
Registry delete value
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
key_path | The path to the registry key |
machine_name | The host name |
operation | The type of operation performed on the registry key. Possible values:
|
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
pid | The process identifier |
product_version | BEST product version |
user_name | The user who started the process that deleted the registry value. |
value | The registry value |
Registry modify value
Field name | Description |
---|---|
company_id | Indicates the company ID in GravityZone. |
ctc_version | The version of CTC security signatures |
data | The data that was written into the value |
data_type | The ID associated with the registry data type. Possible values:
|
data_type_sz | The data format for the registry value. Possible values:
To learn more about these data formats, refer to Registry value types. |
datetime | The date and time in Unix epoch time format |
event_name | Event name |
event_version | Event version |
hardware_id | An ID, generated by BEST, that uniquely identifies an endpoint. |
key_path | The path to the registry key |
machine_name | The host name |
operation | The type of operation performed on the registry key. Possible values:
|
os_family | The type of operating system. Possible values:
|
os_platform | The type of OS architecture, |
os_type | Indicates whether the operating system fulfils the role of a client or a server. |
os_version | The operating system version. For example: |
pid | The process identifier |
product_version | BEST product version |
user_name | The user who started the process that modified the registry value. |
value | The registry value |