Indicators of Attack Events

Applies To: WatchGuard EPDR, WatchGuard EDR

WatchGuard EPDR and EDR monitor the processes that run on customer computers and send the generated telemetry data to the WatchGuard cloud. Specialized threat hunters use this data to detect Indicators of Attack (IOA) on customer IT resources.

Telemetry data is stored in events which consist of several fields. The information about the event that triggered the IOA is available in JSON format in the IOA details page, as well as in the attack graphs. Depending on the IOA, some of the fields show in the Other Details section of the IOA details page and in the nodes and arrows on the attack graph. For more information, see Indicator of Attack Details and About Attack Graphs.

Events

An event is a record that consists of fields that describe an action taken by a process on a computer. Each type of event includes a specific number of fields. This table provides the descriptions, data types, and possible values of the fields in events.

Field Description Field Type

accesstype

File access mask:

  • (54) WMI_CREATEPROC: Local WMI

For all other operations:

Bitmask

accnube

The agent installed on the customer computer can access WatchGuard Cloud.

Boolean

action

Type of action taken by the WatchGuard EDR or WatchGuard EPDR agent, by the user, or by the affected process:

  • 0 (Allow) — The agent allowed the process to run.
  • 1 (Block) — The agent blocked the process from running.
  • 2 (BlockTimeout) — The agent displayed a pop-up message to the user but the user did not respond in time.
  • 3 (AllowWL) — The agent allowed the process to run because it is on the local goodware allowlist.
  • 4 (BlockBL) — The agent blocked the process from running because it is on the local malware blocklist.
  • 5 (Disinfect) — The agent disinfected the process.
  • 6 (Delete) — The agent classified the process as malware and deleted it because it could not be disinfected.
  • 7 (Quarantine) — The agent classified the process as malware and moved it to quarantine folder on the computer.
  • 8 (AllowByUser) — The agent displayed a pop-up message to the user and the user responded with ‘Allow execution’.
  • 9 (Informed) — The agent displayed a pop-up message to the user.
  • 10 (Unquarantine) — The agent removed the file from the quarantine folder.
  • 11 (Rename) — The agent renamed the file. This action is used only for testing.
  • 12 (BlockURL) — The agent blocked the URL.

  • 13 (KillProcess) — The agent closed the process.

  • 14 (BlockExploit) — The agent stopped an attempt to exploit a vulnerable process.

  • 15 (ExploitAllowByUser): The user did not allow the exploited process to be closed.

  • 16 (RebootNeeded) — The agent requires that the computer be rebooted to block the exploit attempt.

  • 17 (ExploitInformed) — The agent displayed a pop-up message to the user, reporting an attempt to exploit a vulnerable process.

  • 18 (AllowSonGWInstaller) — The agent allowed the process to run because it belongs to an installation package classified as goodware.

  • 19 (EmbebedInformed) — The agent sent internal operation information to the cloud to improve detection routines.

  • 21 (SuspendProcess) — The monitored process tried to suspend the antivirus service.

  • 22 (ModifyDiskResource) — The monitored process tried to modify a resource protected by the agent shield.

  • 23 (ModifyRegistry) — The monitored process tried to modify a registry key protected by the agent shield.

  • 24 (RenameRegistry) — The monitored process tried to rename a registry key protected by the agent shield.

  • 25 (ModifyMarkFile) — The monitored process tried to modify a file protected by the agent shield.

  • 26 (Undefined) — Error monitoring the process operation.

  • 28 (AllowFGW) — The agent allowed the operation performed by the monitored process because it is on the local goodware allow list.

  • 29 (AllowSWAuthorized): The agent allowed the operation performed by the monitored process because the administrator marked the file as authorized software.

  • 31 (ExploitAllowByAdmin) — The agent allowed the operation performed by the monitored process because the network administrator excluded the exploit.

  • 32 (IPBlocked) — The agent blocked IPs to mitigate an RDP (Remote Desktop Protocol) attack.

Enumeration

actiontype

Indicates the session type:

  • 0 (Login) — Login on the customer computer.
  • 1 (Logout) — Logout on the customer computer.
  • -1 (Unknown) — Unable to determine session type.

Enumeration

age

Date the file was last modified.

Date

blockreason

Reason for the pop-up message displayed on the computer:

  • 0 — The file was blocked because it is unknown and the WatchGuard EPDR or WatchGuard EDR advanced protection mode is set to Hardening or Lock.
  • 1 — The file was blocked by local rules.
  • 2 — The file was blocked because the source is untrusted.
  • 3 — The file was blocked by a context rule.
  • 4 — The file was blocked because it is an exploit.
  • 5 — The file was blocked after asking the user to close the process.

Enumeration

bytesreceived

Total bytes received by the monitored process.

Numeric value

bytessent

Total bytes sent by the monitored process.

Numeric value

callstack/sonsize

Size in bytes of the child file.

Numeric value

childattributes

Attributes of the child process:

  • 0x0000000000000001 (ISINSTALLER) — Self-extracting (SFX) file
  • 0x0000000000000002 (ISDRIVER) — Driver-type file
  • 0x0000000000000008 (ISRESOURCESDLL) — Resource DLL-type file
  • 0x0000000000000010 (EXTERNAL) — File from outside the computer
  • 0x0000000000000020 (ISFRESHUNK) — File recently added to the WatchGuard knowledge base

  • 0x0000000000000040 (ISDISSINFECTABLE) — File for which there is a recommended disinfection action

  • 0x0000000000000080 (DETEVENT_DISCARD) — The event-based context detection technology did not detect anything suspicious

  • 0x0000000000000100 (WAITED_FOR_VINDEX) — Execution of a file whose creation had not been registered

  • 0x0000000000000200 (ISACTIONSEND) — The endpoint agent did not detect malware in the file and it was sent to WatchGuard for classification

  • 0x0000000000000400 (ISLANSHARED) — File stored on a network drive.

  • 0x0000000000000800 (USERALLOWUNK) — File with permission to import unknown DLLs

  • 0x0000000000001000 (ISSESIONREMOTE) — Event that originated from a remote session

  • 0x0000000000002000 (LOADLIB_TIMEOUT) — The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

  • 0x0000000000004000 (ISPE) — Executable file

  • 0x0000000000008000 (ISNOPE) — Non-executable file

  • 0x0000000000020000 (NOSHELL) — The agent did not detect the execution of a shell command on the system

  • 0x0000000000080000 (ISNETNATIVE) — NET Native file

  • 0x0000000000100000 (ISSERIALIZER) — Serializer file

  • 0x0000000000400000 (SONOFGWINSTALLER) — File created by an installer classified as goodware

  • 0x0000000000800000 (PROCESS_EXCLUDED): File not scanned because of the WatchGuard EPDR exclusions

  • 0x0000000001000000 (INTERCEPTION_TXF) — The intercepted operation was originated by an executable whose image on the disk is being modified

  • 0x0000000002000000 (HASMACROS) — Microsoft Office document with macros

  • 0x0000000008000000 (ISPEARM) — Executable file for ARM microprocessors

  • 0x0000000010000000 (ISDYNFILTERED) — The file was allowed on the computer because there are no technologies to classify it

  • 0x0000000020000000 (ISDISINFECTED) — The file was disinfected

  • 0x0000000040000000 (PROCESSLOST) — The operation was not logged

  • 0x0000000080000000 (OPERATION_LOST) — Operation with a pre-scan report for which the post-scan report has not been received yet

Enumeration

childblake

Blake2 signature of the child file.

Character string

childclassification

Classification of the child process that performed the logged action.

  • 0 (Unknown) — File in the process of classification
  • 1 (Goodware) — File classified as goodware
  • 2 (Malware) — File classified as malware
  • 3 (Suspect) — The file is in the process of classification and it is highly likely to be malware
  • 4 (Compromised) — Process compromised by an exploit attack
  • 5 (GWNotConfirmed) — The file is in the process of classification and it is highly like to be malware
  • 6 (Pup) — File classified as an unwanted program
  • 7 (GwUnwanted) — Equivalent to PUP
  • 8 (GwRanked) — Process classified as goodware
  • -1 (Unknown)

Enumeration

childfiletime

Date of the child file logged by the agent.

Date

childfilesize

Size of the child file logged by the agent.

Numeric value

childmd5

Child file hash.

Character string

childpath

Path of the child file that performed the logged operation.

Character string

ChildPID

Child process ID.

Numeric value

childurl

File download URL.

Character string

childstatus

Child process status:

  • 0 (StatusOk) — Status OK
  • 1 (NotFound) — Item not found
  • 2 (UnexpectedError) — Unknown error
  • 3 (StaticFiltered) — File identified as malware using static information contained in the WatchGuard EDR or WatchGuard EPDR protection
  • 4 (DynamicFiltered) — File identified as malware using local technology implemented in WatchGuard EDR or WatchGuard EPDR
  • 5 (FileIsTooBig) — File too big
  • 6 (PEUploadNotAllowed) — File send was disabled
  • 11 (FileWasUploaded) — File sent to the cloud for analysis
  • 12 (FiletypeFiltered) — Resource DLL, NET Native, or Serializer-type file
  • 13 (NotUploadGWLocal) — Goodware file not saved to WatchGuard Cloud
  • 14 (NotUploadMWdisinfect) — Disinfected malware file not saved to WatchGuard Cloud

Enumeration

classname

Type of device where the process resides. It corresponds to the class specified in the .INF file associated with the device.

Character string

configstring

Version of the MVMF.xml file in use.

Character string

commandline

Command line configured as a task to be run via WMI.

Character string

confadvancedrules

WatchGuard EDR or WatchGuard EPDR advanced security policy settings.

Character string

copy

Name of the service that triggered the event.

Character string

details

Summary in the form of a group of relevant fields from the event.

Character string

description

Description of the USB device that performed the operation.

Character string

detectionid

Unique identifier of the detection .

Numeric value

devicetype

Type of drive where the process or file that triggered the logged operation resides:

  • 0 (UNKNOWN) — Unknown
  • 1 (CD_DVD) — CD or DVD drive
  • 2 (USB_STORAGE) — USB storage device
  • 3 (IMAGE) — Image file
  • 4 (BLUETOOTH) — Bluetooth device
  • 5 (MODEM) — Modem
  • 6 (USB_PRINTER) — USB printer
  • 7 (PHONE) — Mobile phone
  • 8 (KEYBOARD) — Keyboard
  • 9 (HID) — Mouse

Enumeration

direction

Network connection direction.

  • 0 (UnKnown) — Unknown
  • 1 (Incoming) — Connection established from outside the network to a computer on the customer network
  • 2 (Outgoing) — Connection established from a computer on the customer network to a computer outside the network
  • 3 (Bidirectional) — Bidirectional

Enumeration

domainlist

List of domains sent by the process to the DNS server for resolution and number of resolutions per domain.

{domain_name,n umber#domain_ name,number}

domainname

Name of the domain the process tries to access/resolve.

Character string

errorcode

Error code returned by the operating system when there is a failed login attempt:

  • 1073740781 (Firewall protected) — The computer you are logging in to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine
  • 1073741074 (Session start error) — An error occurred during login
  • 1073741260 (Account blocked) — Access blocked
  • 1073741275 (Windows error (no risk)) — A bug in Windows and not a risk
  • 1073741276 (Password change required on reboot) — The user password must be changed on next boot
  • 1073741477 (Invalid permission) — The user has requested a type of login that has not been granted
  • 1073741421 (Account expired) — The account has expired
  • 1073741422 (Netlogon not initialized) — An attempt was made to log in, but the Netlogon service was not started
  • 1073741428 (Domains trust failed) — The login request failed because the trust relationship between the primary domain and the trusted domain failed
  • 1073741517 (Clock difference is too big) — The connected computers' clocks are too far out of sync
  • 1073741604 (Sam server is invalid) — The validation server has failed. Cannot perform operation.
  • 1073741710 (Account disabled) — Account disabled
  • 1073741711 (Password expired) — The password has expired
  • 1073741712 (Invalid workstation for login) — An attempt was made to log in from an unauthorized computer
  • 1073741713 (User account day restriction) — An attempt was made to log in at a restricted time
  • 1073741714 (Invalid username or password) — Unknown user name or wrong password
  • 1073741715 (Invalid username or authentication info) — The user name or the authentication information is wrong
  • 1073741718 (Invalid password) — The user name is correct but the password is incorrect
  • 1073741724 (Invalid username) — The user name does not exist
  • 1073741730 (Login server is unavailable) — The server required to validate the login is not available

Enumeration

errorstring

Character string with debug information on the security product settings.

Character string

eventtype

Event type logged by the agent:

  • 1 (ProcessOps) — The process performed operations on the computer hard disk
  • 14 (Download) — The process downloaded data
  • 22 (NetworkOps) — The process performed network operations
  • 26 (DataAccess) — The process accessed data files hosted on internal mass-storage devices
  • 27 (RegistryOps) — The process accessed the Windows Registry
  • 30 (ScriptOps) — Operation performed by a script- type process
  • 31 (ScriptOps) — Operation performed by a script- type process
  • 40 (Detection) — Detection made by the WatchGuard EDR active protections
  • 42 (BandwidthUsage) — Volume of information handled in each data transfer operation performed by the process
  • 45 (SystemOps) — Operation performed by the Windows operating system WMI engine
  • 46 (DnsOps) — The process accessed the DNS name server
  • 47 (DeviceOps) — The process accessed an external device
  • 50 (UserNotification) — Notification displayed to the user and response (if any)
  • 52 (LoginOutOps) — Login or logout operation performed by the user
  • 99 (RemediationOps) — Detection, blocking, and disinfection events from the WatchGuard EDR or WatchGuard EPDR agent
  • 100 (HeaderEvent) — Administrative event with information about the protection software settings and version, as well as computer and customer information
  • 199 (HiddenAction) — Detection event that did not trigger an alert

Enumeration

exploitorigin

Origin of the process exploit attempt:

  • 1 (URL) — URL address
  • 2 (FILE) — File

Enumeration

extendedinfo

Additional information about Type events:

  • 0 (Command line event creation) — Empty
  • 1 (Active script event creation) — Script file name
  • 2 (Event consumer to filter consumer) — Empty
  • 3 (Event consumer to filter query) — Empty
  • 4 (Create User) — Empty
  • 5 (Delete User) — Empty
  • 6 (Add user group) — Group SID
  • 7 (Delete user group) — Group SID
  • 8 (User group admin) — Group SID
  • 9 (User group rdp) — Group SID

Character string

failedqueries

Number of failed DNS resolution requests sent by the process in the last hour.

Numeric value

friendlyname

An easily readable device name.

Character string

firstseen

Date the file was first seen.

Date

hostname

Name of the computer that ran the process.

Character string

infodiscard

Quarantine file internal information.

Character string

ipv4status

IP address type:

  • 0 (Private)
  • 1 (Public)

Enumeration

isdenied

Indicates whether the reported action was denied.

Binary value

islocal

Indicates whether the task was created on the local computer or on a remote computer.

Binary value

Interactive

Indicates whether the login is an interactive login.

Binary value

idname

Device name.

Character string

key

Affected registry branch or key.

Character string

lastquery

Last query sent to the cloud by the WatchGuard EDR or WatchGuard EPDR agent.

Date

localip

Local IP address of the process.

IP address

localport

Depends on the direction field:

  • Outgoing — The port of the process run on the computer protected with WatchGuard EDR and WatchGuard EPDR.
  • Incoming — The port of the process run on the remote computer.

Numeric value

localdatetime

The computer date (in UTC format) at the time the logged event occurred. This date depends on the computer settings. As a result, it can be incorrect.

Date

loggeduser

The user that was logged in to the computer at the time the event was generated.

Character string

machinename

Name of the computer that ran the process.

Character string

manufacturer

Device manufacturer.

Character string

MUID

Internal ID of the customer computer.

Character string

objectname

Unique name of the object within the WMI hierarchy.

Character string

opentstamp

Date of the WMI notification for WMI_CREATEPROC (54) events.

Bitmask

operation

Type of operation performed by the process:

  • 0 (CreateProc) — Process created
  • 1 (PECreat) — Executable program created
  • 2 (PEModif) — Executable program modified
  • 3 (LibraryLoad) — Library loaded
  • 4 (SvcInst) — Service installed
  • 5 (PEMapWrite) — Executable program mapped for write access
  • 6 (PEDelet) — Executable program deleted
  • 7 (PERenam) — Executable program renamed
  • 8 (DirCreate) — Folder created
  • 9 (CMPCreat) — Compressed file created
  • 10 (CMOpened) — Compressed file opened
  • 11 (RegKExeCreat) — A registry branch that points to an executable file was created
  • 12 (RegKExeModif) — A registry branch was modified, which now points to an executable file
  • 15 (PENeverSeen): Executable program never seen before by WatchGuard EPDR
  • 17 (RemoteThreadCreated): Remote thread created
  • 18 (ProcessKilled) — Process killed
  • 25 (SamAccess) — Access to the computer SAM
  • 30 (ExploitSniffer) — Sniffing exploit technique detected
  • 31 (ExploitWSAStartup) — WSAStartup exploit technique detected
  • 32 (ExploitInternetReadFile) — InternetReadFile exploit technique detected
  • 34 (ExploitCMD) — CMD exploit technique detected
  • 39 (CargaDeFicheroD16bitsPorNtvdm.exe) — 16-bit file loaded by ntvdm.exe

  • 43 (Heuhooks) — Anti-exploit technology detected

  • 54 (Create process by WMI) — Process created by a modified WMI

  • 55 (AttackProduct) — Attack detected on the agent service, a file, or registry key

  • 61 (OpenProcess LSASS) — LSASS process opened

Enumeration

operationflags/ integrityLevel

Indicates the integrity level assigned by Windows to the item:

  • 0x0000 Untrusted level
  • 0x1000 Low integrity level
  • 0x2000 Medium integrity level
  • 0x3000 High integrity level
  • 0x4000 System integrity level
  • 0x5000 Protected

Enumeration

operationstatus

Indicates whether the event must be sent to the Advanced Reporting Tool:

  • 0 — Send
  • 1 — Filtered by the agent
  • 2 — Do not send

Numeric value

origusername

User of the computer which performed the operation.

Character string

pandaid

Customer ID.

Numeric value

pandaorionstatus

Indicates the status of the customer computer time settings compared to the clock in WatchGuard Cloud:

  • 0 (Version not supported) — The customer computer does not support synchronization of its time settings to WatchGuard settings.
  • 1 (Recalculated WatchGuard Time) — The customer has fixed and synced the computer’s time settings to WatchGuard settings
  • 2 (WatchGuard Time OK) — The customer computer time settings are correct
  • 3 (WatchGuard Time Calculation Error) — Error fixing the computer time settings

Enumeration

pandatimestatus

Contents of the DateTime, Date, and LocalDateTime fields.

Date

parentattributes

Attributes of the parent process:

  • 0x0000000000000001 (ISINSTALLER) — Self-extracting (SFX) file
  • 0x0000000000000002 (ISDRIVER) — Driver-type file
  • 0x0000000000000008 (ISRESOURCESDLL) — Resource DLL-type file
  • 0x0000000000000010 (EXTERNAL) — File from outside the computer
  • 0x0000000000000020 (ISFRESHUNK) — File recently added to the knowledge base
  • 0x0000000000000040 (ISDISSINFECTABLE) — File for which there is a recommended disinfection action
  • 0x0000000000000080 (DETEVENT_DISCARD) — The event-based context detection technology did not detect anything suspicious

  • 0x0000000000000100 (WAITED_FOR_VINDEX) — Execution of a file whose creation had not been registered

  • 0x0000000000000200 (ISACTIONSEND) — The local technologies did not detect malware in the file and it was sent to WatchGuard for classification

  • 0x0000000000000400 (ISLANSHARED) — File stored on a network drive

  • 0x0000000000000800 (USERALLOWUNK) — File with permission to import unknown DLLs

  • 0x0000000000001000 (ISSESIONREMOTE) — Event originating from a remote session

  • 0x0000000000002000 (LOADLIB_TIMEOUT) — The time elapsed between when the protection intercepted the loading of the library and when it was scanned exceeded 1 second. As a result, the scan changed from synchronous to asynchronous to avoid impacting performance.

  • 0x0000000000004000 (ISPE) — Executable file

  • 0x0000000000008000 (ISNOPE) — Non-executable file

  • 0x0000000000020000 (NOSHELL) — The agent did not detect the execution of a shell command on the system

  • 0x0000000000080000 (ISNETNATIVE) — NET Native file

  • 0x0000000000100000 (ISSERIALIZER) — Serializer file

  • 0x0000000000400000 (SONOFGWINSTALLER) — File created by an installer classified as goodware

  • 0x0000000001000000 (INTERCEPTION_TXF) — The intercepted operation was originated by an executable whose image on the disk is being modified

  • 0x0000000002000000 (HASMACROS) — Microsoft Office document with macros

  • 0x0000000008000000 (ISPEARM) — Executable file for ARM microprocessors

  • 0x0000000010000000 (ISDYNFILTERED) — The file was allowed on the computer because there are no technologies to classify it

  • 0x0000000020000000 (ISDISINFECTED) — The file was disinfected

  • 0x0000000040000000 (PROCESSLOST) — The operation was not logged

  • 0x0000000080000000 (OPERATION_LOST) — Operation with a pre-scan report for which the post-scan report has not been received yet

Enumeration

parentblake

Blake2 signature of the parent file that performed the operation.

Character string

parentcount

Number of processes with DNS failures.

Numeric value

parentmd5

Parent file hash.

Character string

parentpath

Path of the parent file that performed the logged operation.

Character string

parentpid

Parent process ID.

Numeric value

parentstatus

Parent process status:

  • 0 (StatusOk) — Status OK
  • 1 (NotFound) — Item not found
  • 2 (UnexpectedError) — Unknown error
  • 3 (StaticFiltered) — File identified as malware using static information contained in the WatchGuard EDR or WatchGuard EPDR protection
  • 4 (DynamicFiltered) — File identified as malware using local technology implemented in WatchGuard EDR or WatchGuard EPDR
  • 5 (FileIsTooBig) — File too big
  • 6 (PEUploadNotAllowed) — File send was disabled
  • 11 (FileWasUploaded) — File sent to the cloud
  • 12 (FiletypeFiltered) — Resource DLL, NET Native, or Serializer-type file
  • 13 (NotUploadGWLocal) — Goodware file not saved to the cloud
  • 14 (NotUploadMWdisinfect) — Disinfected malware file not saved to the cloud

Enumeration

pecreationsource

Type of drive where the process was created:

  • (0) Unknown — The device type cannot be determined
  • (1) No root dir — The device path is invalid. For example, the external storage media was extracted.
  • (2) Removable media — Removable storage media
  • (3) Fixed media — Internal storage media
  • (4) Remote drive — Remote storage media (for example, a network drive)
  • (5) CD-ROM drive
  • (6) RAM disk

Numeric value

phonedescription

Phone description if the operation involved a device of this type.

Character string

protocol

Communications protocol used by the process:

  • 1 (ICMP)
  • 2 (IGMP)
  • 3 (RFCOMM)
  • 6 (TCP)
  • 12 (RDP)
  • 17 (UDP)
  • 58 (ICMPV6)
  • 113 (RM)

Enumeration

querieddomaincount

Number of different domains sent by the process for which there was a DNS resolution failure in the last hour.

Numeric value

regaction

Type of operation performed on the Windows registry of the computer:

  • 0 (CreateKey) — A new registry branch was created
  • 1 (CreateValue) — A value was assigned to a registry branch
  • 2 (ModifyValue) — A registry branch value was modified

Enumeration

remediationresult

User’s response to the pop-up message shown by WatchGuard EPDR or EDR:

  • 0 (Ok) — The customer accepted the message
  • 1 (Timeout) — The pop-up message disappeared due to lack of action by the user
  • 2 (Angry) — The user chose the option to not block the item from the pop-up message displayed
  • 3 (Block) — The item was blocked because the user did not reply to the pop-up message
  • 4 (Allow) — The user accepted the solution
  • -1 (Unknown)

Enumeration

remoteip

IP address of the computer that started the remote session.

IP address

remotemachinename

Name of the computer that started the remote session.

Character string

remoteport

Depends on the direction field:

  • Incoming — The port of the process run on the computer protected with WatchGuard EDR or WatchGuard EPDR
  • Outcoming — The port of the process run on the remote computer

Numeric value

remoteusername

Name of the computer that started the remote session.

Character string

sessiondate

Date the antivirus service was last started or last time it was started since the last update.

Date

sessiontype

Login type:

  • 0 (System Only) — Session started with a system account
  • 2 (Local) — Session created physically through a keyboard or through KVM over IP
  • 3 (Remote) — Session created remotely in shared folders or printers. This login type uses secure authentication.
  • 4 (Scheduled) — Session created by the Windows task scheduler
  • -1 (Unknown)
  • 5 (Service) — Session created when a service that needs to run in the user session is launched. The session is deleted when the service stops.
  • 7 (Blocked) — Session created when a user tries to join a previously blocked session
  • 8 (Remote Unsecure) — Same as type 3 but the password is sent in plain text
  • 9 (RunAs) — Session created when the “RunAs” command is used under an account other than the account used to log in, and the “/netonly” parameter is specified. If the “/netonly” parameter is not specified, a type 2 session is created.
  • 10 (TsClient) — Session created when accessing through “Terminal Service”, “Remote Desktop” or “Remote Assistance”. It identifies a remote user connection.
  • 11 (Domain Cached) — User session created with domain credentials cached on the machine, but with no connection to the domain controller

Enumeration

servicelevel

Agent execution mode:

  • 0 (Learning) — The agent does not block any items but monitors all running processes
  • 1 (Hardening) — The agent blocks all unclassified programs coming from an untrusted source, and items classified as malware
  • 2 (Block) — The agent blocks all unclassified executables and items classified as malware
  • -1 (N/A)

Enumeration

timeout

The local scan took too long to complete and the process was delegated to other mechanisms that do not impact performance.

Boolean

times

Number of times the same communication event occurred in the last hour.

Numeric value

timestamp

Timestamp of the action detected on the customer computer that generated the indicator.

Date

totalresolutiontime

Indicates the time it took the cloud to respond, and whether the error code query failed:

  • 0 — The cloud was not queried
  • >0 — Time in milliseconds it took the cloud to respond to the query
  • <0 — Cloud query error code

Numeric value

type

Type of WMI operation performed by the process:

  • 0 (Command line event creation) — WMI launched a command line in response to a change in the database
  • 1 (Active script event creation) — A script was run in response to receiving an event
  • 2 (Event consumer to filter consumer) — This event is generated whenever a process subscribes to receive notifications. The name of the created filter is received.
  • 3 (Event consumer to filter query) — This event is generated whenever a process subscribes to receive notifications. The query run by the process to subscribe is received.
  • 4 (Create User) — A user account was added to the operating system
  • 5 (Delete User) — A user account was deleted from the operating system
  • 6 (Add user group) — A group was added to the operating system
  • 7 (Delete user group) — A group was deleted from the operating system
  • 8 (User group admin) — A user was added to the admin group
  • 9 (User group rdp): A user was added to the RDP group

Enumeration

uniqueid

Unique ID of the device.

Character string

url

Download URL launched by the process that generated the logged event.

Character string

value

Type of operation performed on the Windows registry of the computer:

  • 0 (CreateKey) — A new registry branch was created
  • 1 (CreateValue) — A value was assigned to a registry branch
  • 2 (ModifyValue) — A registry branch value was modified

Enumeration

valuedata

Data type of the value contained in the registry branch:

  • 00 (REG_NONE)
  • 01 (REG_SZ)
  • 02 (REG_EXPAND_SZ)
  • 03 (REG_BINARY)
  • 04 (REG_DWORD)
  • 05 (REG_DWORD_BIG_ENDIAN)
  • 06 (REG_LINK)
  • 07 (REG_MULTI_SZ)
  • 08 (REG_RESOURCE_LIST)
  • 09 (REG_FULL_RESOURCE_DESCRIPTOR)
  • 0A (REG_RESOURCE_REQUIREMENTS_LIST)
  • 0B (REG_QWORD)
  • 0C (REG_QWORD_LITTLE_ENDIAN)

Enumeration

vdetevent

Deteven.dll DLL version.

Character string

version

Operating system version of the computer that ran the vulnerable software.

Character string

versionagent

Installed agent version.

Character string

versioncontroller

Psnmvctrl.dll DLL version.

Character string

vtabledetevent

TblEven.dll DLL version.

Character string

vtableramsomevent

TblRansomEven.dll DLL version.

Character string

vramsomevent

RansomEvent.dll DLL version.

Character string

vantiexploit

Anti-exploit technology version.

Character string

vtfilteraxtiexploit

Anti-exploit technology filter version.

Character string

versionproduct

Installed protection product version.

Character string

winningtech

WatchGuard EPDR or WatchGuard EDR endpoint agent technology that raised the event:

  • 0 (Unknown)
  • 1 (Cache) — Locally cached classification
  • 2 (Cloud) — Classification downloaded from the cloud
  • 3 (Context) — Local context rule
  • 4 (Serializer) — Binary type
  • 5 (User) — The user was asked about the action to take
  • 6 (LegacyUser) — The user was asked about the action to take
  • 7 (NetNative) — Binary type
  • 8 (CertifUA) — Detection by digital certificates
  • 9 (LocalSignature) — Local signature
  • 10 (ContextMinerva) — Cloud-hosted context rule
  • 11 (Blockmode) — The agent was in Hardening or Lock mode when the process was blocked from running
  • 12 (Metasploit) — Attack created with the Metasploit Framework
  • 13 (DLP) — Data Leak Prevention technology
  • 14 (AntiExploit) — Technology that identifies attempts to exploit vulnerable processes
  • 15 (GWFilter) — Technology that identifies goodware processes
  • 16 (Policy) — WatchGuard EPDR advanced security policies
  • 17 (SecAppControl) — Security app control technologies
  • 18 (ProdAppControl) — Productivity app control technologies
  • 19 (EVTContext) — Linux contextual technology
  • 20 (RDP) — Technology to detect/block RDP (Remote Desktop Protocol) intrusions and attacks
  • 21 (AMSI) — Technology to detect malware in AMSI notifications
  • -1 (Unknown)

Enumeration

wsdocs

Base-64 encoded list of all documents that were open when an exploit detection occurred.

Character string

See Also

About Attack Graphs