Data Control Visualization — Data Fields

Applies To: WatchGuard Data Control

WatchGuard EPDR or WatchGuard EDR collect information about the processes run on all workstations and servers across the network. If those processes get access to files with Personally Identifiable Information (PII), the information is sent to the WatchGuard Data Control server, where it is organized into a table. Each line of the table is an event monitored by Data Control, and provides information such as when the event occurred, the computer where it took place and its IP address, and more.

ops

This data table stores all information related to the monitoring of files with PII.

Field Description Values

eventdate

Date when the event was logged on the Data Control server.

Date

serverdate

Date on the workstation or server when the event was generated.

Date

machineName

Workstation or server name.

String

machineIP

Workstation or server IP address.

IP address

user

User name of the process that operated on the file.

String

exfiltrationFlag

Indicates whether the file was the subject of an operation classified as data exfiltration, data infiltration, or both.

Infiltration

Exfiltration

Both

docSize

Size of the file with PII (in bytes).

Numeric

op

Operation performed on the file with PII.

Create

Modify

Open

Delete

Rename

Copy-Paste

OnDemand (search launched from the web UI by the administrator)

fatherHash

MD5 of the process that operated on the file with PII. This field will be empty if operation is On Demand.

String

fatherPath

Path of the process that operated on the file with PII. This field will be empty if operation is On Demand.

String

fatherCategory

Category of the process that operated on the file with PII. This field will be empty if operation is On Demand.

Goodware

Malware

Monitoring (unknown process in the process of classification)

PUP (unwanted program)

documentPath

Drive where the file with PII that was operated on resides, and its path, in this format: DEVICE TYPE|PATH

String

documentName

Name of the file that was operated on. In rename operations, this field displays the DocumentName value of the original file, and the DocumentName value of the renamed file, in this format:

TARGET_NAME|ORIGINAL_NAME

String

String | String

documentHash

Hash of the file that was operated on.

String

deviceType

Drive where the file with PII that was operated on resides.

0: UNKNOWN

1: NO_ROOT_DIR (path is invalid or does not exist)

2: REMOVABLE: Mobile device (external hard drive, card reader, USB device, etc.)

3: FIXED: Internal hard drive

5: CDROM

6: RAMDISK

String

creditCard

Indicates whether the credit card number data type was found in the file with PII.

Boolean

bankAccount

Indicates whether the bank account number data type was found in the file with PII.

Boolean

personalID

Indicates whether the ID card number data type was found in the file with PII.

Boolean

driveLic

Indicates whether the driver's license number data type was found in the file with PII.

Boolean

passPort

Indicates whether the passport number data type was found in the file with PII.

Boolean

SSId

Indicates whether the social security number data type was found in the file with PII.

Boolean

email

Indicates whether the email address data type was found in the file with PII.

Boolean

IP

Indicates whether the IP address data type was found in the file with PII.

Boolean

name

Indicates whether the first and last name data type was found in the file with PII.

Boolean

address

Indicates whether the physical address data type was found in the file with PII.

Boolean

phone

Indicates whether the phone number data type was found in the file with PII.

Boolean

estimatedNumPII

Estimated number of found data types.

Numeric

Reclassified

True: The file contained PII but no longer contains it.

False: The file has not been reclassified and therefore contains PII.

Boolean

usrrules

This data table stores all information collected from the files specified in rules defined by the administrator.

Field Description Values

eventdate

Date when the event was logged on the Data Control server.

Date

serverdate

Date on the workstation or server when the event was generated.

Date

machineName

Workstation or server name.

Character string

machineIP

Workstation or server IP address.

IP address

user

Name of the user who was logged in when the event was logged.

Character string

 

exfiltrationFlag

Indicates that the file has been the subject of an operation classified as data exfiltration, data infiltration, or both.

Infiltration

Exfiltration

Both

docSize

Size of the file in bytes.

Numeric

op

Operation performed on the file with PII.

Create

Modify

Open

Delete

Rename

Copy-Paste

fatherHash

MD5 of the process that operated on the file.

Character string

fatherPath

Path of the process that operated on the file.

Character string

fatherCat

Category of the process that operated on the file.

Goodware

Malware

Monitoring (unknown process in the process of classification)

PUP (unwanted program)

documentPath

Drive where the file that was operated on resides, and its path, in this format: DEVICE TYPE|PATH

Character string

documentName

Name of the file that was operated on. In rename operations, this field displays the documentName value of the original file and the documentName value of the renamed file, in this format: TARGET_NAME|ORIGINAL_NAME

Character string

Character string | Character string

documentHash

Hash of the file that was operated on.

Character string

deviceType

Drive where the file with PII that was operated on resides.

0:UNKNOWN

1:NO_ROOT_DIR (path is invalid or does not exist)

2:REMOVABLE(portable device, external hard drive, card reader, USB device, etc.)

3: FIXED (internal hard drive)

5: CDROM

6: RAMDISK

Character string

usrRules

Names of the rules entered in the WatchGuard Endpoint Security web UI that monitor the file. They are separated with the | (pipe) character.

Character string | Character string | Character string

usrrulesmail

This data table stores all information collected from email messages that contain files monitored as specified in the rules defined by the administrator.

Field Description Values

eventdate

Date when the event was logged on the Data Control server.

Date

serverdate

Date on the workstation or server when the event was generated.

Date

machineName

Workstation or server name.

Character string

machineIP

Workstation or server IP address.

IP address

loggeduser

Name of the user who was logged in when the event was logged.

Character string

msgID

Unique ID of the message.

Character string

msgTo

Email address of the message recipient.

Character string

msgFrom

Email address of the message sender.

Character string

msgSentDate

Date the message was sent. In received messages, this field is Null.

Date

msgSubject

Message subject.

Character string

msgReceivedDate

Date the message was received. In sent messages, this field is Null.

Character string

msgElement

Monitored item in the message.

“Attachment” character string

msgElementSize

Size of the monitored file.

Numeric

msgElementName

Name of the monitored file.

Character string

msgElementHash

MD5 of the monitored file.

Character string

msgExfiltrationFlag

Indicates that the file has been the subject of an operation classified as data exfiltration, data infiltration, or both.

INFILTRATION

EXFILTRATION

BOTH

usrRules

Names of the rules entered in the WatchGuard Endpoint Security web UI that monitor the file. They are separated with the | (pipe) character.

Character string |

Character string | Character string...

mail

This data table stores all information collected from the email messages that contain files classified as PII, as well as the characteristics of the files with personal data.

Field Description Values

eventdate

Date when the event was logged on the Data Control server.

Date

serverdate

Date on the workstation or server when the event was generated.

Date

machineName

Workstation or server name.

Character string

machineIP

Workstation or server IP address.

IP address

LoggedUser

Name of the logged-in user when the event was logged.

Character string

msgID

Unique ID of the message.

Character string

msgTo

Email address of the message recipient.

Character string

msgFrom

Email address of the message sender.

Character string

msgSentDate

Date the message was sent. In received messages, this field is Null.

Date

msgSubject

Message subject.

Character string

msgReceivedDate

Date the message was received. In sent messages, this field is Null.

Character string

msgElement

Monitored item in the message.

“Attachment” character string

msgElementSize

Size of the monitored file.

Numeric

msgElementName

Name of the monitored file.

Character string

msgElementHash

MD5 of the monitored file.

Character string

msgExfiltrationFlag

Indicates that the file has been the subject of an operation classified as data exfiltration, data infiltration, or both.

INFILTRATION

EXFILTRATION

BOTH

creditCard

Indicates whether the credit card number data type was found in the file with PII.

Boolean

bankAccount

Indicates whether the bank account number data type was found in the file with PII.

Boolean

personalID

Indicates whether the personal ID number data type was found in the file with PII.

Boolean

driveLic

Indicates whether the driver’s license number data type was found in the file with PII.

Boolean

passPort

Indicates whether Passport number data type was found in the file with PII.

Boolean

SSId

Indicates whether the social security number data type was found in the file with PII.

Boolean

email

Indicates whether the email address data type was found in the file with PII.

Boolean

IP

Indicates whether IP address data type was found in the file with PII.

Boolean

name

Indicates whether the first and last name data type was found in the file with PII.

Boolean

address

Indicates whether the physical address data type was found in the file with PII.

Boolean

phone

Indicates whether phone number data type was found in the file with PII.

Boolean

estimatedNumPII

Estimated number of found data types.

Numeric

See Also

About Data Tables