JSON fields

attack_type

The malware type.

Possible values:

ctc_version

The EDR version

detection_hd_category

The type of alert.

Possible values:

extra_info.added_service_file_path

The file path of the added service

extra_info.added_service_name

The name of the added service

extra_info.extra_info_1

Extra information, specific to certain events

extra_info.extra_info_2

Extra information, specific to certain events

extra_info.file_packer_name

The file packer name

extra_info.file_vinfo_company_name

The company name field listed in the metadata of the executable file

extra_info.file_vinfo_product_name

The product name field listed in the metadata of the executable file

extra_info.ldap_distinguished_name

The Distinguished name of the LDAP Object

extra_info.lnk_path

The direct download link of the file

extra_info.new_hardware_device_name

The device name

extra_info.process_injection_target_commandline

The command line of the injected process

extra_info.process_read_memory_target_commandline

The command line of the injected process

extra_info.process_read_memory_target_path

The command line of the process that was read from memory

extra_info.process_read_memory_target_pid

The ID of the process that was read from memory

extra_info.requester_system_name

The source host name

extra_info.smb_host_name

The host name of the SMB connection

extra_info.smb_user

The user of the SMB connection

extra_info.winrm_connection_user_agent

The User agent used in the Windows Remote Management connection.

extra_info.wmi_execute_method_class_name

The Windows Management Instrumentation (WMI) class name

extra_info.wmi_execute_method_method_name

The Windows Management Instrumentation (WMI) function name

extra_info.wmi_interface

The Windows Management Instrumentation (WMI) interface used for interaction with the API

malware_family

The malware family

malware_type

The malware type

severity

The severity level