Raw Events processing rules
The table below explains the XDR processing rules; specifically, which events are sent to the Control Center for further correlation and investigation, and which events are ignored.
It also specifies whether any aggregation is performed and the criteria behind it.
Event type | Category | Processing rules | Aggregation rules |
---|---|---|---|
All | All | Ignores all events generated by the current process ID. | N/A |
Create | File | Ignores all files located inside: Ignores font files ( | Aggregates events based on: |
Create | Process | N/A | N/A |
Create key | Registry | Monitors only the following registry keys: | Aggregates events based on: |
Connection | Network | Ignores all DNS connections (destination port 53). | Aggregates events based on: |
Delete | File | N/A | Aggregates events based on: |
Delete key | Registry | Monitors only the following registry keys: | Aggregates events based on: |
Delete value | Registry | Monitors only the following registry keys: | Aggregates events based on: |
Logon | User | N/A | N/A |
Logout | User | N/A | N/A |
Modify | File | Ignores all files located inside: Ignores font files ( | Aggregates events based on: |
Modify value | Registry | Monitors only the following registry keys: | Aggregates events based on: |
Move | File | N/A | N/A |
Read | File | Ignores all files located inside: Ignores font files ( | Aggregates events based on: |
Terminate | Process | N/A | N/A |
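The following Python model is an added example, not Bitdefender's sensor code: it applies the drop rules the table states (own process ID, DNS destination port 53, the registry allow-list, and the ignored file locations and font files) and collapses the event types the table marks as aggregated, so an analyst can see which raw events never reach the Control Center. The ignored directories, font extensions, monitored registry keys and the aggregation key are assumptions, since the table does not preserve those lists.

```python
"""Added example: a minimal model of XDR raw-event filtering and aggregation."""
from dataclasses import dataclass
from typing import Optional

SELF_PID = 4242  # constructed: the sensor's own process ID

# Assumption: placeholders for lists the table does not preserve.
IGNORED_FILE_DIRS = ("C:\\PLACEHOLDER\\IgnoredDir\\",)
IGNORED_FILE_EXTS = (".placeholderfont",)
MONITORED_REGISTRY_KEYS = ("HKLM\\PLACEHOLDER\\MonitoredKey",)
DNS_PORT = 53  # from the table: DNS connections are ignored

# (event type, category) pairs the table marks as aggregated.
AGGREGATED = {
    ("Create", "File"), ("Create key", "Registry"), ("Connection", "Network"),
    ("Delete", "File"), ("Delete key", "Registry"), ("Delete value", "Registry"),
    ("Modify", "File"), ("Modify value", "Registry"), ("Read", "File"),
}


@dataclass
class Event:
    event_type: str               # Create, Modify, Delete, Connection, ...
    category: str                 # File, Process, Registry, Network, User
    pid: int                      # process that generated the event
    target: str = ""              # path, registry key, user or destination host
    dest_port: Optional[int] = None


def should_forward(ev: Event) -> bool:
    """Apply the table's processing rules; False means the event is ignored."""
    # Rule "All / All": events from the sensor's own process are dropped.
    if ev.pid == SELF_PID:
        return False
    if ev.category == "File" and ev.event_type in ("Create", "Modify", "Read"):
        if ev.target.startswith(IGNORED_FILE_DIRS):
            return False
        if ev.target.lower().endswith(IGNORED_FILE_EXTS):
            return False
    if ev.category == "Registry":
        # Registry rows are allow-lists: only the monitored keys are forwarded.
        return ev.target.startswith(MONITORED_REGISTRY_KEYS)
    if ev.category == "Network" and ev.event_type == "Connection":
        if ev.dest_port == DNS_PORT:
            return False
    return True


def aggregation_key(ev: Event):
    # Assumption: the table's aggregation criteria are not preserved, so
    # identical (type, category, pid, target) events are collapsed here.
    return (ev.event_type, ev.category, ev.pid, ev.target)


def process(events):
    """Return (forwarded records, dropped count); each record carries a count."""
    forwarded, buckets, dropped = [], {}, 0
    for ev in events:
        if not should_forward(ev):
            dropped += 1
            continue
        if (ev.event_type, ev.category) in AGGREGATED:
            key = aggregation_key(ev)
            if key in buckets:
                buckets[key]["count"] += 1  # fold into the existing record
                continue
            buckets[key] = {"event": ev, "count": 1}
            forwarded.append(buckets[key])
        else:
            forwarded.append({"event": ev, "count": 1})  # never aggregated
    return forwarded, dropped


# Constructed sample events covering each rule in the table.
SAMPLE_EVENTS = [
    Event("Create", "File", 100, "C:\\Users\\alice\\report.docx"),
    Event("Create", "File", 100, "C:\\Users\\alice\\report.docx"),   # aggregated
    Event("Create", "File", SELF_PID, "C:\\Temp\\own.log"),           # own PID
    Event("Create", "File", 100, "C:\\PLACEHOLDER\\IgnoredDir\\t.bin"),  # ignored dir
    Event("Read", "File", 100, "C:\\Windows\\Fonts\\a.placeholderfont"),  # font
    Event("Connection", "Network", 200, "10.0.0.53", dest_port=53),   # DNS
    Event("Connection", "Network", 200, "203.0.113.10", dest_port=443),
    Event("Connection", "Network", 200, "203.0.113.10", dest_port=443),  # aggregated
    Event("Modify value", "Registry", 300, "HKLM\\PLACEHOLDER\\MonitoredKey\\Run"),
    Event("Modify value", "Registry", 300, "HKCU\\Software\\Other"),  # not monitored
    Event("Create", "Process", 400, "notepad.exe"),
    Event("Create", "Process", 400, "notepad.exe"),                    # not aggregated
    Event("Logon", "User", 500, "alice"),
]

if __name__ == "__main__":
    fwd, dropped = process(SAMPLE_EVENTS)
    print(f"forwarded records: {len(fwd)}, dropped events: {dropped}")
    for rec in fwd:
        e = rec["event"]
        print(f"  {e.event_type}/{e.category} pid={e.pid} {e.target} x{rec['count']}")
```

Running the sample shows that 5 of the 13 raw events are dropped before forwarding and two pairs collapse into single records, which is the visibility trade-off a detection engineer should keep in mind when the ignored paths or DNS traffic are relevant to a hunt.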