TH API Docs

searchRecords

Description

This is the main search query for indicators in the database. It returns the list of records that match the search conditions.

Response

Returns an XDRRecords

Arguments
Name Description
indicators - [Indicator]! A list of indicators and operation mode to be used between indicators (AND, OR)
queryParam - QueryParam A list of parameters to tune the query, e.g. date range etc.

Example

Query
query searchRecords(
  $indicators: [Indicator]!,
  $queryParam: QueryParam
) {
  searchRecords(
    indicators: $indicators,
    queryParam: $queryParam
  ) {
    pagination {
      ...PaginationFragment
    }
    metadata {
      ...XDRMetadataFragment
    }
    records {
      ... on EPRecord {
        ...EPRecordFragment
      }
      ... on MTARecord {
        ...MTARecordFragment
      }
      ... on GWStatsRecord {
        ...GWStatsRecordFragment
      }
      ... on LAASRecord {
        ...LAASRecordFragment
      }
      ... on MobileRecord {
        ...MobileRecordFragment
      }
    }
  }
}
Variables
{
  "indicators": [Indicator],
  "queryParam": QueryParam
}
Response
{
  "data": {
    "searchRecords": {
      "pagination": Pagination,
      "metadata": XDRMetadata,
      "records": [EPRecord]
    }
  }
}

QueryParam

Fields
Input Field Description
dateRange - DateRange

Specify the query date range e.g: from: "2019-10-21", to: "2019-10-23" Note: Defaults to current day

pagination - PaginationRequest

Pagination request containing the page size and the token for the next page. Note: defaults to a page size of 10 records

jobId - String

Job ID to be used in the query; when not provided, a new job is created. Note: it is highly important to provide it when using PaginationRequest. About to be deprecated in Kusto

orderBy - OrderBy

Order of expected records (descending or ascending) based on a provided field

timeoutMs - Int

How long to wait for the query to complete, in milliseconds, before returning. Default is 60 seconds.

aggregations - Aggregations

Provided aggregations for the query fields

useRepCache - Boolean

Use reputation cache flag, default is false

recordTypes - [RecordType]

RecordTypes to run search on

dataSourceTypes - [DataSourceType]

dataSourceTypes to run search on

Example
{
  "dateRange": DateRange,
  "pagination": PaginationRequest,
  "jobId": "abc123",
  "orderBy": OrderBy,
  "timeoutMs": 123,
  "aggregations": Aggregations,
  "useRepCache": true,
  "recordTypes": ["Network"],
  "dataSourceTypes": ["endpoint"]
}

DateRange

Fields
Input Field Description
from - String

Will query all available data from the given date, e.g: from: "2019-10-16"

to - String

Will limit the query to all available data up until the given date, e.g: to: "2019-10-16"

Example
{
  "from": "abc123",
  "to": "abc123"
}

Pagination

Fields
Field Name Description
maxResults - Int Max records that were returned from the query (page size), e.g: 20
pageToken - String The token for the next page to be returned. This token needs to be provided in the PaginationRequest section e.g: PaginationRequest { maxResults: 10, pageToken: "BHBYUFXQNUAQAAASA4EAAEEAQCAAKGQEBAFBACRAWCXBK===" } see more info on BQ Paging
Example
{"maxResults": 123, "pageToken": "abc123"}

PaginationRequest

Fields
Input Field Description
maxResults - Int

Max records that will be returned from the query (page size), e.g: 20

pageToken - String

The token for the next page to be returned. e.g: "BHBYUFXQNUAQAAASA4EAAEEAQCAAKGQEBAFBACRAWCXBK===" see more info on BQ Paging

Example
{"maxResults": 123, "pageToken": "xyz789"}
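The three inputs above (QueryParam.jobId, Pagination.pageToken and PaginationRequest) only make sense together: the first call creates a job, and every later page must carry both the returned jobId and the returned pageToken. The following paging client is an added example, not code from the TH API documentation or its maintainers. It assumes a JSON-over-HTTP GraphQL transport (modelled here by a callable so the example runs offline against a constructed fake server), selects concrete fields from this page instead of the undefined *Fragment definitions, and passes the Indicator list through untouched because the Indicator input type is not described on this page.

```python
"""Paging client for the searchRecords query (added example; not the TH API's own code)."""
import json
from typing import Any, Callable, Dict, Iterator, List, Optional

# The page shows the query shape but not the *Fragment definitions, so this
# selection set names concrete fields listed on the page instead (an assumption).
SEARCH_RECORDS_QUERY = """
query searchRecords($indicators: [Indicator]!, $queryParam: QueryParam) {
  searchRecords(indicators: $indicators, queryParam: $queryParam) {
    pagination { maxResults pageToken }
    metadata { totalRows jobId }
    records {
      ... on EPRecord { UUID MachineName Base { RecordType OpTimeUTC } }
    }
  }
}
"""

# A transport takes the GraphQL request body and returns the decoded JSON response.
Transport = Callable[[Dict[str, Any]], Dict[str, Any]]


def build_query_param(date_from: str, date_to: str, page_size: int = 10,
                      page_token: Optional[str] = None, job_id: Optional[str] = None,
                      timeout_ms: Optional[int] = None) -> Dict[str, Any]:
    """Build a QueryParam input. dateRange is always explicit because it defaults to the current day."""
    query_param: Dict[str, Any] = {
        "dateRange": {"from": date_from, "to": date_to},
        "pagination": {"maxResults": page_size},
    }
    if page_token:
        query_param["pagination"]["pageToken"] = page_token
    if job_id:
        # The docs stress that jobId must accompany a PaginationRequest that carries a token.
        query_param["jobId"] = job_id
    if timeout_ms is not None:
        query_param["timeoutMs"] = timeout_ms
    return query_param


def iter_search_records(transport: Transport, indicators: List[Any], date_from: str, date_to: str,
                        page_size: int = 10, max_pages: int = 1000) -> Iterator[Dict[str, Any]]:
    """Yield every record across all pages, threading jobId and pageToken from one page to the next."""
    job_id: Optional[str] = None
    page_token: Optional[str] = None
    for _ in range(max_pages):  # hard cap so a server that keeps handing out tokens cannot loop forever
        payload = {
            "query": SEARCH_RECORDS_QUERY,
            "variables": {
                "indicators": indicators,
                "queryParam": build_query_param(date_from, date_to, page_size, page_token, job_id),
            },
        }
        response = transport(payload)
        if response.get("errors"):
            raise RuntimeError("GraphQL errors: %s" % json.dumps(response["errors"]))
        result = response["data"]["searchRecords"]
        # Reuse the job created by the first page for every subsequent page.
        job_id = result["metadata"].get("jobId") or job_id
        for record in result["records"]:
            yield record
        page_token = result["pagination"].get("pageToken")
        if not page_token:
            return
    raise RuntimeError("page limit %d reached with a pageToken still pending" % max_pages)


class FakeTHServer:
    """Constructed stand-in for the TH endpoint: two pages of made-up EPRecords (not real telemetry)."""

    def __init__(self) -> None:
        self.calls: List[Dict[str, Any]] = []  # QueryParam of every request, kept for inspection

    def __call__(self, payload: Dict[str, Any]) -> Dict[str, Any]:
        query_param = payload["variables"]["queryParam"]
        self.calls.append(query_param)
        token = query_param["pagination"].get("pageToken")
        if token is None:  # first page: create the job, hand out a (constructed) token
            records = [{"UUID": "host-a-1571809237475", "MachineName": "host-a",
                        "Base": {"RecordType": "Process", "OpTimeUTC": 1571809237475.0}},
                       {"UUID": "host-b-1571809240000", "MachineName": "host-b",
                        "Base": {"RecordType": "Network", "OpTimeUTC": 1571809240000.0}}]
            page = {"maxResults": 2, "pageToken": "TOKEN-PAGE-2"}
        else:  # later pages: refuse a token that arrives without the job it belongs to
            if query_param.get("jobId") != "job-constructed-1":
                return {"errors": [{"message": "pageToken presented without its jobId"}]}
            records = [{"UUID": "host-a-1571809250000", "MachineName": "host-a",
                        "Base": {"RecordType": "File", "OpTimeUTC": 1571809250000.0}}]
            page = {"maxResults": 2, "pageToken": None}
        return {"data": {"searchRecords": {"pagination": page,
                                            "metadata": {"totalRows": 3, "jobId": "job-constructed-1"},
                                            "records": records}}}


def demo() -> List[str]:
    """Run the paging loop against the fake server and return the UUIDs seen, in order."""
    server = FakeTHServer()
    indicators = ["<Indicator input: its fields are not documented on this page>"]  # placeholder
    return [r["UUID"] for r in iter_search_records(server, indicators, "2019-10-21", "2019-10-23", page_size=2)]


if __name__ == "__main__":
    print(demo())
```

The fake server rejects a pageToken that arrives without its jobId, which mirrors the note on QueryParam.jobId and makes the failure visible in a test rather than in production. Swap `FakeTHServer` for a function that POSTs the payload to the real endpoint with the tenant's credentials; nothing else in the loop changes.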

XDRMetadata

Fields
Field Name Description
totalRows - Int
jobId - String
Example
{"totalRows": 987, "jobId": "xyz789"}

EPRecord

Description

List of records returned by the query. A record may be of type Process, Network, Registry etc.; the RecordType field indicates the record type. The record contains the relevant object data under the Process, Network, Registry etc. fields.

Fields
Field Name Description
DataSource - String
OSName - String
OSVersion - String
HostType - String
ProductVersion - String
MachineName - String
UserName - String
MachineNameUnique - String
DomainName - String
EPGUID - String
HostIps - String
HostMacs - String
UUID - String Record Unique ID (MachineNameUnique-OpTime), e.g: 1e377906-0ef6dd15-ecdc0ed9-537e7d79-1571809237475
Base - RecordBase Base object should always exist (these props are found in each record)
Process - RecordPs Process object found in the query, will return null if not a Process record
Network - RecordNet Network object found in the query, will return null if not a Network record
File - RecordFile File object found in the query, will return null if not a File record
Inject - RecordInject Injection object found in the query, will return null if not an Injection record
Dns - RecordDns Dns object found in the query, will return null if not a Dns record
Registry - RecordReg Registry object found in the query, will return null if not a Registry record
RemoteLogon - RecordRemoteLogon RemoteLogon object found in the query, will return null if not a RemoteLogon record
Script - RecordScript Script object found in the query, will return null if not a Script record
AdvancedActivity - RecordAdvancedActivity AdvancedActivity object found in the query, will return null if not an AdvancedActivity record
IndirectExecution - RecordIndirectExecution IndirectExecution object found in the query, will return null if not an IndirectExecution record
RemoteExecution - RecordRemoteExecution RemoteExecution object found in the query, will return null if not a RemoteExecution record
DetectionEvent - RecordDetect DetectionEvent object found in the query, will return null if not a DetectionEvent record
Email - RecordEmail Email object found in the query, will return null if not an Email record
AggregationResults - [AggregationResult] List of aggregations returned by the query
MitreInfo - [MitreInfo] Mitre info matched on the specific record
ShadowITInfo - [ShadowITInfo] ShadowIT info
Example
{
  "DataSource": "abc123",
  "OSName": "xyz789",
  "OSVersion": "xyz789",
  "HostType": "abc123",
  "ProductVersion": "xyz789",
  "MachineName": "abc123",
  "UserName": "abc123",
  "MachineNameUnique": "abc123",
  "DomainName": "abc123",
  "EPGUID": "xyz789",
  "HostIps": "xyz789",
  "HostMacs": "abc123",
  "UUID": "abc123",
  "Base": RecordBase,
  "Process": RecordPs,
  "Network": RecordNet,
  "File": RecordFile,
  "Inject": RecordInject,
  "Dns": RecordDns,
  "Registry": RecordReg,
  "RemoteLogon": RecordRemoteLogon,
  "Script": RecordScript,
  "AdvancedActivity": RecordAdvancedActivity,
  "IndirectExecution": RecordIndirectExecution,
  "RemoteExecution": RecordRemoteExecution,
  "DetectionEvent": RecordDetect,
  "Email": RecordEmail,
  "AggregationResults": [AggregationResult],
  "MitreInfo": [MitreInfo],
  "ShadowITInfo": [ShadowITInfo]
}

OrderBy

Fields
Input Field Description
field - FieldType!

Field on which we will order the records returned, e.g: OpTimeUTC

ascDesc - OrederByEnum

Descending or ascending order, e.g: DESC

Example
{"field": "OSName", "ascDesc": "DESC"}

Aggregations

Fields
Input Field Description
selectDistinct - Boolean

Will query using select distinct on all requested fields

aggregationsArr - [Aggregation]

Will run the aggregation function for the provided fields in the array

Example
{
  "selectDistinct": false,
  "aggregationsArr": [Aggregation]
}

XDRRecord

Types
Union Types

EPRecord

Example
EPRecord

XDRRecords

Description

XDR type records used for match indicator V2

Fields
Field Name Description
pagination - Pagination
metadata - XDRMetadata
records - [XDRRecord]
Example
{
  "pagination": Pagination,
  "metadata": XDRMetadata,
  "records": [EPRecord]
}

RecordBase

Fields
Field Name Description
RecordType - String Record type (Process, Network, File etc...)
Pid - Float Process ID
CreationTime - Float Process Creation Time
PidCreationTime - String Pid CreationTime concatenation
OpTimeLocal - Float Local time of the operation (ms resolution!)
OpTimeUTC - Float UTC time of the operation (ms resolution!)
OpTimeSecondsUTC - String Timestamp of the operation in UTC (second resolution!)
ProcessDir - String Process directory
ProcessName - String Process name
ProcessMD5 - String Process MD5
ParentProcessDir - String Parent process directory
ParentProcessName - String Parent process name
ParentProcessMD5 - String Parent process MD5
ProcessArgs - String Process arguments used in process creation
ProcessSigner - String Process image signer (file signed by vendors like: microsoft, google, etc...)
ParentProcessSigner - String Parent process signer
ProcessClassification - String Process MD5 classification by reputation service
ParentProcessClassification - String Parent process MD5 classification by reputation service
LogSource - String The source product which uploaded the log
ProcessPPid - Int Parent PID
ProcessPCreationTime - Float Parent process CreationTime
ProcessPath - String Process Path (Process directory + Process name)
ParentProcessPath - String Parent Process Path (Parent Process directory + Parent Process name)
ProcessReputationInfo - ProcessReputationInfo Reputation info for the given process based on ProcessMD5
ParentProcessReputationInfo - ProcessReputationInfo Reputation info for the given process based on ProcessMD5
ProcessTerminationTime - Float Process termination time
Browser - String Browser info from Browser Extension
BrowserVersion - String
ProcessChildren - [EPRecord] children of the given process
Example
{
  "RecordType": "abc123",
  "Pid": 987.65,
  "CreationTime": 987.65,
  "PidCreationTime": "abc123",
  "OpTimeLocal": 123.45,
  "OpTimeUTC": 123.45,
  "OpTimeSecondsUTC": "xyz789",
  "ProcessDir": "xyz789",
  "ProcessName": "abc123",
  "ProcessMD5": "abc123",
  "ParentProcessDir": "xyz789",
  "ParentProcessName": "xyz789",
  "ParentProcessMD5": "abc123",
  "ProcessArgs": "xyz789",
  "ProcessSigner": "xyz789",
  "ParentProcessSigner": "xyz789",
  "ProcessClassification": "abc123",
  "ParentProcessClassification": "xyz789",
  "LogSource": "xyz789",
  "ProcessPPid": 987,
  "ProcessPCreationTime": 987.65,
  "ProcessPath": "abc123",
  "ParentProcessPath": "abc123",
  "ProcessReputationInfo": ProcessReputationInfo,
  "ParentProcessReputationInfo": ProcessReputationInfo,
  "ProcessTerminationTime": 123.45,
  "Browser": "xyz789",
  "BrowserVersion": "abc123",
  "ProcessChildren": [EPRecord]
}
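Three details of EPRecord and RecordBase trip up consumers: UUID is "MachineNameUnique-OpTime" and MachineNameUnique itself contains dashes, OpTimeUTC is epoch milliseconds as a Float, and the type-specific payload sits under whichever object field (Process, Network, File, ...) is non-null, with Base.RecordType naming it. The helpers below are an added example, not code from the TH API documentation or its maintainers. The sample record is constructed (not real telemetry); the exact RecordType string for every object field is not listed on the page, so the payload lookup falls back to the single non-null object field when RecordType does not match a field name.

```python
"""Post-processing helpers for EPRecord results (added example; not the TH API's own code)."""
from datetime import datetime, timezone
from typing import Any, Dict, Iterator, Optional, Tuple

# Object fields an EPRecord can carry; per the docs, only the one matching the record type is non-null.
RECORD_OBJECT_FIELDS = ("Process", "Network", "File", "Inject", "Dns", "Registry", "RemoteLogon",
                        "Script", "AdvancedActivity", "IndirectExecution", "RemoteExecution",
                        "DetectionEvent", "Email")


def parse_uuid(uuid: str) -> Tuple[str, int]:
    """Split UUID 'MachineNameUnique-OpTime'. MachineNameUnique contains dashes itself,
    so only the last dash separates the epoch-millisecond suffix."""
    machine, sep, op_time = uuid.rpartition("-")
    if not sep or not op_time.isdigit():
        raise ValueError("UUID does not end in -<OpTime>: %r" % uuid)
    return machine, int(op_time)


def op_time_to_iso(op_time_ms: float) -> str:
    """Render OpTimeUTC (epoch milliseconds) as ISO 8601 without losing the millisecond part
    to float rounding: split into whole seconds and millis with integer arithmetic."""
    seconds, millis = divmod(int(op_time_ms), 1000)
    stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return "%s.%03dZ" % (stamp.strftime("%Y-%m-%dT%H:%M:%S"), millis)


def record_payload(record: Dict[str, Any]) -> Tuple[str, Optional[Dict[str, Any]]]:
    """Return (record type, type-specific object). Prefers Base.RecordType when it names a
    non-null object field; otherwise falls back to the single non-null object field."""
    base = record.get("Base") or {}
    record_type = base.get("RecordType")
    if record_type in RECORD_OBJECT_FIELDS and record.get(record_type) is not None:
        return record_type, record[record_type]
    present = [name for name in RECORD_OBJECT_FIELDS if record.get(name) is not None]
    if len(present) == 1:
        return record_type or present[0], record[present[0]]
    return record_type or "Unknown", None


def normalize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten the fields an analyst pivots on into one row."""
    base = record.get("Base") or {}
    machine_unique, uuid_op_time = parse_uuid(record["UUID"])
    record_type, payload = record_payload(record)
    return {
        "uuid": record["UUID"],
        "machine": record.get("MachineName"),
        "machine_unique": machine_unique,
        # Base.OpTimeUTC is authoritative; the UUID suffix is the fallback when Base was not selected.
        "op_time_utc": op_time_to_iso(base.get("OpTimeUTC", uuid_op_time)),
        "record_type": record_type,
        "process": base.get("ProcessPath"),
        "parent": base.get("ParentProcessPath"),
        "payload": payload,
    }


def walk_process_tree(record: Dict[str, Any], depth: int = 0) -> Iterator[Tuple[int, str]]:
    """Depth-first walk over Base.ProcessChildren (a list of EPRecord), yielding (depth, ProcessPath)."""
    base = record.get("Base") or {}
    yield depth, base.get("ProcessPath") or base.get("ProcessName") or "?"
    for child in base.get("ProcessChildren") or []:
        yield from walk_process_tree(child, depth + 1)


# Constructed sample record (not real telemetry); the UUID suffix matches the docs' example value.
SAMPLE_RECORD: Dict[str, Any] = {
    "UUID": "1e377906-0ef6dd15-ecdc0ed9-537e7d79-1571809237475",
    "MachineName": "WS-CONSTRUCTED-01",
    "Base": {
        "RecordType": "Network",
        "OpTimeUTC": 1571809237475.0,
        "ProcessPath": "C:\\Windows\\explorer.exe",
        "ParentProcessPath": "C:\\Windows\\System32\\userinit.exe",
        "ProcessChildren": [
            {"Base": {"ProcessPath": "C:\\Windows\\System32\\notepad.exe", "ProcessChildren": []}},
        ],
    },
    "Process": None,
    "Network": {"NetworkType": "DNS", "NetworkDomain": "example.invalid", "NetworkDestPort": "53"},
    "File": None,
}


if __name__ == "__main__":
    print(normalize(SAMPLE_RECORD))
    for level, path in walk_process_tree(SAMPLE_RECORD):
        print("  " * level + path)
```

The millisecond handling matters for correlation: OpTimeUTC and the UUID suffix agree to the millisecond, while OpTimeSecondsUTC is a second-resolution string, so joins across the two must truncate rather than round.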

RecordAdvancedActivity

Fields
Field Name Description
ActivityType - String The type of the activity (Screen capture, Memory artifact etc...)
ActivityName - String Name of the activity
ActivityDetails - String More info related to the activity
ActivityTargetProcessDir - String Name of potential target
ActivityTargetProcessName - String Name of potential target
ActivityTargetProcessArgs - String Args of potential target
ActivityTargetPid - Float Target Pid
ActivityTargetCreationTime - Float Target CreationTime
ActivityTargetArgs - String Args of potential target
Example
{
  "ActivityType": "abc123",
  "ActivityName": "abc123",
  "ActivityDetails": "xyz789",
  "ActivityTargetProcessDir": "xyz789",
  "ActivityTargetProcessName": "xyz789",
  "ActivityTargetProcessArgs": "xyz789",
  "ActivityTargetPid": 987.65,
  "ActivityTargetCreationTime": 123.45,
  "ActivityTargetArgs": "abc123"
}

RecordDetect

Fields
Field Name Description
DetectionIncidentId - String Incident ID for the detection
DetectionAttackStatus - String Status of the attack (Clean, Dormant, Blocked, etc...)
DetectionEnforcementMode - String The trigger blade enforcement mode
DetectionMalwareAction - String Action taken by the blade who triggered the detection
DetectionTriggeredBy - String Which blade triggered the detection
DetectionThirdPartyVendorName - String Third party vendor name who triggered the detection
DetectionMalwareFamily - String Malware family (Ryuk, Wannacry, etc...)
DetectionProtectionName - String Protection name (ransomware.win.honey, generic.trojan, etc...)
DetectionProtectionType - String Protection type detected by Forensics (Trojan, Riskware, Adware etc...)
DetectionIncidentConfidence - String Confidence of the incident calculated by Forensics
DetectionIncidentSeverity - String Severity of the incident calculated by Forensics
DetectionAttackTriggerProc - String The Process that triggered the attack (process that did the C&C, create the file etc...)
DetectionMaliciousPath - String The path that was triggered by the blade (C&C URL, malicious file path etc...)
DetectionMaliciousFileDir - String The malicious file directory (TE, Reputation etc.)
DetectionMaliciousFileName - String The malicious file name (TE, Reputation etc.)
DetectionMaliciousDomainName - String The malicious domain name (Anti-Bot etc.)
DetectionTriggerMD5 - String The MD5 of the Process that triggered the attack (process that did the C&C, create the file etc...)
DetectionEntryPointProc - String The initial process that started the attack
DetectionAttackRoot - String The first process in the attack execution tree
DetectionCreatingProcDir - String Directory of the process that created the malicious activity
DetectionCreatingProcName - String Name of the process that created the malicious activity
DetectionCreatingProcMD5 - String MD5 of the process that created the malicious activity
DetectionCreatingProcSigner - String Signer of the process that created the malicious activity
DetectionSuspiciousEvents - String List of all suspicious events found in the attack
WindowsFeatures - String List of all server roles and windows features that the machine provide
DetectionTotalProcs - Float Total number of processes found in the attack
DetectionUniqueTotalProcs - Float Total number of unique processes found in the attack
DetectionUniqueMalProcs - Float Total number of unique malicious processes found in the attack
DetectionUniqueSuspProcs - Float Total number of unique suspicious processes found in the attack
DetectionUniqueUnknownProcs - Float Total number of unique unknown processes found in the attack
DetectionUniqueUnsignedProcs - Float Total number of unique unsigned processes found in the attack
DetectionUniqueScriptProcs - Float Total number of unique script processes (powershell, cmd, etc...) found in the attack
DetectionUniqueWinProcs - Float Total number of unique windows processes (explorer, svchost, etc...) found in the attack
DetectionUniqueTotalFiles - Float Total number of unique files found in the attack
DetectionUniqueMalFiles - Float Total number of unique malicious files found in the attack
DetectionUniqueSuspFiles - Float Total number of unique suspicious files found in the attack
DetectionUniqueTotalUrls - Float Total number of unique URLs found in the attack
DetectionUniqueMalUrls - Float Total number of unique malicious URLs found in the attack
DetectionUniqueSuspUrls - Float Total number of unique suspicious URLs found in the attack
DetectionUniqueUnknownUrls - Float Total number of unique unknown URLs found in the attack
DetectionUniqueTotalIPs - Float Total number of unique IPs found in the attack
DetectionUniqueMalIPs - Float Total number of unique malicious IPs found in the attack
DetectionUniqueSuspIPs - Float Total number of unique suspicious IPs found in the attack
DetectionUniqueUnknownIPs - Float Total number of unique unknown IPs found in the attack
DetectionPolicyAutoRemidiation - Boolean Whether or not automatic remediation was applied by Forensics
DetectionDescription - String Description of the detection event; this field is commonly used by alerts
DetectionGeneralInfo - String General info of the detection event; this field is commonly used by alerts
DetectionAttackUserDomain - String Domain name during the attack
DetectionAttackUserName - String User name during the attack
DetectionRemediationPolicy - String Summary of remediation action according to policy for this detection
DetectionAttackTree - String Json description of the attack tree with minimal info
DetectionCreatingProcPid - Float PID of the creating process
DetectionCreatingProcCreationTime - Float CreationTime of the creating process
DetectionFirstEPNet - String First entry-point network data
DetectionFirstEPNetType - String First entry-point network type
DetectionFirstEPURLReferrer - String First entry-point network URL Referrer
DetectionFirstEPFileName - String First entry-point File Name
DetectionFirstEPFileHash - String First entry-point File Hash
DetectionDetermined - String Is the event Determined
DetectionImpersonatedDomain - String Domain of the impersonated brand
DetectionImpersonatedType - String Impersonated brand type (media etc...)
DetectionImpersonatedBrand - String Impersonated well known brand (Netflix, Facebook etc...)
DetectionEmailMsgID - String Message ID of the detected Email
DetectionEmailSubject - String Subject of the detected Email
DetectionEmailFrom - String Source of the detected Email
DetectionEmailTo - String Destination of the detected Email
DetectionEmailAttachmentName - String Name of attachment on the detected Email
DetectionEmailEmbeddedURL - String Embedded URL of on the detected Email
DetectionEmailDateOfDelivery - Float Delivery date of the detected Email
Example
{
  "DetectionIncidentId": "abc123",
  "DetectionAttackStatus": "abc123",
  "DetectionEnforcementMode": "abc123",
  "DetectionMalwareAction": "xyz789",
  "DetectionTriggeredBy": "xyz789",
  "DetectionThirdPartyVendorName": "xyz789",
  "DetectionMalwareFamily": "abc123",
  "DetectionProtectionName": "xyz789",
  "DetectionProtectionType": "abc123",
  "DetectionIncidentConfidence": "xyz789",
  "DetectionIncidentSeverity": "xyz789",
  "DetectionAttackTriggerProc": "abc123",
  "DetectionMaliciousPath": "abc123",
  "DetectionMaliciousFileDir": "abc123",
  "DetectionMaliciousFileName": "abc123",
  "DetectionMaliciousDomainName": "abc123",
  "DetectionTriggerMD5": "xyz789",
  "DetectionEntryPointProc": "abc123",
  "DetectionAttackRoot": "xyz789",
  "DetectionCreatingProcDir": "xyz789",
  "DetectionCreatingProcName": "abc123",
  "DetectionCreatingProcMD5": "xyz789",
  "DetectionCreatingProcSigner": "xyz789",
  "DetectionSuspiciousEvents": "xyz789",
  "WindowsFeatures": "abc123",
  "DetectionTotalProcs": 987.65,
  "DetectionUniqueTotalProcs": 987.65,
  "DetectionUniqueMalProcs": 987.65,
  "DetectionUniqueSuspProcs": 123.45,
  "DetectionUniqueUnknownProcs": 987.65,
  "DetectionUniqueUnsignedProcs": 987.65,
  "DetectionUniqueScriptProcs": 123.45,
  "DetectionUniqueWinProcs": 123.45,
  "DetectionUniqueTotalFiles": 123.45,
  "DetectionUniqueMalFiles": 123.45,
  "DetectionUniqueSuspFiles": 123.45,
  "DetectionUniqueTotalUrls": 987.65,
  "DetectionUniqueMalUrls": 987.65,
  "DetectionUniqueSuspUrls": 123.45,
  "DetectionUniqueUnknownUrls": 987.65,
  "DetectionUniqueTotalIPs": 123.45,
  "DetectionUniqueMalIPs": 123.45,
  "DetectionUniqueSuspIPs": 987.65,
  "DetectionUniqueUnknownIPs": 123.45,
  "DetectionPolicyAutoRemidiation": true,
  "DetectionDescription": "xyz789",
  "DetectionGeneralInfo": "abc123",
  "DetectionAttackUserDomain": "abc123",
  "DetectionAttackUserName": "abc123",
  "DetectionRemediationPolicy": "abc123",
  "DetectionAttackTree": "abc123",
  "DetectionCreatingProcPid": 123.45,
  "DetectionCreatingProcCreationTime": 123.45,
  "DetectionFirstEPNet": "abc123",
  "DetectionFirstEPNetType": "abc123",
  "DetectionFirstEPURLReferrer": "xyz789",
  "DetectionFirstEPFileName": "abc123",
  "DetectionFirstEPFileHash": "xyz789",
  "DetectionDetermined": "abc123",
  "DetectionImpersonatedDomain": "abc123",
  "DetectionImpersonatedType": "abc123",
  "DetectionImpersonatedBrand": "abc123",
  "DetectionEmailMsgID": "abc123",
  "DetectionEmailSubject": "xyz789",
  "DetectionEmailFrom": "abc123",
  "DetectionEmailTo": "xyz789",
  "DetectionEmailAttachmentName": "xyz789",
  "DetectionEmailEmbeddedURL": "xyz789",
  "DetectionEmailDateOfDelivery": 123.45
}

RecordDns

Fields
Field Name Description
DnsQueryName - String DNS query string that was used
DnsResponse - String Dns query response
DnsEventId - Float Dns event id
DomainReputationInfo - DomainReputationInfo Reputation info for the Domain that was accessed
Example
{
  "DnsQueryName": "xyz789",
  "DnsResponse": "abc123",
  "DnsEventId": 123.45,
  "DomainReputationInfo": DomainReputationInfo
}

RecordEmail

Fields
Field Name Description
EmailAttachments - String File attachments
NetworkURL - String Mail Urls
EmailURLs - String Mail Urls
EmailType - String The type (incoming or outgoing)
EmailFrom - String The user the mail arrived from
EmailTo - String The user the mail was delivered to
EmailSubject - String The subject of the mail
EmailServerName - String The server the mail arrived from
EmailMessageId - String The ID of the mail
EmailCC - String The CC of the mail
EmailBCC - String The BCC of the mail
Example
{
  "EmailAttachments": "abc123",
  "NetworkURL": "abc123",
  "EmailURLs": "xyz789",
  "EmailType": "abc123",
  "EmailFrom": "xyz789",
  "EmailTo": "xyz789",
  "EmailSubject": "abc123",
  "EmailServerName": "abc123",
  "EmailMessageId": "abc123",
  "EmailCC": "abc123",
  "EmailBCC": "xyz789"
}

RecordFile

Fields
Field Name Description
FileDir - String File directory
FileName - String File name
FileMD5 - String File MD5 (relevant only for file types supported by TE blade)
FileType - String File type (exe, zip etc... relevant only for file types supported by TE blade)
FileNewDir - String File directory for renamed files
FileNewFileName - String File name for renamed files
FileOpMask - Float Operation mask for the file activity
FileSize - Float The size of the file
FileEntropy - String File entropy calculation
FileSigner - String Signer (certificate) of a file
FileContent - String Content included in the file
OriginalFileClassification - String The original classification of the file
FilePath - String File Path (File directory + File name)
FileReputationInfo - FileReputationInfo Reputation info for the given file based on FileMD5
FileOp - [String] File operations based on FileOpMask
EmailFrom - String Email attachment info
EmailTo - String Email attachment info
EmailType - String Email attachment info
EmailSubject - String Email attachment info
EmailServerName - String Email attachment info
EmailMessageId - String Email attachment info
EmailCC - String Email attachment info
EmailBCC - String Email attachment info
Example
{
  "FileDir": "xyz789",
  "FileName": "abc123",
  "FileMD5": "xyz789",
  "FileType": "abc123",
  "FileNewDir": "abc123",
  "FileNewFileName": "abc123",
  "FileOpMask": 987.65,
  "FileSize": 123.45,
  "FileEntropy": "xyz789",
  "FileSigner": "abc123",
  "FileContent": "xyz789",
  "OriginalFileClassification": "xyz789",
  "FilePath": "xyz789",
  "FileReputationInfo": FileReputationInfo,
  "FileOp": ["abc123"],
  "EmailFrom": "xyz789",
  "EmailTo": "xyz789",
  "EmailType": "xyz789",
  "EmailSubject": "abc123",
  "EmailServerName": "xyz789",
  "EmailMessageId": "abc123",
  "EmailCC": "xyz789",
  "EmailBCC": "abc123"
}

RecordIndirectExecution

Fields
Field Name Description
ExecutionType - String The type of the activity (Screen capture, Memory artifact etc...)
ExecutionName - String Name of the activity
ExecutionDetails - String More info related to the activity
ExecutionTargetProcessDir - String Name of potential target
ExecutionTargetProcessName - String Name of potential target
ExecutionTargetProcessArgs - String Args of potential target
ExecutionTargetPid - Float Target Pid
ExecutionTargetCreationTime - Float Target CreationTime
ExecutionRemoteSourceMachine - String Machine name of the remote source
ExecutionRemoteTargetUserName - String User name of the remote machine
ExecutionRemoteTargetUserDomain - String Domain name of the remote machine
Example
{
  "ExecutionType": "xyz789",
  "ExecutionName": "abc123",
  "ExecutionDetails": "xyz789",
  "ExecutionTargetProcessDir": "xyz789",
  "ExecutionTargetProcessName": "abc123",
  "ExecutionTargetProcessArgs": "abc123",
  "ExecutionTargetPid": 987.65,
  "ExecutionTargetCreationTime": 123.45,
  "ExecutionRemoteSourceMachine": "xyz789",
  "ExecutionRemoteTargetUserName": "xyz789",
  "ExecutionRemoteTargetUserDomain": "abc123"
}

RecordInject

Fields
Field Name Description
InjectDstPid - Float Destination process id for process that was injected
InjectDstCreationTime - Float Destination process creation time for process that was injected
InjectClassification - String Injection classification (indicates successful injection)
InjectDstDir - String Destination directory of the process that was injected
InjectDstName - String Destination name of the process that was injected
InjectHookOperation - String The Hook operation that was used in the injection
InjectDstPath - String Inject Dst Path (Inject Dst Directory + Inject Dst Name)
Example
{
  "InjectDstPid": 987.65,
  "InjectDstCreationTime": 123.45,
  "InjectClassification": "xyz789",
  "InjectDstDir": "abc123",
  "InjectDstName": "abc123",
  "InjectHookOperation": "abc123",
  "InjectDstPath": "abc123"
}

RecordNet

Fields
Field Name Description
NetworkProtocol - String Network protocol used in request (http, ftp, https)
NetworkType - String Network general type: (http, DNS, Socket)
NetworkLayer - String Network layer type: (Application, Transport)
NetworkDomain - String Network domain accessed in request
NetworkPath - String Network path accessed in request
NetworkQueryString - String Network query string used in request
NetworkHttpMethod - String Network request methods used (Get, Post etc...)
NetworkReferer - String Referer request header which contains the address of the previous web page from which a link to the currently requested page was followed
NetworkUserAgent - String User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, OS etc...
NetworkResponseStatusCode - String Status codes of the request (indicate whether a specific HTTP request has been successfully completed)
NetworkSrcIP - String Source IP used in request
NetworkSrcPort - String Source Port used in request
NetworkDestIP - String Destination IP used in request
NetworkDestPort - String Destination Port used in request
NetworkIsListen - String Boolean indication whether a process is listening on a socket (can indicate reverse shell)
NetworkBytesReceived - Float The byte size of the received data in the connection
NetworkBytesSent - Float The byte size of the sent data in the connection
NetworkConnectionStartTime - Float The Epoch start time of the connection
NetworkConnectionCloseTime - Float The Epoch close time of the connection
NetworkConnectionDirection - String The direction of the connection (Incoming | Outgoing)
OriginalDomainClassification - String The original classification of the domain on http traffic
OriginalIPClassification - String The original classification of the IP traffic
NetworkIsIframe - Boolean Whether the relevant URL represents an Iframe window
OriginalURLClassification - String The original classification of the URL
NetworkDisplayedUrl - String Parsed URL HyperLink from Email
NetworkURL - String Full URL including (Protocol Domain Path QueryString)
URLReputationInfo - URLReputationInfo Reputation info for the URL that was accessed
DomainReputationInfo - DomainReputationInfo Reputation info for the Domain that was accessed
DestIPReputationInfo - IPReputationInfo Reputation info for the IP that was accessed
NetworkIsRemoteIpConnection - Boolean Boolean indication if the Dest IP is a remote connection or a local connection
FileName - String File name of downloaded file coming from extension
FileMD5 - String File MD5 of downloaded file coming from extension
EmailFrom - String Email attachment info
EmailTo - String Email attachment info
EmailType - String Email attachment info
EmailSubject - String Email attachment info
EmailServerName - String Email attachment info
EmailMessageId - String Email attachment info
EmailCC - String Email attachment info
EmailBCC - String Email attachment info
Example
{
  "NetworkProtocol": "abc123",
  "NetworkType": "xyz789",
  "NetworkLayer": "abc123",
  "NetworkDomain": "abc123",
  "NetworkPath": "abc123",
  "NetworkQueryString": "abc123",
  "NetworkHttpMethod": "abc123",
  "NetworkReferer": "xyz789",
  "NetworkUserAgent": "xyz789",
  "NetworkResponseStatusCode": "xyz789",
  "NetworkSrcIP": "abc123",
  "NetworkSrcPort": "abc123",
  "NetworkDestIP": "xyz789",
  "NetworkDestPort": "xyz789",
  "NetworkIsListen": "abc123",
  "NetworkBytesReceived": 987.65,
  "NetworkBytesSent": 123.45,
  "NetworkConnectionStartTime": 987.65,
  "NetworkConnectionCloseTime": 123.45,
  "NetworkConnectionDirection": "abc123",
  "OriginalDomainClassification": "xyz789",
  "OriginalIPClassification": "xyz789",
  "NetworkIsIframe": false,
  "OriginalURLClassification": "xyz789",
  "NetworkDisplayedUrl": "xyz789",
  "NetworkURL": "abc123",
  "URLReputationInfo": URLReputationInfo,
  "DomainReputationInfo": DomainReputationInfo,
  "DestIPReputationInfo": IPReputationInfo,
  "NetworkIsRemoteIpConnection": false,
  "FileName": "abc123",
  "FileMD5": "abc123",
  "EmailFrom": "xyz789",
  "EmailTo": "abc123",
  "EmailType": "abc123",
  "EmailSubject": "abc123",
  "EmailServerName": "xyz789",
  "EmailMessageId": "xyz789",
  "EmailCC": "xyz789",
  "EmailBCC": "abc123"
}

RecordPs

Fields
Field Name Description
ProcessInvalidSigner - String Indication (as a string) of whether the process image signature is not valid
ProcessPPid - Float Parent process ID
ProcessPCreationTime - Float Parent process creation time
ProcessPPidCreationTime - String Parent process Pid CreationTime concatenated string
ProcessOp - String Process operation (Started, Stopped)
ProcessIntegrityLevel - String Privilege (integrity level) of the executed process
ProcessLogonSession - Float Logon session number performed by process
ParentProcessIntegrityLevel - String Privilege of the parent process
ParentProcessArgs - String Parent process arguments used in process creation
ProcessAccount - String Owner of the process that was executed
ProcessOriginalName - String The original name of the process
ProcessTrustedSigner - Boolean Is the process signed by a trusted signer
Example
{
  "ProcessInvalidSigner": "xyz789",
  "ProcessPPid": 123.45,
  "ProcessPCreationTime": 987.65,
  "ProcessPPidCreationTime": "abc123",
  "ProcessOp": "abc123",
  "ProcessIntegrityLevel": "abc123",
  "ProcessLogonSession": 987.65,
  "ParentProcessIntegrityLevel": "xyz789",
  "ParentProcessArgs": "xyz789",
  "ProcessAccount": "xyz789",
  "ProcessOriginalName": "abc123",
  "ProcessTrustedSigner": false
}

RecordReg

Fields
Field Name Description
RegistryKey - String Registry Key that was accessed by process
RegistryValue - String Registry value that was accessed by process
RegistryNewData - String Registry data that was created by process
RegistryOldData - String Registry previous data that was modified by process
RegistryOpMask - Float Operation mask for the registry activity (open, create, write, rename etc...)
RegistryOp - [String] Registry operations based on RegistryOpMask
Example
{
  "RegistryKey": "abc123",
  "RegistryValue": "abc123",
  "RegistryNewData": "xyz789",
  "RegistryOldData": "xyz789",
  "RegistryOpMask": 123.45,
  "RegistryOp": ["xyz789"]
}

RecordRemoteExecution

Fields
Field Name Description
RemoteExecutionSourceIpAddress - String IP Address of the execution source
RemoteExecutionSourceMachineName - String Machine Name of the execution source
RemoteExecutionDestinationIpAddress - String IP Address of the target machine
RemoteExecutionSourcePort - Float Port from the source machine used for remote execution
RemoteExecutionUserName - String The authenticated user name
RemoteExecutionDomainName - String Domain name of the authenticated user
RemoteExecutionDestinationPort - Float Port from target machine used for remote execution
RemoteExecutionUserSID - String Authenticated user SID
RemoteExecutionType - String Type of remote execution
RemoteExecutionLogonId - Float Logon id of the session used for remote execution
Example
{
  "RemoteExecutionSourceIpAddress": "xyz789",
  "RemoteExecutionSourceMachineName": "abc123",
  "RemoteExecutionDestinationIpAddress": "abc123",
  "RemoteExecutionSourcePort": 123.45,
  "RemoteExecutionUserName": "xyz789",
  "RemoteExecutionDomainName": "abc123",
  "RemoteExecutionDestinationPort": 123.45,
  "RemoteExecutionUserSID": "xyz789",
  "RemoteExecutionType": "abc123",
  "RemoteExecutionLogonId": 987.65
}

RecordRemoteLogon

Fields
Field Name Description
RemoteAttackerMachineName - String Machine name from which the logon attempt was performed
RemoteOwnerUserName - String User name of the attacker machine (used for outbound network connections)
RemoteOwnerDomainName - String Domain name of the attacker machine (subject's domain or computer name)
RemoteAttackerIpAddress - String IP address of the machine from which the logon attempt was performed
RemoteIpPort - Float Port used for remote
RemoteLogonType - String Windows remote logon type (may indicate the connection type)
EventType - String The type of user operation (Logon, Logoff...)
LogonOrigin - String Logon origin (Local, Remote)
RemoteStatus - Float Status code of the logon event (for failed events)
RemoteSubStatus - Float Sub-status code of the logon event (for failed events)
RemoteStatusDescription - String Description of logon event status
RemoteSubStatusDescription - String Description of logon event Sub-Status
RemoteEventID - Float Event ID of the remote logon (indication of the event)
RemoteNumberOfConnections - Float Number of events counted (incremented per event)
LogonId - Float Logon operation id
LinkedLogonId - Float Linked logon id
RemoteLastOpTime - Float Last event for the same connection
RemoteProcessName - Float The name of the process that initiated the remote connection
LogonAccountType - String Logon account can be Local or Domain
RemoteEventDescription - String Text description of the Event ID
UserSID - String User SID performing the logon action
Example
{
  "RemoteAttackerMachineName": "abc123",
  "RemoteOwnerUserName": "xyz789",
  "RemoteOwnerDomainName": "xyz789",
  "RemoteAttackerIpAddress": "abc123",
  "RemoteIpPort": 987.65,
  "RemoteLogonType": "xyz789",
  "EventType": "abc123",
  "LogonOrigin": "xyz789",
  "RemoteStatus": 987.65,
  "RemoteSubStatus": 987.65,
  "RemoteStatusDescription": "xyz789",
  "RemoteSubStatusDescription": "abc123",
  "RemoteEventID": 987.65,
  "RemoteNumberOfConnections": 987.65,
  "LogonId": 123.45,
  "LinkedLogonId": 987.65,
  "RemoteLastOpTime": 123.45,
  "RemoteProcessName": 987.65,
  "LogonAccountType": "abc123",
  "RemoteEventDescription": "xyz789",
  "UserSID": "xyz789"
}

RecordScript

Fields
Field Name Description
ScriptData - LengthAtMost
Example
{"ScriptData": LengthAtMost}

RecordType

Values
Enum Value Description

Network

Process

File

Registry

NamedObject

Inject

Dns

RemoteLogon

Script

WmiExecution

KeyLogger

Link

PassTheHash

Extension

DetectionEvent

AdvancedActivity

IndirectExecution

RemoteExecution

Email

Application

NetworkRoaming

Example
"Network"

URLReputationInfo

Fields
Field Name Description
ReputationType - String Type of the reputation record (MD5, URL, IP etc...)
Resource - String URL of the indicator
URLClassification - String URL Rep classification
URLRepPositives - Float Number of VT detection positives
URLRepRisk - Float Risk of the resource; see the Risk Threshold Guide (https://wiki.checkpoint.com/confluence/display/GlobalPO/Reputation+Service)
URLRepTotal - Float URL reputation total
URLRepConfidence - String Confidence of the classification (Low, Medium, High)
URLRepSeverity - String Severity of the classification (Low, Medium, High)
URLRepMalwareFamily - String Malware family associated with the resource
URLRepProtectionName - String Malware protection name associated with the resource
URLRepRegistrant - String URL Registrant associated with the URL
VTLink - String VirusTotal link
Example
{
  "ReputationType": "xyz789",
  "Resource": "abc123",
  "URLClassification": "abc123",
  "URLRepPositives": 987.65,
  "URLRepRisk": 123.45,
  "URLRepTotal": 123.45,
  "URLRepConfidence": "xyz789",
  "URLRepSeverity": "xyz789",
  "URLRepMalwareFamily": "xyz789",
  "URLRepProtectionName": "xyz789",
  "URLRepRegistrant": "abc123",
  "VTLink": "xyz789"
}

DomainReputationInfo

Fields
Field Name Description
ReputationType - String Type of the reputation record (MD5, URL, IP etc...)
Resource - String Domain of the indicator
DomainClassification - String Domain Rep classification
DomainRepPositives - Float Number of VT detection positives
DomainRepRisk - Float Risk of the resource; see the Risk Threshold Guide (https://wiki.checkpoint.com/confluence/display/GlobalPO/Reputation+Service)
DomainRepTotal - Float Domain reputation total
DomainRepConfidence - String Confidence of the classification (Low, Medium, High)
DomainRepSeverity - String Severity of the classification (Low, Medium, High)
DomainRepMalwareFamily - String Malware family associated with the resource
DomainRepProtectionName - String Malware protection name associated with the resource
DomainRepRegistrant - String Domain Registrant associated with the Domain
VTLink - String VirusTotal link
Example
{
  "ReputationType": "abc123",
  "Resource": "abc123",
  "DomainClassification": "abc123",
  "DomainRepPositives": 123.45,
  "DomainRepRisk": 123.45,
  "DomainRepTotal": 987.65,
  "DomainRepConfidence": "abc123",
  "DomainRepSeverity": "xyz789",
  "DomainRepMalwareFamily": "abc123",
  "DomainRepProtectionName": "abc123",
  "DomainRepRegistrant": "xyz789",
  "VTLink": "xyz789"
}

IPReputationInfo

Fields
Field Name Description
ReputationType - String Type of the reputation record (MD5, URL, IP etc...)
Resource - String IP of the indicator
IPClassification - String IP Rep classification
IPRepPositives - Float Number of VT detection positives
IPRepRisk - Float Risk of the resource; see the Risk Threshold Guide (https://wiki.checkpoint.com/confluence/display/GlobalPO/Reputation+Service)
IPRepTotal - Float IP reputation total
IPRepConfidence - String Confidence of the classification (Low, Medium, High)
IPRepSeverity - String Severity of the classification (Low, Medium, High)
IPRepMalwareFamily - String Malware family associated with the resource
IPRepGeoLocation - String IP Geo Location associated with the IP
VTLink - String VirusTotal link
Example
{
  "ReputationType": "xyz789",
  "Resource": "xyz789",
  "IPClassification": "xyz789",
  "IPRepPositives": 123.45,
  "IPRepRisk": 123.45,
  "IPRepTotal": 987.65,
  "IPRepConfidence": "abc123",
  "IPRepSeverity": "xyz789",
  "IPRepMalwareFamily": "xyz789",
  "IPRepGeoLocation": "abc123",
  "VTLink": "xyz789"
}

FileReputationInfo

Fields
Field Name Description
ReputationType - String Type of the reputation record (MD5, URL, IP etc...)
Resource - String MD5 of the indicator (Process, File)
FileClassification - String File Rep classification
FileRepPositives - Float Number of VT detection positives
FileRepTotal - Float Number of VT vendors who scanned this file
FileRepRisk - Float Risk of the resource; see the Risk Threshold Guide (https://wiki.checkpoint.com/confluence/display/GlobalPO/Reputation+Service)
FileRepConfidence - String Confidence of the classification (Low, Medium, High)
FileRepSeverity - String Severity of the classification (Low, Medium, High)
FileRepMalwareFamily - String Malware family associated with the resource
FileRepMalwareTypes - String Malware types based on VT scans
FileRepProtectionName - String Protection name returned from Malware Service / AntiVirus
VTLink - String VirusTotal link
Example
{
  "ReputationType": "xyz789",
  "Resource": "abc123",
  "FileClassification": "abc123",
  "FileRepPositives": 123.45,
  "FileRepTotal": 987.65,
  "FileRepRisk": 987.65,
  "FileRepConfidence": "abc123",
  "FileRepSeverity": "xyz789",
  "FileRepMalwareFamily": "abc123",
  "FileRepMalwareTypes": "xyz789",
  "FileRepProtectionName": "abc123",
  "VTLink": "xyz789"
}

LengthAtMost

Example
LengthAtMost

AggregationResult

Fields
Field Name Description
aggregateFunction - String Function that was used when aggregating the results e.g: MIN
aggregationField - String Field on which the aggregation was done. e.g: OpTimeUTC
aggregationName - String Name for the aggregation requested by the client e.g: MIN(OpTimeUTC) AS myAggregationName.
aggregateResult - String Result of the aggregation e.g: for MIN(OpTimeUTC) the result will be the min value 1571746744174
Example
{
  "aggregateFunction": "abc123",
  "aggregationField": "abc123",
  "aggregationName": "abc123",
  "aggregateResult": "xyz789"
}

MitreInfo

Fields
Field Name Description
tacticID - String MITRE ATT&CK tactic ID
tacticName - String MITRE ATT&CK tactic name
techniqueID - String MITRE ATT&CK technique ID
techniqueName - String MITRE ATT&CK technique name
Example
{
  "tacticID": "abc123",
  "tacticName": "xyz789",
  "techniqueID": "xyz789",
  "techniqueName": "xyz789"
}

ShadowITInfo

Fields
Field Name Description
applicationName - String Shadow IT application name
categoryName - String Shadow IT category name
subCategoryName - String Shadow IT sub-category name
Example
{
  "applicationName": "xyz789",
  "categoryName": "abc123",
  "subCategoryName": "xyz789"
}

Indicator

Description

Indicator input for search

Fields
Input Field Description
fieldArr - [String]!
fieldType - FieldType!
operator - Operator!
escaped - Boolean
Example
{
  "fieldArr": ["xyz789"],
  "fieldType": "OSName",
  "operator": "Is",
  "escaped": false
}

Operator

Values
Enum Value Description

Is

IsNot

Contains

DoesNotContain

IsOneOf

IsNotOneOf

Exists

DoesNotExist

IsLeastFrequent

IsMostFrequent

IsLeastFrequentBy

IsMostFrequentBy

GreaterThan

LessThan

Example
"Is"

Aggregation

Fields
Input Field Description
aggregateFunction - AggregateFunction!

Function to be used when aggregating the results e.g: MIN

aggregationField - String!

Field on which to aggregate, e.g: OpTimeUTC

aggregationName - String

Name for the aggregation to return e.g: MIN(OpTimeUTC) AS myAggregationName.

Example
{
  "aggregateFunction": "SUM",
  "aggregationField": "abc123",
  "aggregationName": "xyz789"
}

AggregateFunction

Values
Enum Value Description

SUM

AVG

COUNT

MIN

MAX

COUNT_DISTINCT

Example
"SUM"
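As an added example (not part of the TH API docs), a small Python helper that builds Indicator and Aggregation inputs for searchRecords, checked against the Operator, FieldType and AggregateFunction values listed above, and maps an AggregationResult back to a typed value. The per-operator value-count rules and the nesting of aggregations under queryParam.aggregations are assumptions, not something the schema text states.

```python
# Enum values as listed in the Operator and AggregateFunction sections of this page.
OPERATORS = {
    "Is", "IsNot", "Contains", "DoesNotContain", "IsOneOf", "IsNotOneOf",
    "Exists", "DoesNotExist", "IsLeastFrequent", "IsMostFrequent",
    "IsLeastFrequentBy", "IsMostFrequentBy", "GreaterThan", "LessThan",
}
AGGREGATE_FUNCTIONS = {"SUM", "AVG", "COUNT", "MIN", "MAX", "COUNT_DISTINCT"}
FIELD_TYPES = {"OSName", "MachineName", "ProcessName", "ProcessMD5",  # subset of the
               "OpTimeUTC", "RemoteEventID", "RegistryKey"}            # FieldType enum

# Assumed value-count rules (the page does not state them): Is/IsNot, Contains/DoesNotContain
# and GreaterThan/LessThan take one value, Exists/DoesNotExist none, all others at least one.
SINGLE_VALUE = {"Is", "IsNot", "Contains", "DoesNotContain", "GreaterThan", "LessThan"}
NO_VALUE = {"Exists", "DoesNotExist"}


def indicator_error(field_type, operator, values):
    """Return a problem description for an Indicator input, or None if it is well formed."""
    if field_type not in FIELD_TYPES:
        return f"unknown FieldType {field_type!r}"
    if operator not in OPERATORS:
        return f"unknown Operator {operator!r}"
    if operator in SINGLE_VALUE and len(values) != 1:
        return f"{operator} expects exactly one value, got {len(values)}"
    if operator in NO_VALUE and values:
        return f"{operator} takes no values"
    if operator not in NO_VALUE and not values:
        return f"{operator} needs at least one value"
    return None


def make_indicator(field_type, operator, values=(), escaped=False):
    """Build one Indicator object (fieldArr, fieldType, operator, escaped)."""
    values = [str(v) for v in values]  # fieldArr is [String]!, so every value is sent as a string
    problem = indicator_error(field_type, operator, values)
    if problem:
        raise ValueError(problem)
    return {"fieldArr": values, "fieldType": field_type,
            "operator": operator, "escaped": escaped}


def make_aggregation(function, field, name=None):
    """Build one Aggregation object; the default name follows the page's MIN(OpTimeUTC) form."""
    if function not in AGGREGATE_FUNCTIONS:
        raise ValueError(f"unknown AggregateFunction {function!r}")
    return {"aggregateFunction": function, "aggregationField": field,
            "aggregationName": name or f"{function}({field})"}


def build_variables(indicators, aggregations=()):
    """Assemble the searchRecords variables object. Nesting the aggregations list under
    queryParam.aggregations is an assumption about the QueryParam input type."""
    variables = {"indicators": list(indicators)}
    if aggregations:
        variables["queryParam"] = {"aggregations": list(aggregations)}
    return variables


def parse_aggregation_result(result):
    """Map an AggregationResult to (aggregationName, value); aggregateResult is a String,
    so a numeric result such as "1571746744174" is converted back to a number."""
    raw = result["aggregateResult"]
    for convert in (int, float):
        try:
            return result["aggregationName"], convert(raw)
        except ValueError:
            pass
    return result["aggregationName"], raw
```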

DataSourceType

Values
Enum Value Description

endpoint

mta

gwstats

laas

mobile

maasgw

Example
"endpoint"

FieldType

Values
Enum Value Description

OSName

OSVersion

HostType

ProductVersion

MachineName

MachineNameUnique

UserName

DomainName

EPGUID

ModuleVersion

HostIps

HostMacs

fileLocation

fileLineNumber

RecordType

Pid

CreationTime

PidCreationTime

OpTimeLocal

OpTimeUTC

OpTimeSecondsUTC

ProcessDir

ProcessName

ProcessMD5

ParentProcessDir

ParentProcessName

ParentProcessMD5

ProcessArgs

ProcessSigner

ParentProcessSigner

ProcessClassification

ParentProcessClassification

LogSource

ContainerId

ContainerImageId

ContainerImageName

Browser

BrowserVersion

DnsQueryName

DnsResponse

DnsEventId

FileDir

FileName

FileMD5

FileType

FileNewDir

FileNewFileName

FileOpMask

FileSize

FileEntropy

FileSigner

FileContent

OriginalFileClassification

InjectDstPid

InjectDstCreationTime

InjectClassification

InjectDstDir

InjectDstName

InjectHookOperation

NamedObject

NetworkProtocol

NetworkType

NetworkLayer

NetworkDomain

NetworkPath

NetworkQueryString

NetworkHttpMethod

NetworkReferer

NetworkUserAgent

NetworkResponseStatusCode

NetworkSrcIP

NetworkSrcPort

NetworkDestIP

NetworkDestPort

NetworkIsListen

NetworkBytesReceived

NetworkBytesSent

NetworkConnectionStartTime

NetworkConnectionCloseTime

NetworkConnectionDirection

OriginalDomainClassification

OriginalIPClassification

NetworkIsIframe

OriginalURLClassification

NetworkDisplayedUrl

ProcessInvalidSigner

ProcessPPid

ProcessPCreationTime

ProcessPPidCreationTime

ProcessOp

ProcessIntegrityLevel

ProcessLogonSession

ParentProcessIntegrityLevel

ParentProcessArgs

ProcessAccount

ProcessOriginalName

ProcessTrustedSigner

RegistryKey

RegistryValue

RegistryNewData

RegistryOldData

RegistryOpMask

RemoteAttackerMachineName

RemoteOwnerUserName

RemoteOwnerDomainName

RemoteAttackerIpAddress

RemoteIpPort

RemoteLogonType

EventType

LogonOrigin

RemoteStatus

RemoteSubStatus

RemoteStatusDescription

RemoteSubStatusDescription

RemoteEventID

RemoteNumberOfConnections

LogonId

LinkedLogonId

RemoteLastOpTime

RemoteProcessName

LogonAccountType

ScriptData

WmiCommandLine

WmiCreatedProcessId

WmiCreatedProcessCreationTime

WmiAttackerMachineName

WmiVictimDomainName

WmiVictimUserName

WmiClientProcessId

WmiClientProcessCreationTime

WmiIsLocal

WmiCreatedProcessDir

WmiCreatedProcessName

WmiClientProcessDir

WmiClientProcessName

KeyLoggerTargetPID

KeyLoggerTargetCreationTime

KeyLoggerFunctionName

KeyLoggerTargetDir

KeyLoggerTargetName

LnkFileOpMask

LnkFileSize

LnkFileName

LnkFileDir

LnkFileTargetName

LnkFileTargetDir

LnkFileArgs

MitreInfoFrom

MitreInfoTo

MitreInfoContent

PassTheHashSubjectUserName

PassTheHashSubjectDomainName

PassTheHashLogonId

PassTheHashTargetUserName

PassTheHashTargetDomainName

PassTheHashTargetServerName

PassTheHashTargetIpAddress

PassTheHashType

ActivityType

ActivityName

ActivityDetails

ActivityTargetProcessDir

ActivityTargetProcessName

ActivityTargetProcessArgs

ActivityTargetPid

ActivityTargetCreationTime

ActivityTargetArgs

ExecutionType

ExecutionName

ExecutionDetails

ExecutionTargetProcessDir

ExecutionTargetProcessName

ExecutionTargetProcessArgs

ExecutionTargetPid

ExecutionTargetCreationTime

ExecutionRemoteSourceMachine

ExecutionRemoteTargetUserName

ExecutionRemoteTargetUserDomain

UserOperation

UserSID

DetectionIncidentId

DetectionAttackStatus

DetectionEnforcementMode

DetectionMalwareAction

DetectionTriggeredBy

DetectionThirdPartyVendorName

DetectionMalwareFamily

DetectionProtectionName

DetectionProtectionType

DetectionIncidentConfidence

DetectionIncidentSeverity

DetectionAttackTriggerProc

DetectionMaliciousPath

DetectionMaliciousFileDir

DetectionMaliciousFileName

DetectionMaliciousDomainName

DetectionTriggerMD5

DetectionEntryPointProc

DetectionAttackRoot

DetectionCreatingProcDir

DetectionCreatingProcName

DetectionCreatingProcMD5

DetectionCreatingProcSigner

DetectionSuspiciousEvents

WindowsFeatures

DetectionTotalProcs

DetectionUniqueTotalProcs

DetectionUniqueMalProcs

DetectionUniqueSuspProcs

DetectionUniqueUnknownProcs

DetectionUniqueUnsignedProcs

DetectionUniqueScriptProcs

DetectionUniqueWinProcs

DetectionUniqueTotalFiles

DetectionUniqueMalFiles

DetectionUniqueSuspFiles

DetectionUniqueTotalUrls

DetectionUniqueMalUrls

DetectionUniqueSuspUrls

DetectionUniqueUnknownUrls

DetectionUniqueTotalIPs

DetectionUniqueMalIPs

DetectionUniqueSuspIPs

DetectionUniqueUnknownIPs

DetectionPolicyAutoRemidiation

DetectionDescription

DetectionGeneralInfo

DetectionAttackUserDomain

DetectionAttackUserName

DetectionRemediationPolicy

DetectionAttackTree

DetectionCreatingProcPid

DetectionCreatingProcCreationTime

DetectionFirstEPNet

DetectionFirstEPNetType

DetectionFirstEPURLReferrer

DetectionFirstEPFileName

DetectionFirstEPFileHash

DetectionDetermined

DetectionImpersonatedDomain

DetectionImpersonatedType

DetectionImpersonatedBrand

DetectionEmailMsgID

DetectionEmailSubject

DetectionEmailFrom

DetectionEmailTo

DetectionEmailAttachmentName

DetectionEmailEmbeddedURL

DetectionEmailDateOfDelivery

RemoteExecutionSourceIpAddress

RemoteExecutionSourceMachineName

RemoteExecutionDestinationIpAddress

RemoteExecutionSourcePort

RemoteExecutionUserName

RemoteExecutionDomainName

RemoteExecutionDestinationPort

RemoteExecutionUserSID

RemoteExecutionType

RemoteExecutionLogonId

ReputationClassification

ReputationPositives

ReputationTotal

ReputationVTPositives

ReputationRisk

ReputationConfidence

ReputationMalwareFamily

ReputationMalwareTypes

ReputationProtectionName

ReputationRegistrant

ReputationSeverity

EmailAttachments

NetworkURL

EmailURLs

EmailType

EmailFrom

EmailTo

EmailSubject

EmailServerName

EmailMessageId

EmailCC

EmailBCC

id

EmailRecipientsNum

EmailStatus

EmailSourceCountry

EmailSender

ProcessPath

ParentProcessPath

FilePath

KeyLoggerTargetPath

InjectDstPath

WmiCreatedProcessPath

WmiClientProcessPath

LnkFilePath

DomainClassification

URLClassification

FileClassification

FileOp

LnkFileOp

RegistryOp

GatewayBlade

DeviceID

NetworkEventType

Example
"OSName"