Search fields and descriptions

The table in this section lists the Symantec EDR search fields and their descriptions.
Search fields and descriptions
Field name
Type
Description
access_mask_ids
number
The access mask values; an array of one or more of the following: 1: GENERIC_READ, 2: GENERIC_WRITE, 3: GENERIC_EXECUTE, 4: GENERIC_ALL, 5: DELETE, 6: WRITE_DAC, 7: WRITE_OWNER, 8: SYNCHRONIZE, 9: READ_DATA (unix-read), 10: WRITE_DATA (unix-write), 11: APPEND_DATA, 12: READ_EXTENDED_ATTRIBUTES, 13: WRITE_EXTENDED_ATTRIBUTES, 14: EXECUTE (unix-exec), 15: DELETE_CHILD, 16: READ_ATTRIBUTES, 17: WRITE_ATTRIBUTES, 18: READ_CONTROL, 19: ACCESS_SYSTEM_SECURITY, 20: MAX_ALLOWED.
access_scope_id
number
Permitted activity. Values: 1: READ_ONLY, 2: WRITE, 3: OTHER.
action
number
The action that was taken. Values: 0 = Unknown, 1 = Blocked, 2 = Allowed, 3 = No Action, 4 = Logged, 5 = Command Script Run, 6 = Corrected, 7 = Partially Corrected, 8 = Uncorrected, 10 = Delayed - Requires reboot to finish the operation, 11 = Deleted, 12 = Quarantined, 13 = Restored, 14 = Detected, 15 = Terminated.
action_id
number
The action taken with respect to the underlying cause of the event. Values: 1: MONITOR, 0: BLOCK.
actor
string
The name of the group that undertook the targeted attack.
actual_action
string
The string version of the action taken on the risk.
actual_action_idx
number
The ID of the action that was taken on the risk.
actual_permissions
number
The permissions that were granted to the actor process; an array of one or more of the following: 1: TERMINATE (kill), 2: CREATE_THREAD, 3: SET_SESSION_ID, 4: VM_OPERATION, 5: VM_READ, 6: VM_WRITE, 7: DUP_HANDLE, 8: CREATE_PROCESS, 9: SET_QUOTA, 10: SET_INFORMATION, 11: QUERY_INFORMATION, 12: SUSPEND_RESUME, 13: QUERY_LIMITED_INFORMATION, 14: READ_REG (registers), 15: WRITE_REG (registers), 16: PROC_READ, 17: PROC_WRITE, 18: CONTROL, 19: ATTACH.
agent_version
string
The version of the client software.
alert
string
A hard-coded English string for lookup. See below for the possible values.
api_name
string
The API call that is detected.
app_name
string
The full path of the application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death denial-of-service attack does not have an AppName because it attacks the operating system itself. Example: C:/PROGRAM FILES (X86)/GOOGLE/CHROME/APPLICATION/CHROME.EXE.
atp_node_role
number
The role in which the Symantec EDR appliance was configured.
atp_protocol
string
Type of protocol requested.
av.cmd_line_source
number
For command-line detections, the source of the command line.
av.date_detected
date
The threat file detection date.
av.date_quarantined
date
The threat file quarantined date.
av.threat_categories
string
Comma-separated list of threat categories.
bash.bash_data.process_lineage
string
Paths of ancestors of the current process. The first entry is the parent, the second entry is the grandparent, etc.
bash.disposition
number
The decision that BASH reached on the event, extracted from X-Bash-Disposition. Values: 0: Unknown, 1: Good, 2: Suspicious, 3: Bad.
bash.signature_version
string
The SONAR Signature version (e.g., 20110422.001).
bash.virus_id
string
The virus ID for the detection.
bash.virus_name
string
The virus name that is associated with the detection.
categories
string
The event category labels.
category_id
number
The event category id: Unknown (0), Security (1), Licensing (2), System (3), Audit (4), Policy (5).
command_name
string
The name of the command.
command_ref_uid
string
The ID that corresponds to the SEPM command.
command_uid
string
The command script identifier.
composite_id
number
Hardcoded to 2 for unpacking the results array.
confidence
string
The level of confidence. Low confidence indicators are based on automated analysis. High confidence is based on human analysis.
connection.bytes_download
long
The number of bytes downloaded from the source to the destination.
connection.bytes_upload
long
The number of bytes uploaded from the source to the destination.
connection.dst_name
string
The host name of the destination device.
connection.local
Boolean
True if a local connection was made between two endpoints on the same device, that is, src_ip is the same as dst_ip.
connection.protocol_id
number
The network protocol number as defined by RFC1340; for example, 6 (TCP) or 17 (UDP).
connection.src_name
string
The host name of the device that initiated the network connection.
connection.svc_name
string
The service name as defined by IANA, see http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtm.
connection.uid
string
The unique identifier of the connection.
connection_method
number
The connection method for WSS user. Required field if network_scanner_type = 1 (WSS). Values: 0: unknown, 1: roaming, 2: CSP, 3: direct.
correlation_uid
string
The identifier that correlates this event with the other events involved in a suspected attack.
country
string
The country from which the event originated.
customer_uid
string
The customer's unique ID.
cynic.cynic_task_id
string
The task ID that is returned when the file is submitted to Cynic.
cynic.targeted_data.is_targeted
Boolean
Indicates whether the event was determined to be a targeted threat.
cynic.verdict
string
The DMAS verdict for the file.
cynic.verdict_type
number
The type of verdict. Values: 0: FULLANALYSIS, 1: INTELLIGENCE.
data.atp_service.action
string
The action taken on a service, such as started, stopped, or terminated.
data.atp_service.pid
number
PID of the service for which an action was taken.
data.atp_service.service
string
The name of the service on which an action such as started, stopped, or terminated was triggered.
data.db_maintenance.endpoints_purged.device_ip
string
The IP address of the purged endpoint.
data.db_maintenance.endpoints_purged.device_name
string
The hostname of the purged endpoint.
data.db_maintenance.endpoints_purged.device_uid
string
The device UID of the purged endpoint.
data.db_maintenance.endpoints_purged.sep_mid
string
The unique SEP hardware key of the purged endpoint.
data.db_maintenance.endpoints_purged_count
number
The number of endpoints purged.
data.incident_details.incident_uuid
string
Universally unique identifier for an incident.
data.search_config.atp_command_id
string
Command ID to identify the search uniquely.
data.search_config.cmd_type
string
The type of search command. Values: eoc_search, edr_search, fdr_search.
data.sepm_server.db_ip_address
string
The IP address of the SEPM database.
data.sepm_server.db_name
string
The name of the SEPM database.
data.sepm_server.db_port
number
The inbound port of the SEPM database.
data.sepm_server.db_type
string
The type of database: MSSQL or Sybase.
data.sepm_server.enabled
Boolean
Whether the SEPM server is enabled: 1 = True, 0 = False.
data.sepm_server.sepm_name
string
User provided name for SEPM server.
data.sepm_server.status
string
The state of the database server: TRUE = enabled, FALSE = not enabled.
data.sepm_server.user_name
string
The name of the user associated with the SEPM server.
data_direction
number
The direction of the data source. Values: inbound, outbound, internal, pass-through.
data_source_ip
ip
The Source IP from which the file came. Values: IPv4, IPv6.
data_source_url
string
The URL from which the file was downloaded.
data_source_url_domain
string
The domain from which the file was downloaded.
data_source_url_referer
string
The referrer URL that was used in the download.
deepsight_domain
string
The domain reported and listed in Deepsight reputation.
detection_method
string
The detection technology that was used to detect conviction.
device_cap
string
The name of the Symantec EDR appliance node configured during bootstrap.
device_cpu
string
The device processor type (e.g., x86 Family 6 Model 37 Stepping 5). The recommended maximum string length is 64.
device_domain
string
The domain where the device resides, for example, internal.somecompany.com.
device_end_time
date
The end time of an event, used with the aggregation count field. Required if count > 1.
device_ip
ip
The IP address of the device that originated the event. IPv4 or IPv6 format; for endpoint, this is the IP address of the endpoint.
device_ipv6
ip
The IP address of the device that originated the event. IPv6 format; for endpoint, this is the IP address of the endpoint.
device_mac
string
The Media Access Control (MAC) address of the device that originated the event. For endpoint, this is the MAC address of the endpoint.
device_name
string
The name of the device originating the event. For endpoint events, this is the endpoint's name. For conviction events, see appliance_name for the appliance's name.
device_name_md5
string
The MD5 hash of the lower-case device name.
device_networks.ipv4
ip
The IPv4 addresses associated with the device network interface.
device_networks.ipv6
ip
The IPv6 addresses associated with the device network interface.
device_networks.mac
string
The MAC address associated with a particular NIC.
device_os_country
string
The device operating system country code as defined by the ISO 3166-1 standard (Alpha-2 code). The recommended maximum string length is 2.
device_os_lang
string
The language codes are two-letter lowercase ISO language codes (such as 'en') as defined by ISO 639-1. For example: en (English), de (German), fr (French).
device_os_name
string
The name of the OS running on the device that originated the event. Possible values: Windows 7 Home Basic, Mac OS X, iOS, Android.
device_os_type_id
number
The type of the operating system. Values: Unknown=0, Windows=100, Linux=200, Solaris=300, AIX=301, HP-UX=302, Macintosh=400, iOS=500, Android=501, Windows Mobile=502, Other=1001.
device_os_ver
string
The version of the OS running on the device that originated the event. Possible values: Windows: 7, 8.0, 8.1; OS X: 10.4, 10.7.
device_time
date
The timestamp that specifies the time at which the event occurred.
device_type
string
The type of the device that originated the event. Possible values: unknown, server, desktop, laptop, tablet, mobile, virtual, browser, other.
device_uid
string
The unique ID of the device that originated the event. A Symantec EDR-generated GUID used to uniquely identify an endpoint that is sending events to the Symantec EDR appliance.
device_user_idle
Boolean
Indicates if the user was logged on at the time when the event was created.
device_vhost
string
The device virtual host. Values: unknown, none, kvm, hyper_v, qemu, virtualbox, vmware, xen.
direction
string
The direction of the email. Values: I: inbound, O: outbound.
directory.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
directory.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
directory.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
directory.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
directory.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
directory.folder
string
The folder where the object resides.
directory.md5
string
The MD5 checksum of the file.
directory.mime_type
string
The MIME type of the file that is associated with the event.
directory.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
directory.name
string
The human-readable name of the file that is associated with the event.
directory.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
directory.original_name
string
The original name of the file.
directory.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
directory.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
directory.reputation_band
number
A code between 1 and 6 that represents the file's reputation band: Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
directory.security_descriptor
string
The object security descriptor.
directory.sha1
string
The SHA-1 checksum of the file.
directory.sha2
string
The SHA256 checksum of the file.
directory.signature_company_name
string
The name of the company on the certificate.
directory.signature_issuer
string
The issuer of the signature.
directory.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
directory.signature_serial_number
string
The signature serial number.
directory.signature_value_ids
number
directory.size
number
The size of the file in bytes. Type is 64-bit long.
directory.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3: LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
directory.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
directory_result.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17
directory_result.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
directory_result.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
directory_result.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
directory_result.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
directory_result.folder
string
The folder where the object resides.
directory_result.md5
string
The MD5 checksum of the file.
directory_result.mime_type
string
The MIME type of the file that is associated with the event.
directory_result.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
directory_result.name
string
The human-readable name of the file that is associated with the event.
directory_result.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
directory_result.original_name
string
The original name of the file.
directory_result.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
directory_result.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
directory_result.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
directory_result.security_descriptor
string
The object security descriptor.
directory_result.sha1
string
The SHA-1 checksum of the file.
directory_result.sha2
string
The SHA256 checksum of the file.
directory_result.signature_company_name
string
The name of the company on the certificate.
directory_result.signature_issuer
string
The issuer of the signature.
directory_result.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
directory_result.signature_serial_number
string
The signature serial number.
directory_result.signature_value_ids
number
directory_result.size
number
The size of the file in bytes. Type is 64-bit long.
directory_result.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3: LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
directory_result.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
domain_name
string
The domain name of the client computer at the time of the alert.
domain_threat_data.behavior
string
One of five behaviors: Attacks, Malware, CnC, Fraud, Phishing.
domain_threat_data.behavior_details.category
string
The behavior category.
domain_threat_data.behavior_details.description
string
The description of the attack. Present only for the Attack behavior.
domain_threat_data.behavior_details.name
string
The name of the behavior: an attack name, CnC name, or malware name; for example, Mass Iframe Injection Attack. Fraud and Phishing have no name.
domain_threat_data.behavior_details.urls.url
string
The malicious URL on the domain.
domain_threat_data.confidence
number
Confidence that the listing is correct. Values range from 1 to 5, with higher values representing more confidence in the listing.
domain_threat_data.consecutive_listings
number
The number of days the domain was listed in sequence. The value is capped at 90.
domain_threat_data.first_seen
string
The first day the domain was listed on Deepsight reputation URL feed.
domain_threat_data.hostility
number
Values range from 1 to 5, with higher values representing a more hostile item. 0 means that no data was provided by Deepsight.
domain_threat_data.ips_domain_hosted.address
string
IP address on which the domain is hosted.
domain_threat_data.ips_domain_hosted.anonymizer_status
string
Indicates whether the IP has been or is being used as a proxy. Possible values include: NULL, suspect, active, private, accessible, inactive.
domain_threat_data.ips_domain_hosted.carrier
string
Carrier/ISP name where the IP is located.
domain_threat_data.ips_domain_hosted.city
string
The city in which the IP is located.
domain_threat_data.ips_domain_hosted.country
string
The country in which the IP is located.
domain_threat_data.ips_domain_hosted.ip_routing
string
The IP routing type for the IP. Possible values include: proxy cache, satellite, aol, regional proxy, fixed, superpop, mobile gateway, and pop.
domain_threat_data.ips_domain_hosted.ip_version
number
The IP version of the address; the value 4 denotes IPv4.
domain_threat_data.ips_domain_hosted.latitude
string
The latitude of the location of the IP.
domain_threat_data.ips_domain_hosted.longitude
string
The longitude of the location of the IP.
domain_threat_data.ips_domain_hosted.organization
string
The organization that owns the IP address.
domain_threat_data.ips_domain_hosted.organization_type
string
The type of the organization that owns the IP address.
domain_threat_data.ips_domain_hosted.postal_code
string
The postal code where the IP is located.
domain_threat_data.ips_domain_hosted.proxy_last_detected
string
The last date the proxy was detected as a private proxy.
domain_threat_data.ips_domain_hosted.proxy_level
string
Lists the IP as one of the following: anonymous, distorting, elite, transparent.
domain_threat_data.ips_domain_hosted.proxy_type
string
Lists the IP as one of the following types: http, service, socks, socks http, tor, unknown, web.
domain_threat_data.ips_domain_hosted.state
string
The state in which the IP is located.
domain_threat_data.last_seen
string
The last day the domain was listed on Deepsight reputation URL feed.
domain_threat_data.listing_ratio
number
The number of days the domain was listed in the past 90 days regardless of sequence.
domain_threat_data.reputation
number
A value from 1 to 10, with higher values representing a worse reputation.
domain_uid
string
The Domain unique ID.
dynacat
number
The subcategory for the risk threat.
edr_data_protocols
string array
Data protocols used by the connection session.
edr_files
string array
Files transferred in the connection session.
email_action
string
The email action. Values: blocked, delivered or released from quarantine.
email_alert
boolean
Specifies whether an email alert is sent.
email_received_date
date
The time when the email was received by the MTA.
email_subject
string
The email subject.
end_time
date
For aggregate events, the device_end_time adjusted to the server clock.
enriched_data.category_id
number
The unique ID of the category to which this event belongs. The policy that controls which events are uploaded is based on the category.
enriched_data.category_name
string
The short, descriptive name for the category.
enriched_data.event_group_id
string
A unique ID that can be used to join multiple events that are sent up by a single firing of a single rule. For example, the three events that make up a suspicious tri-gram will be associated with a unique EventGroupID.
enriched_data.extra_numeric_info.key_name
string
enriched_data.extra_numeric_info.value
number
enriched_data.extra_string_info.key_name
string
enriched_data.extra_string_info.value
string
enriched_data.rule_description
string
A description, if provided, for the source rule that generated this enrichment record.
enriched_data.rule_id
number
The unique ID for the source rule that generated this enrichment record. This ID is generated by the rule compiler.
enriched_data.rule_name
string
The unique name for the source rule that generated this enrichment record.
eoc_query
string
A free-form object that describes the EOC query request.
error_code
string
The error code.
event_actor.app_name
string
A label that may be associated with this process. For example, the name of the containment sandbox that is assigned to the process or, for login detection events, the login application (ssh, telnet, sql server, etc.).
event_actor.cmd_line
string
The command line that was used to launch the process.
event_actor.file.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
event_actor.file.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
event_actor.file.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
event_actor.file.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
event_actor.file.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
event_actor.file.folder
string
The folder where the object resides.
event_actor.file.md5
string
The MD5 checksum of the file.
event_actor.file.mime_type
string
The MIME type of the file that is associated with the event.
event_actor.file.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
event_actor.file.name
string
The human-readable name of the file that is associated with the event.
event_actor.file.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
event_actor.file.original_name
string
The original name of the file.
event_actor.file.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
event_actor.file.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
event_actor.file.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
event_actor.file.security_descriptor
string
The object security descriptor.
event_actor.file.sha1
string
The SHA-1 checksum of the file.
event_actor.file.sha2
string
The SHA256 checksum of the file.
event_actor.file.signature_company_name
string
The name of the company on the certificate.
event_actor.file.signature_issuer
string
The issuer of the signature.
event_actor.file.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
event_actor.file.signature_serial_number
string
The signature serial number.
event_actor.file.signature_value_ids
number
event_actor.file.size
number
The size of the file in bytes. Type is 64-bit long.
event_actor.file.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3: LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
event_actor.file.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
event_actor.integrity_id
number
The process integrity level (Windows only).
event_actor.loaded_modules
string
An array of loaded module names (DLL).
event_actor.module.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
event_actor.module.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
event_actor.module.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
event_actor.module.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
event_actor.module.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
event_actor.module.folder
string
The folder where the object resides.
event_actor.module.md5
string
The MD5 checksum of the file.
event_actor.module.mime_type
string
The MIME type of the file that is associated with the event.
event_actor.module.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
event_actor.module.name
string
The human-readable name of the file that is associated with the event.
event_actor.module.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
event_actor.module.original_name
string
The original name of the file.
event_actor.module.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
event_actor.module.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
event_actor.module.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
event_actor.module.security_descriptor
string
The object security descriptor.
event_actor.module.sha1
string
The SHA-1 checksum of the file.
event_actor.module.sha2
string
The SHA256 checksum of the file.
event_actor.module.signature_company_name
string
The name of the company on the certificate.
event_actor.module.signature_issuer
string
The issuer of the signature.
event_actor.module.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
event_actor.module.signature_serial_number
string
The signature serial number.
event_actor.module.signature_value_ids
number
event_actor.module.size
number
The size of the file in bytes. Type is 64-bit long.
event_actor.module.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3: LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
event_actor.module.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
event_actor.pid
number
The process unique identifier, as reported by the operating system.
event_actor.session_id
number
The user session ID from which the process was launched (Windows only).
event_actor.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
event_actor.start_time
date
The time the process started.
event_actor.tid
number
The identifier of the thread that is associated with the event.
event_actor.uid
string
The unique identifier of the process.
event_actor.user.domain
string
The domain where the user is defined. For example, the LDAP or Active Directory domain.
event_actor.user.groups
string
A string array of the administrative groups to which the user belongs.
event_actor.user.is_present
Boolean
Indicates if the user is logged on at the console.
event_actor.user.logon_name
string
The name of the authenticated principal that is associated with the event. If the event originates from a feature on a computer, the logon_name is the name of the user that the software feature is running as, for example, root or admin. If the event originates from a mobile device, the logon_name is the user name reported by the OS.
event_actor.user.name
string
The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
event_actor.user.sid
string
The user security identifier.
event_actor.xattributes.is_trusted
Boolean
True for trusted processes.
event_actor.xattributes.symc_injected
Boolean
True when Symantec EDR is able to inject into the process.
event_desc
string
A description of the event. The first line of the description is usually treated as a summary. Example: [SID: 28274] Audit: Weak Export Cipher Suite attack.
event_id
number
The event ID as reported by SEP Security Log.
external_ip
ip
external_port
string
The port number that is identified as the target port in packets that were sent to the target device.
feature_name
string
The feature that originated the event.
file.accessed
date
The threat file last accessed date.
file.app_name
string
Application name.
file.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
file.company_name
string
The company name.
file.created
date
The threat file creation date.
file.desc
string
The file type (text, exe, etc.).
file.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
file.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
file.folder
string
The folder where the file resides.
file.md5
string
The MD5 checksum of the file.
file.mime_type
string
The MIME type of the file that is associated with the event.
file.modified
date
The threat file modified date.
file.name
string
The name of the file.
file.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
file.original_name
string
The original name of the file.
file.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
file.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
file.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
file.scanner
string
The name of the scanner that detected the malware.
file.security_descriptor
string
The object security descriptor.
file.sha1
string
The SHA-1 checksum of the file.
file.sha2
string
The SHA256 checksum of the file.
file.signature_company_name
string
The name of the company on the certificate.
file.signature_issuer
string
The issuer of the signature.
file.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
file.signature_serial_number
string
The signature serial number.
file.signature_value_ids
number
file.size
number
The size of the file, in bytes.
file.targeted_attack
Boolean
Indicates whether the event was determined to be a targeted attack.
file.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3:LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
file.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
file.url
string
URL from where the file was downloaded.
file.url_domain
string
The domain of the URL from which the file was downloaded.
file.version
string
The application file version.
file_result.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
file_result.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
file_result.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
file_result.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
file_result.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
file_result.folder
string
The folder where the object resides.
file_result.md5
string
The MD5 checksum of the file.
file_result.mime_type
string
The mimetype of the file that is associated with the event.
file_result.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
file_result.name
string
The human-readable name of the file that is associated with the event.
file_result.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
file_result.original_name
string
The original name of the file.
file_result.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
file_result.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
file_result.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
file_result.security_descriptor
string
The object security descriptor.
file_result.sha1
string
The SHA-1 checksum of the file.
file_result.sha2
string
The SHA256 checksum of the file.
file_result.signature_company_name
string
The name of the company on the certificate.
file_result.signature_issuer
string
The issuer of the signature.
file_result.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
file_result.signature_serial_number
string
The signature serial number.
file_result.signature_value_ids
number
file_result.size
number
The size of the file in bytes. Type is 64-bit long.
file_result.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3:LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
file_result.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
first_seen
date
The time the URL was first observed to be infected. This is expressed in UTC.
group_id
number
WSS Group ID, corresponding to column PolicyGroupAssignmentID of WSS WebScannerEventLog table.
hid_level
number
The cumulative risk rating of the threat as defined by the Foresight policy.
host_name
string
The host name of the client computer.
id
number
The event id uniquely identifies the event within the type classification.
infected
Boolean
Indicates whether the customer computer is infected.
injection_type_id
number
The injection type ID. Values: 0: Unknown, 1: Remote Thread, 2: Accessibility APIs, 3: Process Manipulation APIs.
internal_hostname
string
The hostname of the internal device or computer that is used for the connection.
internal_ip
ip
The IP address of the internal device or computer that is used for the connection.
internal_port
string
The port number of the internal device or computer that is used for the connection.
intrusion.attacker_local_remote
string
The direction of the attack. Values: 0: unknown, 1: local, 2: remote.
intrusion.date_detected
date
The time when the Intrusion Prevention System ping was detected.
intrusion.detail_id
string
The signature sub-identifier.
intrusion.protocol_id
string
The layer 4 Protocol. Values: TCP, UDP, ICMP.
intrusion.signature_properties
string
The signature properties as specified in the metadata.
intrusion_url
string
The URL from which a malicious script was loaded. Internet Browser Protection uses this URL. Example: www.eicar.org/download/eicar.com.txt
is_targeted
Boolean
Indicates whether the attack was targeted.
kernel.name
string
The name of the kernel resource.
kernel.type_id
number
The type of the object. Values: 0: Unknown, 1: MUTEX, 2: SYSTEM_CALL.
last_seen
date
The time the URL was last observed to be infected. This is expressed in UTC.
link_following.origin_url
string
The origin URL link that was found in the email.
link_following.redirect_urls.redirect_url
string
The redirect URL.
link_following.redirect_urls.url_type
string
The type of redirect link, e.g. javascript, html.
local_host_mac
string
The MAC address of the local computer.
location.city
string
The city in which the external IP is located.
location.country
string
The country in which the external IP is located.
log_name
string
The name of the log (database, index, archive, etc.) where the event was logged (written) by the Event service. Use this attribute as an opaque value.
log_time
date
The time the event was logged by the event service. While this is a required field, it is added by the event service so any value provided will be overwritten.
malware
string
The name of the malware being used.
manual_submit
Boolean
A user-generated DMAS submission.
message
string
An event message or description of the event.
message_id
string
The unique ID of the email message.
mitre.tactic
string
The tactic that was used in the attack, based on MITRE's ATT&CK model.
Possible values are:
  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection
  • Exfiltration
  • Command and control
mitre.technique_id
string
This string is the letter "T" followed by a four-digit number. The four-digit number is the technique identification number as defined by MITRE's Technique_Matrix for the technique that was used in the attack.
Click on the identification number hyperlink to go to the MITRE webpage that provides more detailed information about the technique.
mitre.technique_name
string
The technique that was used in the attack based on MITRE's Technique_Matrix. This field is a hyperlink that goes to the same webpage as mitre.technique_id.
network_protocol
number
The network protocol as reported by SEP.
network_scanner_type
number
The type of network scanner that detected the event. Values: 0 for the Symantec EDR on-prem scanner, 1 for the WSS cloud scanner. If this field is missing, the event came from the Symantec EDR scanner.
no_of_viruses
number
The number of events for the aggregated event record. This number can be due to client-side aggregation, server-side compression, or both.
on_premises
Boolean
Specifies whether the event was received from an on-premises SEPM or from SEPM Cloud.
open_mode
Boolean
The mode in which the file was opened. Values: R: false, W: true.
operation
number
The event ID. Values: 1: CREATE, 2: READ, 3: DELETE.
org_unit_uid
string
The unique identifier for the organizational unit associated with an event or action.
orig_message_header_id
string
The message header ID.
parent_file_sha2
string
The SHA256 checksum of the parent file.
ping_submit
Boolean
Indicates that PING data is submitted to STAR when the ping_submit flag is set.
process.app_name
string
A label that may be associated with this process. For example, the name of the containment sandbox that is assigned to the process or, for login detection events, the login application (ssh, telnet, sql server, etc.).
process.cmd_line
string
The command line that was used to launch the process.
process.file.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
process.file.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
process.file.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
process.file.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
process.file.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
process.file.folder
string
The folder where the object resides.
process.file.md5
string
The MD5 checksum of the file.
process.file.mime_type
string
The mimetype of the file that is associated with the event.
process.file.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
process.file.name
string
The human-readable name of the file that is associated with the event.
process.file.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
process.file.original_name
string
The original name of the file.
process.file.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
process.file.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
process.file.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
process.file.security_descriptor
string
The object security descriptor.
process.file.sha1
string
The SHA-1 checksum of the file.
process.file.sha2
string
The SHA256 checksum of the file.
process.file.signature_company_name
string
The name of the company on the certificate.
process.file.signature_issuer
string
The issuer of the signature.
process.file.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
process.file.signature_serial_number
string
The signature serial number.
process.file.signature_value_ids
number
process.file.size
number
The size of the file in bytes. Type is 64-bit long.
process.file.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3:LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
process.file.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
process.integrity_id
number
The process integrity level (Windows only).
process.loaded_modules
string
A string array of loaded module names (DLLs).
process.module.attribute_ids
number
An integer array that contains one or more of the following file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
process.module.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
process.module.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
process.module.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
process.module.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
process.module.folder
string
The folder where the object resides.
process.module.md5
string
The MD5 checksum of the file.
process.module.mime_type
string
The mimetype of the file that is associated with the event.
process.module.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
process.module.name
string
The human-readable name of the file that is associated with the event.
process.module.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
process.module.original_name
string
The original name of the file.
process.module.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
process.module.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
process.module.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
process.module.security_descriptor
string
The object security descriptor.
process.module.sha1
string
The SHA-1 checksum of the file.
process.module.sha2
string
The SHA256 checksum of the file.
process.module.signature_company_name
string
The name of the company on the certificate.
process.module.signature_issuer
string
The issuer of the signature.
process.module.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
process.module.signature_serial_number
string
The signature serial number.
process.module.signature_value_ids
number
process.module.size
number
The size of the file in bytes. Type is 64-bit long.
process.module.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3:LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
process.module.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
process.pid
number
The process unique identifier, as reported by the operating system.
process.session_id
number
The user session ID from which the process was launched (Windows only).
process.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
process.start_time
date
The time the process started.
process.tid
number
The identifier of the thread that is associated with the event.
process.uid
string
The unique identifier of the process.
process.user.domain
string
The domain where the user is defined. For example, the LDAP or Active Directory domain.
process.user.groups
string
A string array of administrative groups the user belongs to.
process.user.is_present
Boolean
Indicates if the user is logged on at the console.
process.user.logon_name
string
The name of the authenticated principal that is associated with the event. If the event originates from a feature on a computer, the logon_name is the name of the user that the software feature is running as, for example, root or admin. If the event originates from a mobile device, the logon_name is the user name reported by the OS.
process.user.name
string
The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
process.user.sid
string
The user security identifier.
process.xattributes.is_trusted
Boolean
True for trusted processes.
process.xattributes.symc_injected
Boolean
True when Symantec EDR is able to inject into the process.
protocol
number
The protocol of this network connection. Values: 0: unknown, 1: HTTP, 2: HTTPS, 3: FTP.
reason
number
The reason why file was blocked. Values: 0: BY_FILE_DENYLIST_SHA2, 1: BY_FILE_DENYLIST_MD5.
receivers.delivered
Boolean
Indicates whether the email was delivered to the Enterprise mail server.
receivers.email_address
string
The receiver's email address.
receivers.internal
Boolean
Indicates whether the sender is within the Enterprise or not.
receivers.released_from_quarantine
Boolean
Indicates whether this user released this email from the quarantine storage.
ref_uid
string
The original message or event identifier that was used to record the event. For example, the Windows Event Log event ID, the SEPM event UID, or the SYSLOG msgid.
reg_key.path
string
The full path to the registry key.
reg_key.security_descriptor
string
The security descriptor of the registry key.
reg_key_result.path
string
The full path to the registry key.
reg_key_result.security_descriptor
string
The security descriptor of the registry key.
reg_value.data
string
The data of the registry value; treated as PII for values that are known to contain PII. Binary data is encoded as a hex string.
reg_value.is_default_value
Boolean
Indicates that the value is from a default value name, i.e. the value name is missing.
reg_value.name
string
The name of the registry value.
reg_value.path
string
The full path to the registry value.
reg_value.type_id
number
The Windows-defined value type, as defined in winnt.h. Possible values: 0:REG_NONE, 1:REG_SZ, 2:REG_EXPAND_SZ, 3:REG_BINARY, 4:REG_DWORD, 5:REG_DWORD_BIG_ENDIAN, 6:REG_LINK, 7:REG_MULTI_SZ, 8:REG_RESOURCE_LIST, 9:REG_FULL_RESOURCE_DESCRIPTOR, 10:REG_RESOURCE_REQUIREMENTS_LIST, 11:REG_QWORD.
reg_value_result.data
string
The data of the registry value; treated as PII for values that are known to contain PII. Binary data is encoded as a hex string.
reg_value_result.is_default_value
Boolean
Indicates that the value is from a default value name, i.e. the value name is missing.
reg_value_result.name
string
The name of the registry value.
reg_value_result.path
string
The full path to the registry value.
reg_value_result.type_id
number
The Windows-defined value type, as defined in winnt.h. Possible values: 0:REG_NONE, 1:REG_SZ, 2:REG_EXPAND_SZ, 3:REG_BINARY, 4:REG_DWORD, 5:REG_DWORD_BIG_ENDIAN, 6:REG_LINK, 7:REG_MULTI_SZ, 8:REG_RESOURCE_LIST, 9:REG_FULL_RESOURCE_DESCRIPTOR, 10:REG_RESOURCE_REQUIREMENTS_LIST, 11:REG_QWORD.
registration.city
string
The city where the domain was registered.
registration.country
string
The country where the domain was registered.
registration.create_date
string
The date on which the domain was registered.
registration.email
string
Email address of the person who registered the domain reported by the event.
registration.organization
string
The organization that registered the domain reported by the event.
registration.person
string
Name of the person who registered the domain reported by the event.
registration.state
string
The state where the domain was registered.
registration.update_date
string
The date on which the registration of domain was updated.
remediated
Boolean
Indicates whether the event was remediated.
For actions taken on endpoints running the Windows operating system, this field is blank. For endpoints running the Mac operating system, this field reflects the result of the remediation action.
remediation
string
An English statement describing how to fix the issue, if applicable. For example, if it is a certificate-invalid error for a server, the server certificate needs to be updated from its configuration page.
remote_host_mac
string
The MAC address of the remote computer.
request_source
string
Indicates where the requested hash or file comes from. The default (empty) value means the request comes from Symantec EDR file_inspection.
requested_permissions
number
The permissions requested by the actor process; an array of one or more of the following: 1: TERMINATE (kill), 2: CREATE_THREAD, 3: SET_SESSION_ID, 4: VM_OPERATION, 5: VM_READ, 6: VM_WRITE, 7: DUP_HANDLE, 8: CREATE_PROCESS, 9: SET_QUOTA, 10: SET_INFORMATION, 11: QUERY_INFORMATION, 12: SUSPEND_RESUME, 13: QUERY_LIMITED_INFORMATION, 14: READ_REG (registers), 15: WRITE_REG (registers), 16: PROC_READ, 17: PROC_WRITE, 18: CONTROL, 19: ATTACH.
result
number
The result after the command was executed. Values: 1: COMPLETED, 2: PARTIALLY COMPLETED, 3: REQUESTED FILE DOES NOT EXIST, 4: EXECUTION FAILED, 5: UNSUPPORTED.
rule_id
string
The Symantec EDR rule identifier for the endpoint deny list and allow list.
rule_name
string
Application and Device Control rule name.
rule_version
number
The Symantec EDR rule version for the endpoint deny list and allow list.
sandbox_service
string
The sandboxing service used for suspicious file analysis. This could be either the Symantec Cynic Cloud service or BlueCoat on-prem Malware Analysis appliance.
scan.signatures_version
string
The DefSet version.
scan_type
string
A hard-coded English string that is used as a lookup key for scan types.
scanner_name
string
The name of the endpoint device conducting a scan.
sender.email_address
string
The sender's email address.
sender.internal
Boolean
Indicates whether the sender is within the Enterprise or not.
sender.sender_ip
ip
The sender's IP address.
service.file.attribute_ids
number
An integer array of one or more service file attributes: Archive=1, Compressed=2, Directory=3, Encrypted=4, Hidden=5, Normal=6, Offline=7, Read only=8, Reparse Point=9, Sparse File=10, System=11, Temporary=12, Not Content Indexed=13, Block Special=14, Character Special=15, Executable=16, Driver=17.
service.file.created
date
The time that the object was created, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
service.file.desc
string
The description of the file, as returned by the file system. For example, the description as returned by the Unix command or the Windows file type.
service.file.family_id
number
Top level classification of file type. Values: 0=Unknown, 1=Application, 2=Binary, 3=Audio, 4=Image, 5=Video.
service.file.file_age
number
A code between 1 and 4 that represents the file's global age defined by the time the file was first reported to Mr. Clean: Years ago=1, Months ago=2, Weeks ago=3, Days ago=4.
service.file.folder
string
The folder where the object resides.
service.file.md5
string
The MD5 checksum of the file.
service.file.mime_type
string
The mimetype of the file that is associated with the event.
service.file.modified
date
The time when the file was last modified, expressed as the number of milliseconds since 01 01 1970 00:00:00 UTC.
service.file.name
string
The human-readable name of the file that is associated with the event.
service.file.normalized_path
string
The CSIDL normalized path name; for example, CSIDL_SYSTEM\svchost.exe.
service.file.original_name
string
The original name of the file.
service.file.path
string
The full path to the object; for example, c:\windows\system32\svchost.exe.
service.file.prevalence_band
number
A code between 1 and 8 that represents the file's prevalence band: Less than 5 users=1, Less than 50 users=2, Less than 100 users=3, Hundreds of users=4, Thousands of users=5, Tens of thousands of users=6, Hundreds of thousands of users=7, Millions of users=8.
service.file.reputation_band
number
A code between 1 and 6 that represents the file's reputation band. Symantec Trusted=1, Good=2, Trending Good=3, Unproven=4, Poor=5, Untrusted=6.
service.file.security_descriptor
string
The object security descriptor.
service.file.sha1
string
The SHA-1 checksum of the file.
service.file.sha2
string
The SHA256 checksum of the file.
service.file.signature_company_name
string
The name of the company on the certificate.
service.file.signature_issuer
string
The issuer of the signature.
service.file.signature_level_id
number
A numeric representation of the signature level, as defined by STAR.
service.file.signature_serial_number
string
The signature serial number.
service.file.signature_value_ids
number
service.file.size
number
The size of the file in bytes. Type is 64-bit long.
service.file.type_id
number
The type of the object. Values: 1: FILE, 2: DIRECTORY, 3:LINK, 4: MOUNT, 5: NODE, 6: SYMLINK, 7: NAMED_PIPE, 8: SOCKET, 9: DEVICE.
service.file.uid
string
The file unique identifier as defined by the storage system. For example, the file system file ID.
service.loaded_module_name
string
The name of the loaded module.
service.name
string
The unique name of the service.
service.reg_path
string
The registry path of the service.
service.run_state_id
number
The current running state of service. Values: Unknown=0 (The service type is unknown), Stopped=1 (Service is not running), Start Pending=2 (The service is starting), Stop Pending=3 (The service is stopping), Running=4 (The service is running), Continue Pending=5 (The service continue is pending), Pause Pending=6 (The service pause is pending), Paused=7 (The service is paused).
service.start_id
number
The start type of the service. Values: Unknown=0 (The service startup is unknown), Auto=1 (A service started automatically by the service control manager during system startup), Boot=2 (A device driver started by the system loader. This value is valid only for driver services), Demand=3 (A service started by the service control manager when a process calls the StartService function), System=4 (A device driver started by the IoInitSystem function. This value is valid only for driver services), Disabled=5 (The service is disabled).
service.type_id
number
The type of service. Values: Unknown=0 (The service type is unknown), Adapter=1 (Adapter service), File System Driver=2 (The service is a file system driver), Kernel Driver=3 (The service is a device driver), Recognized Driver=4 (Recognized driver), Own Process=5 (The service runs in its own process), Shared Process=6 (The service shares a process with other services), Interactive Service=7 (The service can interact with the desktop), Other=8 (Unix or OS X service).
service.type_ids
number
Array of service types. Values: 0: Unknown, 1: Adapter, 2: File System Driver, 3: Kernel Driver, 4: Recognized Driver, 5: Own Process, 6: Shared Process, 7: Interactive Service, 8: Other.
session.admin
Boolean
True for admin/root sessions.
session.id
number
The unique session identifier, as reported by the operating system. Until the user logs off, the session identifier uniquely identifies the session.
session.remote
Boolean
True for remote sessions.
session.user.domain
string
The domain where the user is defined. For example, the LDAP or Active Directory domain.
session.user.groups
string
A string array listing the groups that the user belongs to.
session.user.is_present
Boolean
Indicates if the user is logged on at the console.
session.user.logon_name
string
The name of the authenticated principal that is associated with the event. If the event originates from a feature on a computer, the logon_name is the name of the user that the software feature is running as, for example, root or admin. If the event originates from a mobile device, the logon_name is the user name reported by the OS.
session.user.name
string
The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
session.user.sid
string
The user security identifier.
severity
number
The seriousness of the event. 0 is most serious.
severity_id
number
The importance of the event. Default value is 1.
sha256
string
The SHA256 checksum of the malicious file.
sid
string
The NDC signature ID. SID is parsed out of the event_desc.
signature_id
string
The ID of the NDC signature.
signature_name
string
The signature name that is associated with the signature_id.
silent
Boolean
Event details are not sent to Telemetry, Syslog, or Email if the silent flag is set.
source
number
The party who defines the information that Symantec EDR uses to determine whether traffic is suspicious. Values: 0: CUSTOMERSUPPLIED, 1: Symantec deny list.
source_ip
ip
source_port
number
The remote (attacker) port number.
status_code
number
Whether the endpoint successfully received the command. Values: Submitted=1, Queued=2, Started=3, Cancel_Requested=4, Completed=5, Cancelled=6, Error=7.
status_detail
string
A string representing the type of failure that may have occurred. For example, service_failure, service_unavailable, network_error, certificate_error, sw_update_error, internal_error, protected_not_remediated (Mac OS only), etc.
status_exception
string
The low-level exception message, if available.
status_id
number
The overall success or failure of the action reported by the event. Values: [0] UNKNOWN, [1] SUCCESS, [2] FAILURE.
status_stack_trace
string
The exception stack trace, if available.
symc_device_action
number
The actual action taken on the risk on the endpoint. Possible values are 1: Blocked, 2: Detected.
taa_ip
string
The IP address from Network Indicator.
taa_title
string
The title from Network Indicator. This matches the NDC signature name.
taa_url
string
The URL from Network Indicator.
target_ip
ip
target_port
number
The local (victim) port number.
targeted_attack_type
string
The type of conviction that was detected.
threat.category
string
The malware category as detected by the scanning engine.
threat.category_id
number
The virus category ID as reported by the scanning engine.
threat.detection_engine
string
The detection engine category reported by the scanning engine.
threat.id
number
The virus ID.
threat.name
string
The virus name as reported by the scanning engine.
threat.quarantine_id
string
Internal reference that is used by the Virus Release process.
threat.risk
number
The cumulative risk rating.
time
date
The event occurrence date and time (device_time) that is adjusted to the event service server clock.
timezone
number
The timezone offset in minutes. For UTC this will always be 0.
traffic_direction
number
The direction of the network traffic. Values: 0: unknown, 1: inbound, 2: outbound.
ttl
number
The number of hours starting at firstSeen that this URL should be considered infected.
type
string
A string token that describes the event. For instance, eoc_scan_results, event_query_results, etc.
type_id
number
The type ID. For instance: 4096.
user_domain
string
The domain where the user is defined. For example, the LDAP or Active Directory domain.
user_id
string
The WSS end user ID. The LDAP user name in the format of DOMAIN\UserName; it corresponds to the UserID column of the WSS WebScannerEventLog table.
user_name
string
The user name or ID that originated or caused the event.
user_sid
string
The user security identifier.
user_uid
string
The unique ID of the user that originated or caused the event or the user on whose behalf the event occurred. Usually, the unique ID of a user object defined in the asset service.
uuid
string
A unique (within an event type) ID that identifies events within a single event type.
virus_def
string
The version number for this content.
virus_name
string
The name of the virus.
vlan_id
number
The unique ID for the VLAN on which the event took place.