Process Detection Event

Process Detection events report the detection and resolution of process threats or policy violations.
Name | Attribute | Group | Requirement | Type | Description
Event ID | event_id | Classification | Reserved | Integer | The event ID identifies the event's semantics, structure and outcome.
    8027000 | Process Detection: Unknown | Disposition is unknown.
    8027001 | Process Detection: Blocked | Action was blocked, with no further remediation. For example: process terminated.
    8027002 | Process Detection: Allowed | Action was allowed. Exception/Exclusion created by admin.
    8027003 | Process Detection: No Action | Remediation action failed.
    8027004 | Process Detection: Logged | Logged only. No action taken.
    8027005 | Process Detection: Command Script Run | Event triggered a script to run in response to the detection. For example, the script mitigated the threat or launched a forensic investigation automatically.
    8027006 | Process Detection: Corrected | Repaired. For example: cleaned.
    8027007 | Process Detection: Partially Corrected | Partially repaired.
    8027008 | Process Detection: Uncorrected | Still infected.
    8027010 | Process Detection: Delayed | Requires reboot to finish the operation. Deprecated.
    8027011 | Process Detection: Deleted | Cleaned by deletion.
    8027012 | Process Detection: Quarantined | Moved to Quarantine.
    8027013 | Process Detection: Restored | Released from Quarantine.
    8027014 | Process Detection: Detected | Finding is pending analysis.
    8027015 | Process Detection: Terminated | Process ended.
Severity | severity_id | Classification | Required | Integer | The severity of the event.
    0 | Unknown | The event severity is not known.
    1 | Informational | Purely informational. No action needed.
    2 | Warning | The user decides if action is needed.
    3 | Minor | Action is required but the situation is not serious at this time.
    4 | Major | Action is required immediately.
    5 | Critical | Action is required immediately and the scope is broad.
    6 | Fatal | An error occurred but it is too late to take remedial action.
Version | version | Classification | Required | String | The event type version, in the form major.minor. For example: 1.7. Event consumers use the version to determine what the event attributes represent.
Type | type_id | Classification | Required | Integer | The event type.
    8027 | Process Detection | Process Detection events report the detection and resolution of process threats or policy violations.
Category | category_id | Classification | Required | Integer | The event type category.
    1 | Security
Type String (Ext) | type | Classification | Optional | String | The event type.
Disposition | id | Classification | Required | Integer | The outcome of the event.
    0 | Unknown | Disposition is unknown.
    1 | Blocked | Action was blocked, with no further remediation. For example: process terminated.
    2 | Allowed | Action was allowed. Exception/Exclusion created by admin.
    3 | No Action | Remediation action failed.
    4 | Logged | Logged only. No action taken.
    5 | Command Script Run | Event triggered a script to run in response to the detection. For example, the script mitigated the threat or launched a forensic investigation automatically.
    6 | Corrected | Repaired. For example: cleaned.
    7 | Partially Corrected | Partially repaired.
    8 | Uncorrected | Still infected.
    10 | Delayed | Requires reboot to finish the operation. Deprecated.
    11 | Deleted | Cleaned by deletion.
    12 | Quarantined | Moved to Quarantine.
    13 | Restored | Released from Quarantine.
    14 | Detected | Finding is pending analysis.
    15 | Terminated | Process ended.
Operation | operation | Primary | Optional | String | The OS operation that initiated the event; for example, "CreateRemoteThread" or "NtUserSetWinEventHook".
Attacks (Ext) | attacks | Primary | Optional | Attack Array | The array of attacks that are associated with the event.
Resource Registry Key | resource_reg_key | Primary | Recommended | Registry Key | The registry key that was the target of suspicious or malicious activity by the event actor process.
Resource Type | resource_type | Primary | Recommended | String | The type of the target of suspicious or malicious activity by the event actor process.
Actual Permissions (Ext) | actual_permissions | Primary | Optional | Integer Array | The permissions that were granted to the process.
    1 | Terminate (kill)
    2 | Create Thread
    3 | Set Session ID
    4 | VM Operation
    5 | VM Read
    6 | VM Write
    7 | Duplicate Handle
    8 | Create Process
    9 | Set Quota
    10 | Set Information
    11 | Query Information
    12 | Suspend/Resume
    13 | Query Limited Information
    14 | Read Registers
    15 | Write Registers
    16 | Process Read
    17 | Process Write
    18 | Control
    19 | Attach
    20 | Privileges
Resource Connection | resource_connection | Primary | Recommended | Network Connection | The connection that was the target of suspicious or malicious activity by the event actor process.
Reason (Ext) | reason | Primary | Optional | String | The reason for the detection.
Reason | reason_id | Primary | Recommended | Integer | The reason for the detection.
    0 | Unknown
    1 | Policy Violation
    2 | Threat Detection
Correlation ID (Ext) | correlation_uid | Primary | Optional | String | The unique identifier used to correlate events.
Resource File | resource_file | Primary | Recommended | File | The file that was the target of suspicious or malicious activity by the event actor process.
Resource Registry Value | resource_reg_value | Primary | Recommended | Registry Value | The registry value that was the target of suspicious or malicious activity by the event actor process.
Scan ID (Ext) | scan_uid | Primary | Optional | String | The unique identifier of the scan that is associated with the event.
Detection Version (Ext) | content_ver | Primary | Optional | String | The version of the detection engine or signature content.

Note: AV, SONAR, and IPS have differing version string formats.

Events (Ext) | events | Primary | Optional | JSON Array | The additional events that pertain to the event or incident.
Detection ID (Ext) | detection_uid | Primary | Optional | String | The associated unique detection event identifier. For example: detection response events include the Detection ID of the original event.
Event Unique ID | uuid | Primary | Reserved | String | The system-assigned unique identifier of an event occurrence.
Lineage (Ext) | lineage | Primary | Optional | String Array | The lineage of the actor process.
Restart Required | restart_required | Primary | Optional | Boolean | The device requires a restart in order to complete the disposition identified in the "id" field.
CybOX (Ext) | cybox | Primary | Reserved | Cyber Observable eXpression | The Cyber Observable eXpression (CybOX TM) attributes.
Resource Identifier | resource_type_id | Primary | Recommended | Integer | The identifier of the target of suspicious or malicious activity by the event actor process.
    0 | Resource connection
    1 | Resource directory
    2 | Resource file
    3 | Resource registry key
    4 | Resource registry value
Analysis (Ext) | analysis | Primary | Optional | String | The anti-malware emulation analysis.
Policy | policy | Primary | Recommended | Policy | The policy that pertains to the event.
Requested Permissions (Ext) | requested_permissions | Primary | Optional | Integer Array | The permissions requested by the actor process.
    1 | Terminate (kill)
    2 | Create Thread
    3 | Set Session ID
    4 | VM Operation
    5 | VM Read
    6 | VM Write
    7 | Duplicate Handle
    8 | Create Process
    9 | Set Quota
    10 | Set Information
    11 | Query Information
    12 | Suspend/Resume
    13 | Query Limited Information
    14 | Read Registers
    15 | Write Registers
    16 | Process Read
    17 | Process Write
    18 | Control
    19 | Attach
    20 | Privileges
Threat | threat | Primary | Optional | Threat | The primary threat identified by the event.

Note: The primary threat may be the first threat found by the detection engine, or it may be the most severe threat found. The client determines the primary threat.

Quarantine ID (Ext) | quarantine_uid | Primary | Optional | String | If the id field is one of:
  • [12] Quarantined
  • [13] Restored
the unique identifier of the item that was quarantined or restored from quarantine.
Data Size (Ext) | data_size | Primary | Optional | Integer | The size of the data prior to truncation.
System Activity (Ext) | activity_id | Primary | Optional | Integer | The process activity.
    1 | Launch
    2 | Terminate
    3 | Open
    4 | Inject
    5 | Set User ID
Actor | actor | Primary | Recommended | Process | The process that performed the operation or action on the target object. For example, the process that could have created a new file or violated a policy.
Sessions (Ext) | sessions | Primary | Optional | Session Array | The user sessions on the device.
Injection Type (Ext) | injection_type_id | Primary | Optional | Integer | The process injection method.
    0 | Unknown
    1 | Remote Thread
    2 | Accessibility APIs
    3 | Process Manipulation APIs
Data | data | Primary | Recommended | String | The data that was scanned.
Log Name (Ext) | log_name | Primary | Reserved | String | The name of the database, index, or archive where the event was logged.
Resource Directory | resource_directory | Primary | Recommended | File | The directory that was the target of suspicious or malicious activity by the event actor process.
Audit | audit | Primary | Optional | Boolean | The audit mode of the event. When true, no remediation actions were performed.
Parent Process (Ext) | parent | Primary | Optional | Process | The parent process of the process associated with the event. See specific usage.
Responsible Actor | responsible_actor | Primary | Recommended | Process | The process that is responsible for triggering the detection. For example: the untrusted ancestor process, or the process that injected a thread into the actor process.
Threats (Ext) | threats | Primary | Optional | Threat Array | The additional threats that were detected.
Process | process | Primary | Recommended | Process | The process that triggered the detection.
Resource | resource | Primary | Recommended | String | The target resource.
Message ID (Ext) | message_id | Message | Optional | String | The numeric representation of the message, ordinarily used for translation purposes.
Message Code (Ext) | message_code | Message | Optional | String | The coded string representation of the message, ordinarily used for troubleshooting.
Message | message | Message | Recommended | String | The description of the event.
Composite Event (Ext) | composite | Occurrence | Optional | Integer | The type of composite event. See the Event Logging API for more information.
    1 | Intact | The composite event is stored as-is.
    2 | Expanded | The composite event is expanded into multiple events.
Event Time | time | Occurrence | Reserved | Datetime | The event occurrence time (Device Time) adjusted to the server clock.

Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Count (Ext) | count | Occurrence | Optional | Integer | For aggregated events, the number of times that the event occurred during the Device Time to Device End Time period.
Sequence Number (Ext) | seq_num | Occurrence | Recommended | Integer | A 32-bit positive number that indicates the order of events sent by the client.

Note: The first event that a client sends has a Sequence Number of 1 and the client increments the Sequence Number with each subsequent event. For UNPACK (2) composite events, each event in the events array must have a unique seq_num, such as events[i+1].seq_num = events[i].seq_num + 1. When the sequence number wraps around, based on java.lang.Integer.MAX_VALUE, it must start from 1. The event service records sequence numbers to detect lost events.

End Time (Ext) | end_time | Occurrence | Reserved | Datetime | For aggregate events, the Device End Time adjusted to the server clock.
Device Time | device_time | Occurrence | Required | Datetime | The time that the event occurred at the device.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. The event producer or the event collection agent that detects the event provides the event Device Time.

Collected Time (Ext) | log_time | Occurrence | Reserved | Datetime | The time that the system collected the event.

Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Device End Time (Ext) | device_end_time | Occurrence | Optional | Datetime | The time of the last aggregated event.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC, and this value must be greater than or equal to the Device Time (device_time) value.

Time Zone | timezone | Occurrence | Recommended | Integer | Returns a Long value that represents the difference in minutes between the local time in this time zone and Coordinated Universal Time (UTC).

For example: in a state that adopts daylight time in the Pacific time zone, the Bias is 480 minutes and the DaylightBias is -60 minutes. To determine the time in UTC for June 11, 2 A.M. PST, add a Bias of (480/60) hours and a DaylightBias of -(60/60) hours to the local time June 11, 2 A.M. The time in UTC is June 11, 9 A.M.

Device Virtual Host Type (Ext) | device_vhost_id | Origination | Optional | Integer | The device virtual host type.
    0 | Unknown
    1 | None
    10 | VMware
    11 | Hyper-V®
    12 | Xen
    13 | KVM
    14 | QEMU
    15 | VirtualBox
    16 | Solaris Zones
    30 | AWS
    31 | Azure
    32 | GCP
    33 | OCP
    50 | Docker
    51 | Cloud Foundry
    52 | LXC
Feature ID (Ext) | feature_uid | Origination | Recommended | String | The unique identifier of the feature originating the event.
Device OS Country Code (Ext) | device_os_country | Origination | Optional | String | The operating system country code as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
Domain ID (Ext) | domain_uid | Origination | Recommended | String | The unique domain identifier.
Impersonator Customer ID (Ext) | impersonator_customer_uid | Origination | Optional | String | The unique customer identifier of the impersonating agent.
Container (Ext) | container | Origination | Optional | Container | The container that pertains to the event.
Device OS Service Pack Version (Ext) | device_os_sp_ver | Origination | Optional | String | The version number of the latest Service Pack.
Impersonator Domain ID (Ext) | impersonator_domain_uid | Origination | Optional | String | The unique domain identifier of the impersonating agent.
Device Network Information (Ext) | device_networks | Origination | Recommended | Network Info Array | The network information objects that are associated with the device, one for each MAC address/IP address combination.

Note: The first element of the array is the network information that pertains to the event.

User ID (Ext) | user_uid | Origination | Recommended | String | The unique identifier of the user associated with the event.
Compliant Device (Ext) | device_is_compliant | Origination | Optional | Boolean | The event occurred on a compliant device.
Device Virtual Host Type String (Ext) | device_vhost | Origination | Optional | String | The device virtual host type string.
Device Subnet (Ext) | device_subnet | Origination | Optional | IP Address | The subnet IP address. For example: "255.0.0.0".
Feature Path (Ext) | feature_path | Origination | Recommended | String | The path of the feature originating the event.
Feature Type (Ext) | feature_type | Origination | Recommended | String | The type of feature.
Device Group (Ext) | device_group | Origination | Optional | String | The full path of the group to which the device belongs. For example: West Coast\Windows Laptops.
Product Version | product_ver | Origination | Recommended | String | The version of the product.

Note: The version is as defined by the product SKU, originating the event. For example: "2013.1.3-beta".

Product Language (Ext) | product_lang | Origination | Recommended | String | The two-letter lowercase language code as defined by ISO 639-1. For example: "en" (English), "de" (German), or "fr" (French).
Device BIOS Manufacturer (Ext) | device_hw_bios_manufacturer | Origination | Optional | String | The BIOS manufacturer. For example: "LENOVO".
Device Org Unit ID (Ext) | org_unit_uid | Origination | Recommended | String | The unique identifier of the organizational unit.
Device Org Unit (Ext) | device_org_unit | Origination | Recommended | String | The name of the org unit to which the device belongs.
Device OS Type (Ext) | device_os_type_id | Origination | Recommended | Integer | The type of the operating system.
    0 | Unknown
    100 | Windows
    200 | Linux
    300 | Solaris
    301 | AIX
    302 | HP-UX
    400 | Macintosh
    500 | iOS
    501 | Android
    502 | Windows Mobile
    503 | iPadOS
    1001 | Other
Device Domain (Ext) | device_domain | Origination | Recommended | String | The network domain where the device resides. For example: "internal.somecompany.com".
Personal Device (Ext) | device_is_personal | Origination | Optional | Boolean | The event occurred on a personal device.
User Present (Ext) | is_user_present | Origination | Optional | Boolean | The indication of whether the user was logged on at event generation time.
Device OS Language (Ext) | device_os_lang | Origination | Optional | String | The lowercase two-letter ISO language code as defined by ISO 639-1. For example: "en", "de", or "fr".
Product Data (Ext) | product_data | Origination | Optional | JSON | The event attributes that are specific to the reporting product.
Device OS Build (Ext) | device_os_build | Origination | Optional | String | The operating system build number.
User Name | user_name | Origination | Recommended | String | The name of the user that originated or caused the event (if the event involves a user) or the user on whose behalf the event occurred.
Product ID (Ext) | product_uid | Origination | Recommended | String | The unique identifier of the product originating the event.
Device Alias (Ext) | device_alias_name | Origination | Optional | String | The alternate device name, ordinarily as assigned by an administrator.
Device IMEI (Ext) | device_imei | Origination | Optional | String | The International Mobile Station Equipment Identifier that is associated with the device.
Device Caption (Ext) | device_cap | Origination | Optional | String | A short description or caption of the device. For example: "ATP Scanner 1" or "CSP Manager".
Device Gateway (Ext) | device_gateway | Origination | Optional | IP Address | The gateway IP address. For example: "10.0.0.1".
Impersonator User ID (Ext) | impersonator_user_uid | Origination | Optional | String | The unique user identifier of the impersonating agent.
Device BIOS Date (Ext) | device_hw_bios_date | Origination | Optional | String | The BIOS date. For example: "03/31/16".
Device Type (Ext) | device_type | Origination | Recommended | String | The type of device originating the event. For example: "unknown", "server", "desktop", "laptop", "tablet", "mobile", "virtual", "browser", or "other".
Device Location (Ext) | device_location | Origination | Optional | Location | The location of the device at the time of the event.
Device MAC Addresses (Ext) | device_mac | Origination | Optional | String | The Media Access Control (MAC) address that is associated with the device.
Device OS Bits (Ext) | device_os_bits | Origination | Optional | Integer | The number of processor bits. For example: 64 or 128.
Device Site (Ext) | device_site | Origination | Recommended | String | The name of the site to which the device belongs.
Reference Event Log Time (Ext) | ref_log_time | Origination | Optional | Datetime | The log time of the reference event.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Feature Name (Ext) | feature_name | Origination | Recommended | String | The name of the feature originating the event.

Note: The Feature Name is ordinarily defined by the product SKU, but it could be any other name that identifies the software component originating the event. For example: "Live Update".

Raw Data (Ext) | raw_data | Origination | Optional | String | The event data as received.
Unmanaged Device (Ext) | device_is_unmanaged | Origination | Optional | Boolean | The event occurred on an unmanaged device.
Device Group Name (Ext) | device_group_name | Origination | Optional | String | The name of the leaf group to which the device belongs. For example: Windows Laptops.
Device Cloud VM (Ext) | device_cloud_vm | Origination | Optional | Cloud Hosted VM | The cloud-hosted virtual machine.
Customer ID (Ext) | customer_uid | Origination | Recommended | String | The unique customer identifier.
Device ID (Ext) | device_uid | Origination | Recommended | String | The unique identifier of the device.
Device Proxy Name (Ext) | device_proxy_name | Origination | Optional | String | The proxy host name. For example: "localproxy".
Source (Ext) | source | Origination | Optional | Event Source | The monitored source that originated the event.
Device Reference ID (Ext) | device_ref_uid | Origination | Optional | String | The unique reference identifier of the device.
Device MD5 (Ext) | device_name_md5 | Origination | Optional | String | The MD5 hash of the device name.

Note: The hash must be of the lower-case device name.

Device OS Edition (Ext) | device_os_edition | Origination | Optional | String | The operating system edition. For example: "Professional".
Device Domain ID (Ext) | device_domain_uid | Origination | Recommended | String | The unique identifier of the domain where the device resides.
Device IP Address | device_ip | Origination | Recommended | IP Address | The IP address that pertains to the event, in either IPv4 or IPv6 format.

Note: Because the IP address of a device can change, the IP address must be captured when the event occurs, which may be different from when the event is sent. If additional network information is pertinent to the event, also populate Device Network Information (device_networks).

Original Data (Ext) | orig_data | Origination | Reserved | String | The pre-normalized event data.
Product Name | product_name | Origination | Recommended | String | The name of the product originating the event.
User | user | Origination | Recommended | User | The user that pertains to the event. Can be used to provide information in addition to User Name.
Device Description (Ext) | device_desc | Origination | Optional | String | The description of the device, ordinarily as reported by the operating system.
Device Processor Type (Ext) | device_hw_cpu_type | Origination | Optional | String | The processor type. For example: "x86 Family 6 Model 37 Stepping 5".
Device Proxy IP (Ext) | device_proxy_ip | Origination | Optional | IP Address | The proxy IP address.
Device OS Service Pack (Ext) | device_os_sp_name | Origination | Optional | String | The name of the latest Service Pack.
Device BIOS Version (Ext) | device_hw_bios_ver | Origination | Optional | String | The BIOS version. For example: "LENOVO G5ETA2WW (2.62)".
Feature Version (Ext) | feature_ver | Origination | Recommended | String | The version of the feature originating the event. For example: "2014.1.3.64".
Reference Event Log Name (Ext) | ref_log_name | Origination | Optional | String | The log name of the reference event.
Device Public IP (Ext) | device_public_ip | Origination | Reserved | IP Address | The public IP address.

Note: The Device Public IP is populated with the value of the x-forwarded-for message header, if present.

Device OS Version (Ext) | device_os_ver | Origination | Optional | String | The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9".
Original Event ID (Ext) | ref_orig_uid | Origination | Optional | String | The unique identifier of the external event that corresponds to Reference Event ID (ref_uid), if applicable.
Sub-feature Name (Ext) | subfeature_name | Origination | Optional | String | The name of the sub-feature originating the event.
Customer Registry ID (Ext) | customer_registry_uid | Origination | Optional | String | The unique Symantec customer registry identifier.
Reference Event ID (Ext) | ref_uid | Origination | Optional | String | The unique external original message or event identifier that was used to record the event. For example: the Windows Event Log Event ID, the SEPM event UID, or the SYSLOG msgid.
Device Name | device_name | Origination | Recommended | String | The name of the device originating the event.

Note: The Device Name is ordinarily the host name, but could be any other string that helps to identify the device, such as a phone number; for example "computer.domain" or "310.555.1234".

Trusted Device (Ext) | device_is_trusted | Origination | Optional | Boolean | The event occurred on a trusted device.
Device OS (Ext) | device_os_name | Origination | Recommended | String | The name of the operating system running on the device from which the event originated. For example: "Windows 10 Home Basic", "Mac OS X", "iOS", or "Android".
Log Level (Ext) | log_level | Status | Optional | String | The log level as reported by the logger subsystem.
Stack Trace (Ext) | status_stack_trace | Status | Optional | String | The list of calls that the application was making when an exception was thrown.
Status Details (Ext) | status_detail | Status | Optional | String | The status details.
OS Code Source (Ext) | status_os_src | Status | Optional | Integer | The indication of whether the OS Code (status_os) returned to the application for the requested operation was returned by the OS (0) or generated by the security product (1).
OS Code (Ext) | status_os | Status | Optional | String | The operating system result code.
Thread Name (Ext) | status_thread_name | Status | Optional | String | The name of the thread that pertains to the status.
Status | status_id | Status | Optional | Integer | The cross-platform event status.
    0 | Unknown
    1 | Success
    2 | Failure
    3 | In Progress
    4 | Partial Success
Remediation (Ext) | remediation | Remediation | Optional | String | The remediation information.
Remediation Reference (Ext) | remediation_ref | Remediation | Optional | String | The reference to remediation information.

Note: The information can be either internal or external to the reporting product.

Remediation ID (Ext) | remediation_uid | Remediation | Optional | String | The unique identifier of the remediation information.
Remediated (Ext) | remediated | Remediation | Optional | Boolean | The indication of whether the event was remediated.
Logging Device Time (Ext) | logging_device_post_time | Collector | Optional | Datetime | The time when the event was logged by the logging device.

Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.

Logging Device IP (Ext) | logging_device_ip | Collector | Optional | IP Address | The IP address of the device that logged the event.
Collector Device Name (Ext) | collector_device_name | Collector | Optional | String | The name of the collector device.
Logging Device Name (Ext) | logging_device_name | Collector | Optional | String | The name of the device that logged the event.
Collector ID (Ext) | collector_uid | Collector | Optional | String | The unique identifier of the collector.
Collector Name (Ext) | collector_name | Collector | Optional | String | The name of the collector.
Logging Device ID (Ext) | logging_device_ref_uid | Collector | Optional | String | The unique identifier of the device that collects logs from other devices.
Proxy Device IP (Ext) | proxy_device_ip | Collector | Optional | IP Address | The IP address of the proxy device that is collecting events from other devices. For example: the IP address of a Windows Domain controller. The format is either IPv4 or IPv6.
Collector Device IP (Ext) | collector_device_ip | Collector | Optional | IP Address | The IP address of the collector device in either IPv4 or IPv6 format.
Proxy Device Name (Ext) | proxy_device_name | Collector | Optional | String | The name of the proxy device that is collecting events from other devices.
STIC Version (Ext) | stic_version | STIC | Optional | String | The version of the STIC library.
STIC Hardware IDs (Ext) | stic_legacy_hw_uids | STIC | Optional | String Array | The list of Hardware IDs that have been associated with the device.
STIC Control Data ID (Ext) | stic_schema_id | STIC | Optional | String | The telemetry submission control data identifier, represented as an 8 byte hexadecimal string.
STIC Enterprise IDs (Ext) | stic_legacy_ent_uids | STIC | Optional | String Array | The list of Enterprise IDs (related to license entitlement) that have been associated with the device.
STIC PII (Ext) | stic_has_pii | STIC | Optional | Boolean | The indication of whether the event has any Personally Identifiable Information (PII).
STIC Hardware ID (Ext) | stic_hw_uid | STIC | Optional | String | The device hardware ID.
STIC Machine IDs (Ext) | stic_legacy_uids | STIC | Optional | String Array | The list of Machine IDs that have been associated with the device.
STIC IP Hash (Ext) | stic_ip_hash | STIC | Optional | String | The STIC hash of the IP address.
STIC Machine ID (Ext) | stic_uid | STIC | Optional | String | The device Machine ID.
Constraints
Only one attribute can be present: resource_connection, resource_directory, resource_file, resource_reg_key, resource_reg_value
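The constraints scattered through this reference (the Event ID enumeration, which shows event_id as type_id 8027 followed by the three-digit Disposition id; the single-resource constraint above; the Device End Time note requiring device_end_time >= device_time; the Sequence Number note on positive 32-bit values wrapping past java.lang.Integer.MAX_VALUE; and the Quarantine ID rule tying quarantine_uid to Disposition 12 or 13) are easiest to get right in an ingestion pipeline if they are checked mechanically. The validator below is an added example written for this page; it is not part of the schema documentation or any vendor SDK. It assumes events arrive as flat Python dicts keyed by attribute name, with Datetime attributes already as integer milliseconds since the epoch, and the sample event (including the "path" key inside resource_file) is constructed for illustration.

```python
"""Validate a Process Detection event against the constraints stated on
the schema page.  Example code added for illustration; not vendor code."""
from typing import Any

TYPE_ID = 8027                 # type_id of Process Detection events
INT32_MAX = 2**31 - 1          # java.lang.Integer.MAX_VALUE (seq_num wrap point)

# Disposition (id) values listed on the page (9 is not defined)
DISPOSITIONS = {0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 15}
QUARANTINE_DISPOSITIONS = {12, 13}   # Quarantined, Restored
RESOURCE_ATTRS = ("resource_connection", "resource_directory",
                  "resource_file", "resource_reg_key", "resource_reg_value")


def event_id_for(disposition: int) -> int:
    """event_id as the enumeration shows it: type_id * 1000 + disposition,
    e.g. Quarantined (12) -> 8027012."""
    return TYPE_ID * 1000 + disposition


def next_seq_num(current: int) -> int:
    """Client sequence number after `current`; restarts at 1 once the
    32-bit positive range is exhausted."""
    return 1 if current >= INT32_MAX else current + 1


def validate(event: dict[str, Any]) -> list[str]:
    """Return the list of violated constraints (empty list means valid)."""
    problems: list[str] = []

    if event.get("type_id") != TYPE_ID:
        problems.append(f"type_id must be {TYPE_ID}")

    disp = event.get("id")
    if disp not in DISPOSITIONS:
        problems.append(f"unknown disposition id {disp!r}")
    elif event.get("event_id") != event_id_for(disp):
        problems.append(f"event_id {event.get('event_id')!r} does not encode "
                        f"type_id {TYPE_ID} and disposition {disp}")

    # Constraint: at most one resource_* attribute may be present
    present = [a for a in RESOURCE_ATTRS if a in event]
    if len(present) > 1:
        problems.append("only one resource attribute allowed, got: "
                        + ", ".join(present))

    # device_time is Required; device_end_time must not precede it
    dev_time = event.get("device_time")
    if not isinstance(dev_time, int):
        problems.append("device_time (ms since epoch) is required")
    elif "device_end_time" in event and event["device_end_time"] < dev_time:
        problems.append("device_end_time precedes device_time")

    # seq_num is a positive 32-bit number when supplied
    seq = event.get("seq_num")
    if seq is not None and not (isinstance(seq, int) and 1 <= seq <= INT32_MAX):
        problems.append(f"seq_num {seq!r} is not a positive 32-bit integer")

    # quarantine_uid is only defined for Quarantined / Restored dispositions
    if "quarantine_uid" in event and disp not in QUARANTINE_DISPOSITIONS:
        problems.append("quarantine_uid present but disposition is not "
                        "Quarantined/Restored")
    return problems


# Constructed sample event; all values are made up for illustration
SAMPLE_EVENT = {
    "event_id": 8027012, "type_id": 8027, "id": 12, "category_id": 1,
    "severity_id": 4, "version": "1.7",
    "device_time": 1_700_000_000_000, "device_end_time": 1_700_000_005_000,
    "seq_num": 41,
    "resource_file": {"path": "C:\\Users\\example\\Downloads\\sample.exe"},
    "quarantine_uid": "example-quarantine-id",
    "message": "Process blocked and file quarantined",
}

if __name__ == "__main__":
    print(validate(SAMPLE_EVENT) or "sample event satisfies the page's constraints")
```

The checks are written as a list of findings rather than a single boolean so that an ingestion stage can log every violation of a malformed record at once; the event_id check in particular catches producers that emit a type_id/Disposition pair inconsistent with the enumerated Event ID.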