File Detection Event

File Detection events report the detection and resolution of file threats or policy violations.
Name | Attribute | Group | Requirement | Type | Description
Event ID | event_id | Classification | Reserved | Integer | The event ID identifies the event's semantics, structure and outcome.
    8031000 | File Detection: Unknown | Disposition is unknown.
    8031001 | File Detection: Blocked | Action was blocked, with no further remediation. For example: access denied to file(s).
    8031002 | File Detection: Allowed | Action was allowed. Exception/Exclusion created by admin.
    8031003 | File Detection: No Action | Remediation action failed.
    8031004 | File Detection: Logged | Logged only; no action taken.
    8031005 | File Detection: Command Script Run | Event triggered a script to run in response to the detection. For example: the script mitigated the threat or launched a forensic investigation automatically.
    8031006 | File Detection: Corrected | Repaired. For example: cleaned.
    8031007 | File Detection: Partially Corrected | Partially repaired.
    8031008 | File Detection: Uncorrected | Still infected.
    8031010 | File Detection: Delayed | Requires reboot to finish the operation. Deprecated.
    8031011 | File Detection: Deleted | Cleaned by deletion.
    8031012 | File Detection: Quarantined | Moved to Quarantine.
    8031013 | File Detection: Restored | Released from Quarantine.
    8031014 | File Detection: Detected | Finding is pending analysis.
    8031015 | File Detection: Exonerated | No longer suspicious (re-scored).
    8031016 | File Detection: Tagged | Marked with extended attributes.
Severity | severity_id | Classification | Required | Integer | The severity of the event.
    0 | Unknown | The event severity is not known.
    1 | Informational | Purely informational. No action needed.
    2 | Warning | The user decides if action is needed.
    3 | Minor | Action is required but the situation is not serious at this time.
    4 | Major | Action is required immediately.
    5 | Critical | Action is required immediately and the scope is broad.
    6 | Fatal | An error occurred but it is too late to take remedial action.
Version | version | Classification | Required | String | The event type version, in the form major.minor. For example: 1.7. Event consumers use the version to determine what the event attributes represent.
Type | type_id | Classification | Required | Integer | The event type.
    8031 | File Detection | File Detection events report the detection and resolution of file threats or policy violations.
Category | category_id | Classification | Required | Integer | The event type category.
    1 | Security
Type String (Ext) | type | Classification | Optional | String | The event type.
Disposition | id | Classification | Required | Integer | The outcome of the event.
    0 | Unknown | Disposition is unknown.
    1 | Blocked | Action was blocked, with no further remediation. For example: access denied to file(s).
    2 | Allowed | Action was allowed. Exception/Exclusion created by admin.
    3 | No Action | Remediation action failed.
    4 | Logged | Logged only; no action taken.
    5 | Command Script Run | Event triggered a script to run in response to the detection. For example: the script mitigated the threat or launched a forensic investigation automatically.
    6 | Corrected | Repaired. For example: cleaned.
    7 | Partially Corrected | Partially repaired.
    8 | Uncorrected | Still infected.
    10 | Delayed | Requires reboot to finish the operation. Deprecated.
    11 | Deleted | Cleaned by deletion.
    12 | Quarantined | Moved to Quarantine.
    13 | Restored | Released from Quarantine.
    14 | Detected | Finding is pending analysis.
    15 | Exonerated | No longer suspicious (re-scored).
    16 | Tagged | Marked with extended attributes.
Attacks (Ext) | attacks | Primary | Optional | Attack Array | The array of attacks that are associated with the event.
Entity (Ext) | entity | Primary | Optional | Managed Entity | The managed entity that pertains to the event.
File Diff (Ext) | file_diff | Primary | Optional | String | File content differences used for change detection. For example, a common use case is to identify itemized changes within INI or configuration/property setting values.
Reason (Ext) | reason | Primary | Optional | String | The reason for the detection.
Reason | reason_id | Primary | Recommended | Integer | The reason for the detection.
    0 | Unknown
    1 | Policy Violation
    2 | Threat Detection
File | file | Primary | Recommended | File | The file that triggered the detection.
Correlation ID (Ext) | correlation_uid | Primary | Optional | String | The unique identifier used to correlate events.
Open Mode (Ext) | open_mode | Primary | Optional | Boolean | The mode in which the file was opened: 'Read' = false, 'Write' = true. Applicable to file open events.
Scan ID (Ext) | scan_uid | Primary | Optional | String | The application-generated unique ID of the scan, if applicable, that caused the detection event.
Detection Version (Ext) | content_ver | Primary | Optional | String | The version of the detection engine or signature content.
    Note: AV, SONAR, and IPS have differing version string formats.
Events (Ext) | events | Primary | Optional | JSON Array | The additional events that pertain to the event or incident.
Detection ID (Ext) | detection_uid | Primary | Optional | String | The associated unique detection event identifier. For example: detection response events include the Detection ID of the original event.
Event Unique ID | uuid | Primary | Reserved | String | The system-assigned unique identifier of an event occurrence.
Component (Ext) | component | Primary | Optional | String | The name or relative pathname of a subcomponent of the data object, if applicable. For example: attachment.doc, attachment.zip/bad.doc, or part.mime/part.cab/part.uue/part.doc.
Lineage (Ext) | lineage | Primary | Optional | String Array | The lineage of the actor process.
Connection Reference Identifier (Ext) | connection_ref_uid | Primary | Optional | String | The reference to the network connection object that pertains to the event.
Restart Required | restart_required | Primary | Optional | Boolean | The device requires a restart in order to complete the disposition identified in the "id" field.
File Result (Ext) | file_result | Primary | Optional | File | The resulting file object; for example, if a file operation is ALLOWED, the resulting file object can be included in the event.
CybOX (Ext) | cybox | Primary | Reserved | Cyber Observable eXpression | The Cyber Observable eXpression (CybOX™) attributes.
Analysis (Ext) | analysis | Primary | Optional | String | The anti-malware emulation analysis.
Create Mask (Ext) | create_mask_id | Primary | Optional | Integer | The Windows create file flag, applicable to the System Activity File Create event.
    1 | Create New
    2 | Create Always
    3 | Open Existing
    4 | Open Always
    5 | Truncate Existing
Policy | policy | Primary | Recommended | Policy | The policy that pertains to the event.
Threat | threat | Primary | Optional | Threat | The primary threat identified by the event.
    Note: The primary threat may be the first threat found by the detection engine, or it may be the most severe threat found. The client determines the primary threat.
Access Mask (Ext) | access_mask | Primary | Optional | Integer | The access mask in platform-native format.
Quarantine ID (Ext) | quarantine_uid | Primary | Optional | String | If the event disposition is [12] Quarantined or [13] Restored (from quarantine), include the unique identifier of the item that was quarantined or restored from quarantine.
System Activity | activity_id | Primary | Optional | Integer | The file activity; one of:
    1 | Create
    2 | Delete
    3 | Open
    4 | Rename
    5 | Modify
    6 | Set Attributes
    7 | Set Security
    8 | Get Attributes
    9 | Get Security
    10 | Encrypt
    11 | Decrypt
    12 | Map to Memory
    13 | Set Information
    14 | Lock
Actor | actor | Primary | Recommended | Process | The process that performed the operation or action on the target object. For example: the process that created a new file or violated a policy.
Sessions (Ext) | sessions | Primary | Optional | Session Array | The user sessions on the device.
Log Name (Ext) | log_name | Primary | Reserved | String | The name of the database, index, or archive where the event was logged.
Audit | audit | Primary | Optional | Boolean | The audit mode of the event. When true, no remediation actions were performed.
Parent Process (Ext) | parent | Primary | Optional | Process | The parent process of the process associated with the event. See specific usage.
Responsible Actor | responsible_actor | Primary | Recommended | Process | The process that is responsible for triggering the detection. For example: the untrusted ancestor process, or the process that injected a thread into the actor process.
Threats (Ext) | threats | Primary | Optional | Threat Array | The additional threats that were detected.
Net Detection ID (Ext) | net_detection_uid | Primary | Optional | String | The application-generated unique identifier of the network detection event that is associated with this detection event. For example, if an outbound network detection event remediates an application, the same application would trigger a host detection event.
Access Mask Values (Ext) | access_mask_ids | Primary | Optional | Integer Array | The access mask values.
    1 | Generic Read
    2 | Generic Write
    3 | Generic Execute
    4 | Generic All
    5 | Delete
    6 | Write DAC
    7 | Write Owner
    8 | Synchronize
    9 | Read Data (Unix read)
    10 | Write Data (Unix write)
    11 | Append Data
    12 | Read Extended Attributes
    13 | Write Extended Attributes
    14 | Execute (Unix read)
    15 | Delete Child
    16 | Read Attributes
    17 | Write Attributes
    18 | Read Control
    19 | Access System Security
    20 | Max Allowed
Message ID (Ext) | message_id | Message | Optional | String | The numeric representation of the message, ordinarily used for translation purposes.
Message Code (Ext) | message_code | Message | Optional | String | The coded string representation of the message, ordinarily used for troubleshooting.
Message | message | Message | Recommended | String | The description of the event.
Composite Event (Ext) | composite | Occurrence | Optional | Integer | The type of composite event. See the Event Logging API for more information.
    1 | Intact | The composite event is stored as-is.
    2 | Expanded | The composite event is expanded into multiple events.
Event Time | time | Occurrence | Reserved | Datetime | The event occurrence time (Device Time) adjusted to the server clock.
    Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.
Count (Ext) | count | Occurrence | Optional | Integer | For aggregated events, the number of times that the event occurred during the Device Time to Device End Time period.
Sequence Number (Ext) | seq_num | Occurrence | Recommended | Integer | A 32-bit positive number that indicates the order of events sent by the client.
    Note: The first event that a client sends has a Sequence Number of 1, and the client increments the Sequence Number with each subsequent event. For UNPACK (2) composite events, each event in the events array must have a unique seq_num, such that events[i+1].seq_num = events[i].seq_num + 1. When the sequence number wraps around, based on java.lang.Integer.MAX_VALUE, it must start from 1. The event service records sequence numbers to detect lost events.
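The sequence-number contract in the note above (a fresh client starts at 1, increments per event, wraps back to 1 after java.lang.Integer.MAX_VALUE, and keeps consecutive seq_num values inside an expanded composite) is what an event service relies on to detect lost events. The following is an added example, not ICDx code: it runs that check over constructed streams of sequence numbers. The accounting for how many events went missing (modular distance on the 1..MAX_VALUE ring) and the heuristic that flags a number running backwards as a probable replay or out-of-order delivery are this example's own design choices, not rules the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# java.lang.Integer.MAX_VALUE: the page says seq_num wraps back to 1 after this value.
JAVA_INT_MAX = 2_147_483_647
# Valid sequence numbers are 1..JAVA_INT_MAX, i.e. a ring with this many positions.
RING = JAVA_INT_MAX


def next_seq(seq: int) -> int:
    """Sequence number that must follow `seq` (wraps to 1 after Integer.MAX_VALUE)."""
    if not 1 <= seq <= JAVA_INT_MAX:
        raise ValueError(f"seq_num out of range: {seq}")
    return 1 if seq == JAVA_INT_MAX else seq + 1


def ring_distance(expected: int, received: int) -> int:
    """How many positions `received` lies ahead of `expected` on the 1..MAX ring."""
    return (received - expected) % RING


def find_gaps(seq_nums: Iterable[int], expected_first: int = 1) -> List[Dict[str, int]]:
    """Scan one client's event stream in arrival order and report every break.

    Each report carries the expected and received numbers and `lost`, the number of
    events missing between them. A received number that lands far *behind* the expected
    one is far more plausibly a replay or out-of-order delivery than the loss of ~2^31
    events, so it is flagged `suspect_replay` (heuristic: more than half the ring).
    """
    reports: List[Dict[str, int]] = []
    expected = expected_first
    for received in seq_nums:
        if received != expected:
            lost = ring_distance(expected, received)
            reports.append({
                "expected": expected,
                "received": received,
                "lost": lost,
                "suspect_replay": int(lost > RING // 2),
            })
        expected = next_seq(received)
    return reports


@dataclass
class Event:
    seq_num: int
    events: List["Event"] = field(default_factory=list)  # sub-events of an expanded composite


def composite_in_order(events: List[Event]) -> bool:
    """True if events[i+1].seq_num == events[i].seq_num + 1 (with wrap), as the note requires."""
    return all(b.seq_num == next_seq(a.seq_num) for a, b in zip(events, events[1:]))


# Constructed sample streams (not real telemetry).
CLEAN_STREAM = [1, 2, 3, 4, 5]
LOSSY_STREAM = [1, 2, 3, 6, 7]                            # 4 and 5 never arrived
WRAPPING_STREAM = [JAVA_INT_MAX - 1, JAVA_INT_MAX, 1, 2]  # correct wrap-around
WRAP_WITH_LOSS = [JAVA_INT_MAX - 1, JAVA_INT_MAX, 3]      # 1 and 2 lost across the wrap
REPLAYED_STREAM = [1, 2, 3, 2]                            # seq 2 delivered twice

if __name__ == "__main__":
    for name, stream in [("clean", CLEAN_STREAM), ("lossy", LOSSY_STREAM),
                         ("wrap", WRAPPING_STREAM), ("wrap+loss", WRAP_WITH_LOSS),
                         ("replay", REPLAYED_STREAM)]:
        print(name, find_gaps(stream, expected_first=stream[0]))
```

Calling find_gaps with the default expected_first of 1 applies the page's rule for a freshly started client, so a stream that begins at 3 is reported as two lost events; pass the last number seen for a client whose stream is being resumed.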

End Time (Ext) | end_time | Occurrence | Reserved | Datetime | For aggregate events, the Device End Time adjusted to the server clock.
Device Time | device_time | Occurrence | Required | Datetime | The time that the event occurred at the device.
    Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC. The event producer or the event collection agent that detects the event provides the event Device Time.
Collected Time (Ext) | log_time | Occurrence | Reserved | Datetime | The time that the system collected the event.
    Note: The internal time format is the number of milliseconds since 01/01/1970 00:00:00 UTC.
Device End Time (Ext) | device_end_time | Occurrence | Optional | Datetime | The time of the last aggregated event.
    Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC, and this value must be greater than or equal to the Device Time (device_time) value.
Time Zone | timezone | Occurrence | Recommended | Integer | A Long value that represents the difference in minutes between the local time in this time zone and Coordinated Universal Time (UTC).
    Example: In a state adopting daylight time in the Pacific time zone, the Bias is 480 minutes and the DaylightBias is -60 minutes. To determine the time in UTC for June 11, 2 A.M. PST, add a Bias of (480/60) hours and a DaylightBias of -(60/60) hours to the local time June 11, 2 A.M. The time in UTC is June 11, 9 A.M.
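An added example, not ICDx code, that checks a File Detection event against the constraints stated in the tables on this page: type_id 8031 in category 1, a disposition id from the Disposition table, an event_id that matches it, severity 0..6, the version in major.minor form, quarantine_uid present for dispositions 12 and 13, device_end_time not earlier than device_time, and timestamps as milliseconds since the Unix epoch. It also carries the Time Zone worked example above through as a function. Two assumptions: the event_id rule is inferred from the table (every listed value is 8031 followed by the three-digit disposition id, so the check computes type_id * 1000 + id; the page does not state this as a rule), and the year 2024 is supplied for the page's "June 11" example, which names no year. The event dict is constructed with placeholder identifiers; the keys are this page's attribute names.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

FILE_DETECTION_TYPE_ID = 8031
CATEGORY_SECURITY = 1
# Disposition ids and names from the Disposition table (9 is not defined on the page).
DISPOSITIONS = {
    0: "Unknown", 1: "Blocked", 2: "Allowed", 3: "No Action", 4: "Logged",
    5: "Command Script Run", 6: "Corrected", 7: "Partially Corrected", 8: "Uncorrected",
    10: "Delayed", 11: "Deleted", 12: "Quarantined", 13: "Restored", 14: "Detected",
    15: "Exonerated", 16: "Tagged",
}
SEVERITIES = range(0, 7)                 # 0 Unknown .. 6 Fatal
QUARANTINE_DISPOSITIONS = {12, 13}       # quarantine_uid is required for these
VERSION_RE = re.compile(r"^\d+\.\d+$")   # "major.minor", e.g. "1.7"


def expected_event_id(type_id: int, disposition_id: int) -> int:
    """Event ID as laid out in the table: type_id followed by the 3-digit disposition id.
    Inferred from 8031000..8031016; the page does not state the rule explicitly."""
    return type_id * 1000 + disposition_id


def ms_to_datetime(ms: int) -> datetime:
    """Page time format: milliseconds since 01/01/1970 00:00:00 UTC."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def local_to_utc(local: datetime, bias_minutes: int, daylight_bias_minutes: int = 0) -> datetime:
    """Time Zone example from the page: UTC = local + Bias + DaylightBias (both in minutes)."""
    return (local + timedelta(minutes=bias_minutes + daylight_bias_minutes)).replace(tzinfo=timezone.utc)


# The page's worked example (Bias 480, DaylightBias -60, June 11 2 A.M.); year 2024 is assumed.
PAGE_EXAMPLE_UTC = local_to_utc(datetime(2024, 6, 11, 2, 0), 480, -60)


def validate_file_detection(ev: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the event passes every check."""
    problems: List[str] = []
    if ev.get("type_id") != FILE_DETECTION_TYPE_ID:
        problems.append(f"type_id must be {FILE_DETECTION_TYPE_ID}, got {ev.get('type_id')}")
    if ev.get("category_id") != CATEGORY_SECURITY:
        problems.append(f"category_id must be {CATEGORY_SECURITY}")
    disp = ev.get("id")
    if disp not in DISPOSITIONS:
        problems.append(f"unknown disposition id {disp}")
    elif ev.get("event_id") != expected_event_id(FILE_DETECTION_TYPE_ID, disp):
        problems.append(f"event_id {ev.get('event_id')} does not match disposition {disp} ({DISPOSITIONS[disp]})")
    if ev.get("severity_id") not in SEVERITIES:
        problems.append(f"severity_id out of range: {ev.get('severity_id')}")
    if not isinstance(ev.get("version"), str) or not VERSION_RE.match(ev["version"]):
        problems.append("version must be a major.minor string")
    if disp in QUARANTINE_DISPOSITIONS and not ev.get("quarantine_uid"):
        problems.append(f"quarantine_uid is required when id is {disp}")
    dt = ev.get("device_time")
    if not isinstance(dt, int):
        problems.append("device_time (ms since epoch) is required")
    else:
        end = ev.get("device_end_time")
        if isinstance(end, int) and end < dt:
            problems.append("device_end_time must be >= device_time")
    return problems


# Constructed sample event (placeholder identifiers, not real telemetry).
SAMPLE_EVENT: Dict[str, Any] = {
    "event_id": 8031012, "type_id": 8031, "category_id": 1, "id": 12,
    "severity_id": 4, "version": "1.7",
    "device_time": 1_700_000_000_000, "device_end_time": 1_700_000_060_000,
    "quarantine_uid": "PLACEHOLDER-QUARANTINE-ID",
    "file": {"name": "invoice.docm"}, "reason_id": 2, "timezone": 480,
}

if __name__ == "__main__":
    print(validate_file_detection(SAMPLE_EVENT))                       # []
    print(ms_to_datetime(SAMPLE_EVENT["device_time"]).isoformat())    # 2023-11-14T22:13:20+00:00
    print(PAGE_EXAMPLE_UTC.isoformat())                                # 2024-06-11T09:00:00+00:00
```

A consumer would typically run these checks at ingestion and route failures to a dead-letter queue rather than drop them silently, because a mismatched event_id or a missing quarantine_uid on a Quarantined disposition usually points at a producer bug worth investigating rather than a malformed single record.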

Device Virtual Host Type (Ext) | device_vhost_id | Origination | Optional | Integer | The device virtual host type.
    0 | Unknown
    1 | None
    10 | VMware
    11 | Hyper-V®
    12 | Xen
    13 | KVM
    14 | QEMU
    15 | VirtualBox
    16 | Solaris Zones
    30 | AWS
    31 | Azure
    32 | GCP
    33 | OCP
    50 | Docker
    51 | Cloud Foundry
    52 | LXC
Feature ID (Ext) | feature_uid | Origination | Recommended | String | The unique identifier of the feature originating the event.
Device OS Country Code (Ext) | device_os_country | Origination | Optional | String | The operating system country code as defined by the ISO 3166-1 standard (Alpha-2 code). For the complete list of country codes, see ISO 3166-1 alpha-2 codes.
Domain ID (Ext) | domain_uid | Origination | Recommended | String | The unique domain identifier.
Impersonator Customer ID (Ext) | impersonator_customer_uid | Origination | Optional | String | The unique customer identifier of the impersonating agent.
Container (Ext) | container | Origination | Optional | Container | The container that pertains to the event.
Device OS Service Pack Version (Ext) | device_os_sp_ver | Origination | Optional | String | The version number of the latest Service Pack.
Impersonator Domain ID (Ext) | impersonator_domain_uid | Origination | Optional | String | The unique domain identifier of the impersonating agent.
Device Network Information (Ext) | device_networks | Origination | Recommended | Network Info Array | The network information objects that are associated with the device, one for each MAC address/IP address combination.
    Note: The first element of the array is the network information that pertains to the event.
User ID (Ext) | user_uid | Origination | Recommended | String | The unique identifier of the user associated with the event.
Compliant Device (Ext) | device_is_compliant | Origination | Optional | Boolean | The event occurred on a compliant device.
Device Virtual Host Type String (Ext) | device_vhost | Origination | Optional | String | The device virtual host type string.
Device Subnet (Ext) | device_subnet | Origination | Optional | IP Address | The subnet IP address. For example: "255.0.0.0".
Feature Path (Ext) | feature_path | Origination | Recommended | String | The path of the feature originating the event.
Feature Type (Ext) | feature_type | Origination | Recommended | String | The type of feature.
Device Group (Ext) | device_group | Origination | Optional | String | The full path of the group to which the device belongs. For example: West Coast\Windows Laptops.
Product Version | product_ver | Origination | Recommended | String | The version of the product.
    Note: The version is as defined by the product SKU originating the event. For example: "2013.1.3-beta".
Product Language (Ext) | product_lang | Origination | Recommended | String | The two-letter lowercase language code as defined by ISO 639-1. For example: "en" (English), "de" (German), or "fr" (French).
Device BIOS Manufacturer (Ext) | device_hw_bios_manufacturer | Origination | Optional | String | The BIOS manufacturer. For example: "LENOVO".
Device Org Unit ID (Ext) | org_unit_uid | Origination | Recommended | String | The unique identifier of the organizational unit.
Device Org Unit (Ext) | device_org_unit | Origination | Recommended | String | The name of the org unit to which the device belongs.
Device OS Type (Ext) | device_os_type_id | Origination | Recommended | Integer | The type of the operating system.
    0 | Unknown
    100 | Windows
    200 | Linux
    300 | Solaris
    301 | AIX
    302 | HP-UX
    400 | Macintosh
    500 | iOS
    501 | Android
    502 | Windows Mobile
    503 | iPadOS
    1001 | Other
Device Domain (Ext) | device_domain | Origination | Recommended | String | The network domain where the device resides. For example: "internal.somecompany.com".
Personal Device (Ext) | device_is_personal | Origination | Optional | Boolean | The event occurred on a personal device.
User Present (Ext) | is_user_present | Origination | Optional | Boolean | The indication of whether the user was logged on at event generation time.
Device OS Language (Ext) | device_os_lang | Origination | Optional | String | The lowercase two-letter ISO language code as defined by ISO 639-1. For example: "en", "de", or "fr".
Product Data (Ext) | product_data | Origination | Optional | JSON | The event attributes that are specific to the reporting product.
Device OS Build (Ext) | device_os_build | Origination | Optional | String | The operating system build number.
User Name | user_name | Origination | Recommended | String | The name of the user that originated or caused the event (if the event involves a user), or the user on whose behalf the event occurred.
Product ID (Ext) | product_uid | Origination | Recommended | String | The unique identifier of the product originating the event.
Device Alias (Ext) | device_alias_name | Origination | Optional | String | The alternate device name, ordinarily as assigned by an administrator.
Device IMEI (Ext) | device_imei | Origination | Optional | String | The International Mobile Station Equipment Identifier that is associated with the device.
Device Caption (Ext) | device_cap | Origination | Optional | String | A short description or caption of the device. For example: "ATP Scanner 1" or "CSP Manager".
Device Gateway (Ext) | device_gateway | Origination | Optional | IP Address | The gateway IP address. For example: "10.0.0.1".
Impersonator User ID (Ext) | impersonator_user_uid | Origination | Optional | String | The unique user identifier of the impersonating agent.
Device BIOS Date (Ext) | device_hw_bios_date | Origination | Optional | String | The BIOS date. For example: "03/31/16".
Device Type (Ext) | device_type | Origination | Recommended | String | The type of device originating the event. For example: "unknown", "server", "desktop", "laptop", "tablet", "mobile", "virtual", "browser", or "other".
Device Location (Ext) | device_location | Origination | Optional | Location | The location of the device at the time of the event.
Device MAC Addresses (Ext) | device_mac | Origination | Optional | String | The Media Access Control (MAC) address that is associated with the device.
Device OS Bits (Ext) | device_os_bits | Origination | Optional | Integer | The number of processor bits. For example: 64 or 128.
Device Site (Ext) | device_site | Origination | Recommended | String | The name of the site to which the device belongs.
Reference Event Log Time (Ext) | ref_log_time | Origination | Optional | Datetime | The log time of the reference event.
    Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.
Feature Name (Ext) | feature_name | Origination | Recommended | String | The name of the feature originating the event.
    Note: The Feature Name is ordinarily defined by the product SKU, but it could be any other name that identifies the software component originating the event. For example: "Live Update".
Raw Data (Ext) | raw_data | Origination | Optional | String | The event data as received.
Unmanaged Device (Ext) | device_is_unmanaged | Origination | Optional | Boolean | The event occurred on an unmanaged device.
Device Group Name (Ext) | device_group_name | Origination | Optional | String | The name of the leaf group to which the device belongs. For example: Windows Laptops.
Device Cloud VM (Ext) | device_cloud_vm | Origination | Optional | Cloud Hosted VM | The cloud-hosted virtual machine.
Customer ID (Ext) | customer_uid | Origination | Recommended | String | The unique customer identifier.
Device ID (Ext) | device_uid | Origination | Recommended | String | The unique identifier of the device.
Device Proxy Name (Ext) | device_proxy_name | Origination | Optional | String | The proxy host name. For example: "localproxy".
Source (Ext) | source | Origination | Optional | Event Source | The monitored source that originated the event.
Device Reference ID (Ext) | device_ref_uid | Origination | Optional | String | The unique reference identifier of the device.
Device MD5 (Ext) | device_name_md5 | Origination | Optional | String | The MD5 hash of the device name.
    Note: The hash must be of the lowercase device name.
Device OS Edition (Ext) | device_os_edition | Origination | Optional | String | The operating system edition. For example: "Professional".
Device Domain ID (Ext) | device_domain_uid | Origination | Recommended | String | The unique identifier of the domain where the device resides.
Device IP Address | device_ip | Origination | Recommended | IP Address | The IP address that pertains to the event, in either IPv4 or IPv6 format.
    Note: Because the IP address of a device can change, the IP address must be captured when the event occurs, which may differ from when the event is sent. If additional network information is pertinent to the event, also populate Device Network Information (device_networks).
Original Data (Ext) | orig_data | Origination | Reserved | String | The pre-normalized event data.
Product Name | product_name | Origination | Recommended | String | The name of the product originating the event.
User | user | Origination | Recommended | User | The user that pertains to the event. Can be used to provide information in addition to User Name.
Device Description (Ext) | device_desc | Origination | Optional | String | The description of the device, ordinarily as reported by the operating system.
Device Processor Type (Ext) | device_hw_cpu_type | Origination | Optional | String | The processor type. For example: "x86 Family 6 Model 37 Stepping 5".
Device Proxy IP (Ext) | device_proxy_ip | Origination | Optional | IP Address | The proxy IP address.
Device OS Service Pack (Ext) | device_os_sp_name | Origination | Optional | String | The name of the latest Service Pack.
Device BIOS Version (Ext) | device_hw_bios_ver | Origination | Optional | String | The BIOS version. For example: "LENOVO G5ETA2WW (2.62)".
Feature Version (Ext) | feature_ver | Origination | Recommended | String | The version of the feature originating the event. For example: "2014.1.3.64".
Reference Event Log Name (Ext) | ref_log_name | Origination | Optional | String | The log name of the reference event.
Device Public IP (Ext) | device_public_ip | Origination | Reserved | IP Address | The public IP address.
    Note: The Device Public IP is populated with the value of the x-forwarded-for message header, if present.
Device OS Version (Ext) | device_os_ver | Origination | Optional | String | The version of the OS running on the device that originated the event. For example: "Windows 10", "OS X 10.7", or "iOS 9".
Original Event ID (Ext) | ref_orig_uid | Origination | Optional | String | The unique identifier of the external event that corresponds to Reference Event ID (ref_uid), if applicable.
Sub-feature Name (Ext) | subfeature_name | Origination | Optional | String | The name of the sub-feature originating the event.
Customer Registry ID (Ext) | customer_registry_uid | Origination | Optional | String | The unique Symantec customer registry identifier.
Reference Event ID (Ext) | ref_uid | Origination | Optional | String | The unique external original message or event identifier that was used to record the event. For example: the Windows Event Log Event ID, the SEPM event UID, or the SYSLOG msgid.
Device Name | device_name | Origination | Recommended | String | The name of the device originating the event.
    Note: The Device Name is ordinarily the host name, but could be any other string that helps to identify the device, such as a phone number; for example "computer.domain" or "310.555.1234".
Trusted Device (Ext) | device_is_trusted | Origination | Optional | Boolean | The event occurred on a trusted device.
Device OS (Ext) | device_os_name | Origination | Recommended | String | The name of the operating system running on the device from which the event originated. For example: "Windows 10 Home Basic", "Mac OS X", "iOS", or "Android".
Log Level (Ext) | log_level | Status | Optional | String | The log level as reported by the logger subsystem.
Stack Trace (Ext) | status_stack_trace | Status | Optional | String | The list of calls that the application was making when an exception was thrown.
Status Details (Ext) | status_detail | Status | Optional | String | The status details.
OS Code Source (Ext) | status_os_src | Status | Optional | Integer | The indication of whether the OS Code (status_os) returned to the application for the requested operation was returned by the OS (0) or generated by the security product (1).
OS Code (Ext) | status_os | Status | Optional | String | The operating system result code.
Thread Name (Ext) | status_thread_name | Status | Optional | String | The name of the thread that pertains to the status.
Status | status_id | Status | Optional | Integer | The cross-platform event status.
    0 | Unknown
    1 | Success
    2 | Failure
    3 | In Progress
    4 | Partial Success
Remediation (Ext) | remediation | Remediation | Optional | String | The remediation information.
Remediation Reference (Ext) | remediation_ref | Remediation | Optional | String | The reference to remediation information.
    Note: The information can be either internal or external to the reporting product.
Remediation ID (Ext) | remediation_uid | Remediation | Optional | String | The unique identifier of the remediation information.
Remediated (Ext) | remediated | Remediation | Optional | Boolean | The indication of whether the event was remediated.
Logging Device Time (Ext) | logging_device_post_time | Collector | Optional | Datetime | The time when the event was logged by the logging device.
    Note: The time submission format is the number of milliseconds since 01/01/1970 00:00:00 UTC.
Logging Device IP (Ext) | logging_device_ip | Collector | Optional | IP Address | The IP address of the device that logged the event.
Collector Device Name (Ext) | collector_device_name | Collector | Optional | String | The name of the collector device.
Logging Device Name (Ext) | logging_device_name | Collector | Optional | String | The name of the device that logged the event.
Collector ID (Ext) | collector_uid | Collector | Optional | String | The unique identifier of the collector.
Collector Name (Ext) | collector_name | Collector | Optional | String | The name of the collector.
Logging Device ID (Ext) | logging_device_ref_uid | Collector | Optional | String | The unique identifier of the device that collects logs from other devices.
Proxy Device IP (Ext) | proxy_device_ip | Collector | Optional | IP Address | The IP address of the proxy device that is collecting events from other devices, in either IPv4 or IPv6 format. For example: the IP address of a Windows Domain Controller.
Collector Device IP (Ext) | collector_device_ip | Collector | Optional | IP Address | The IP address of the collector device, in either IPv4 or IPv6 format.
Proxy Device Name (Ext) | proxy_device_name | Collector | Optional | String | The name of the proxy device that is collecting events from other devices.
STIC Version (Ext) | stic_version | STIC | Optional | String | The version of the STIC library.
STIC Hardware IDs (Ext) | stic_legacy_hw_uids | STIC | Optional | String Array | The list of Hardware IDs that have been associated with the device.
STIC Control Data ID (Ext) | stic_schema_id | STIC | Optional | String | The telemetry submission control data identifier, represented as an 8-byte hexadecimal string.
STIC Enterprise IDs (Ext) | stic_legacy_ent_uids | STIC | Optional | String Array | The list of Enterprise IDs (related to license entitlement) that have been associated with the device.
STIC PII (Ext) | stic_has_pii | STIC | Optional | Boolean | The indication of whether the event has any Personally Identifiable Information (PII).
STIC Hardware ID (Ext) | stic_hw_uid | STIC | Optional | String | The device hardware ID.
STIC Machine IDs (Ext) | stic_legacy_uids | STIC | Optional | String Array | The list of Machine IDs that have been associated with the device.
STIC IP Hash (Ext) | stic_ip_hash | STIC | Optional | String | The STIC hash of the IP address.
STIC Machine ID (Ext) | stic_uid | STIC | Optional | String | The device Machine ID.