
Raw Events processing rules

The table below explains the XDR processing rules; specifically, which events are sent to the Control Center for further correlation and investigation, and which events are ignored.

It also specifies whether any aggregation is performed and the criteria behind it.

Each entry below is one row of the table, with its four columns: Event type, Category, Processing rules, Aggregation rules.

Event type: All
Category: All
Processing rules: Ignores all events generated by the current process ID.
Aggregation rules: N/A

Event type: Create
Category: File
Processing rules:
  Ignores all files located inside:
  • %System% and %Windir%\Prefetch
  • %Program Files%
  • %Program Files (x86)%
  • %Windir%
  • Windows.Old
  • .git
  • %ProgramData%\USOPrivate
  Ignores font files (.ttf and .ttc).
Aggregation rules:
  Aggregates events based on:
  • PID
  • File path

Event type: Create
Category: Process
Processing rules: N/A
Aggregation rules: N/A

Event type: Create key
Category: Registry
Processing rules:
  Monitors only the following registry keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\SYSTEM\CurrentControlSet\Control\hivelist
  • HKLM\SYSTEM\ControlSet002\Control\Session
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKLM\SYSTEM\CurrentControlSet\services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Aggregation rules:
  Aggregates events based on:
  • PID
  • Key path

Event type: Connection
Category: Network
Processing rules: Ignores all DNS connections (destination port 53).
Aggregation rules:
  Aggregates events based on:
  • PID
  • Source IP
  • Destination IP
  • Source port
  • Destination port

Event type: Delete
Category: File
Processing rules: N/A
Aggregation rules:
  Aggregates events based on:
  • PID
  • File path

Event type: Delete key
Category: Registry
Processing rules:
  Monitors only the following registry keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\SYSTEM\CurrentControlSet\Control\hivelist
  • HKLM\SYSTEM\ControlSet002\Control\Session
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKLM\SYSTEM\CurrentControlSet\services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Aggregation rules:
  Aggregates events based on:
  • PID
  • Key path

Event type: Delete value
Category: Registry
Processing rules:
  Monitors only the following registry keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\SYSTEM\CurrentControlSet\Control\hivelist
  • HKLM\SYSTEM\ControlSet002\Control\Session
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKLM\SYSTEM\CurrentControlSet\services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Aggregation rules:
  Aggregates events based on:
  • PID
  • Key path
  • Value

Event type: Logon
Category: User
Processing rules: N/A
Aggregation rules: N/A

Event type: Logout
Category: User
Processing rules: N/A
Aggregation rules: N/A

Event type: Modify
Category: File
Processing rules:
  Ignores all files located inside:
  • %Program Files%
  • %Program Files (x86)%
  • %Windir%
  • Windows.Old
  • .git
  • %ProgramData%\USOPrivate
  Ignores font files (.ttf and .ttc).
Aggregation rules:
  Aggregates events based on:
  • PID
  • File path

Event type: Modify value
Category: Registry
Processing rules:
  Monitors only the following registry keys:
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\SYSTEM\CurrentControlSet\Control\hivelist
  • HKLM\SYSTEM\ControlSet002\Control\Session
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\system.ini\boot
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKLM\SYSTEM\CurrentControlSet\services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Aggregation rules:
  Aggregates events based on:
  • PID
  • Key path
  • Value

Event type: Move
Category: File
Processing rules: N/A
Aggregation rules: N/A

Event type: Read
Category: File
Processing rules:
  Ignores all files located inside:
  • %Program Files%
  • %Program Files (x86)%
  • %Windir%
  • Windows.Old
  • .git
  • %ProgramData%\USOPrivate
  Ignores font files (.ttf and .ttc).
Aggregation rules:
  Aggregates events based on:
  • PID
  • File path

Event type: Terminate
Category: Process
Processing rules: N/A
Aggregation rules: N/A
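The rules above decide what the Control Center ever gets to correlate, so it is worth being able to predict, for a given raw event, whether it is dropped, forwarded, or folded into an earlier event with the same aggregation key. The following Python model is an added example written for this page; it is not the product's own code, and it encodes the table as read here. Its assumptions are labelled in the code: the placeholder expansions (%System%, %Windir%, %Program Files%, %ProgramData%), the sensor's own process ID (SENSOR_PID), that "Windows.Old" and ".git" match as any path component rather than as a root prefix, and that a monitored registry key also covers its subkeys (so a new service under \services counts). The sample batch is constructed, not real telemetry.

```python
# Reference model of the raw-event processing table (added example, not vendor code).
from dataclasses import dataclass

SENSOR_PID = 4242  # assumption: the sensor's own PID, whose events are ignored
ENV = {"%System%": r"C:\Windows\System32", "%Windir%": r"C:\Windows",  # assumed expansions
       "%Program Files%": r"C:\Program Files", "%Program Files (x86)%": r"C:\Program Files (x86)",
       "%ProgramData%": r"C:\ProgramData"}
COMMON_DIRS = ["%Program Files%", "%Program Files (x86)%", "%Windir%",
               "Windows.Old", ".git", r"%ProgramData%\USOPrivate"]
IGNORED_DIRS = {"Create": ["%System%", r"%Windir%\Prefetch"] + COMMON_DIRS,
                "Modify": COMMON_DIRS, "Read": COMMON_DIRS}
FONT_EXTENSIONS = (".ttf", ".ttc")
CV, NT = r"\Software\Microsoft\Windows\CurrentVersion", r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
MONITORED_KEYS = (  # the 20 keys shared by the four registry rows of the table
    [f"HKCU{CV}\\{s}" for s in ("Run", "RunOnce", r"Explorer\User Shell Folders",
                                r"Explorer\Shell Folders")]
    + [f"HKLM{CV}\\{s}" for s in ("Run", "RunOnce", r"Policies\Explorer\Run", "RunServicesOnce",
                                  "RunServices", r"Explorer\Shell Folders",
                                  r"Explorer\User Shell Folders", r"Explorer\Browser Helper Objects")]
    + [f"HKLM{NT}\\{s}" for s in ("Winlogon", r"Winlogon\Notify", r"Winlogon\Shell",
                                  r"IniFileMapping\system.ini\boot", r"Windows\AppInit_DLLs")]
    + [r"HKLM\SYSTEM\CurrentControlSet\Control\hivelist",
       r"HKLM\SYSTEM\ControlSet002\Control\Session", r"HKLM\SYSTEM\CurrentControlSet\services"])
PREFETCH_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"
MONITORED = {"Create key": MONITORED_KEYS, "Delete key": MONITORED_KEYS,
             "Delete value": MONITORED_KEYS, "Modify value": MONITORED_KEYS + [PREFETCH_KEY]}
AGGREGATION_FIELDS = {  # (event type, category) -> fields that form the aggregation key
    **{(t, "File"): ("pid", "path") for t in ("Create", "Delete", "Modify", "Read")},
    ("Create key", "Registry"): ("pid", "key"), ("Delete key", "Registry"): ("pid", "key"),
    ("Delete value", "Registry"): ("pid", "key", "value"),
    ("Modify value", "Registry"): ("pid", "key", "value"),
    ("Connection", "Network"): ("pid", "src", "dst"),  # src/dst are (ip, port): the 5-tuple
}

@dataclass
class RawEvent:
    event_type: str
    category: str
    pid: int
    path: str = ""
    key: str = ""
    value: str = ""
    src: tuple = ("", 0)  # (ip, port)
    dst: tuple = ("", 0)

def _norm(p: str) -> str:
    for placeholder, real in ENV.items():
        p = p.replace(placeholder, real)
    return p.lower().rstrip("\\")

def _inside(path: str, rule: str) -> bool:
    p, r = _norm(path), _norm(rule)
    if "\\" not in r:  # bare names (Windows.Old, .git): assumed to match any path component
        return r in p.split("\\")
    return p == r or p.startswith(r + "\\")  # prefix match, so subkeys are covered (assumption)

def ignore_reason(ev: RawEvent):
    """Return why the sensor drops the event, or None if it goes to the Control Center."""
    if ev.pid == SENSOR_PID:
        return "own process"
    if ev.category == "File" and ev.event_type in IGNORED_DIRS:
        if any(_inside(ev.path, d) for d in IGNORED_DIRS[ev.event_type]):
            return "ignored directory"
        if ev.path.lower().endswith(FONT_EXTENSIONS):
            return "font file"
    if ev.category == "Registry" and ev.event_type in MONITORED:
        if not any(_inside(ev.key, k) for k in MONITORED[ev.event_type]):
            return "unmonitored key"
    if ev.category == "Network" and ev.event_type == "Connection" and ev.dst[1] == 53:
        return "DNS"
    return None

def process(events):
    """Drop ignored events; collapse the rest onto their aggregation key with a count."""
    forwarded, ignored = {}, []
    for ev in events:
        reason = ignore_reason(ev)
        if reason:
            ignored.append((ev, reason))
            continue
        fields = AGGREGATION_FIELDS.get((ev.event_type, ev.category))
        key = tuple(getattr(ev, f) for f in fields) if fields else id(ev)  # N/A row: no aggregation
        forwarded.setdefault((ev.event_type, ev.category, key), [ev, 0])[1] += 1
    return [tuple(v) for v in forwarded.values()], ignored

SAMPLE_EVENTS = [  # constructed batch, not real telemetry
    RawEvent("Create", "File", 100, path=r"C:\Users\alice\Downloads\setup.exe"),
    RawEvent("Create", "File", 100, path=r"C:\Users\alice\Downloads\setup.exe"),  # same PID + path
    RawEvent("Create", "File", 100, path=r"C:\Windows\Prefetch\SETUP.EXE-1A2B3C4D.pf"),
    RawEvent("Read", "File", 100, path=r"C:\Users\alice\repo\.git\config"),
    RawEvent("Modify", "File", 100, path=r"C:\Users\alice\AppData\Local\custom.ttf"),
    RawEvent("Connection", "Network", 200, src=("10.0.0.5", 50000), dst=("10.0.0.1", 53)),
    RawEvent("Connection", "Network", 200, src=("10.0.0.5", 50001), dst=("203.0.113.7", 443)),
    RawEvent("Create key", "Registry", 300, key=rf"HKCU{CV}\Run\Updater"),  # subkey of a monitored key
    RawEvent("Create key", "Registry", 300, key=r"HKCU\Software\Contoso\Settings"),
    RawEvent("Modify value", "Registry", 300, key=PREFETCH_KEY, value="EnablePrefetcher"),
    RawEvent("Delete value", "Registry", 300, key=PREFETCH_KEY, value="EnablePrefetcher"),  # Modify value only
    RawEvent("Logon", "User", 4),
    RawEvent("Create", "File", SENSOR_PID, path=r"C:\Users\alice\notes.txt"),
]
```

Running `process(SAMPLE_EVENTS)` on the constructed batch forwards five entries (the duplicated file creation collapsed to a count of 2) and drops seven, each with the row that caused it. Two details of the table stand out when modelled this way: the Delete/File row has no path filter, so a deletion under %Windir% is still forwarded even though a Create or Modify there is not, and the PrefetchParameters key is monitored only for value modifications, so deleting a value there is dropped. Those are the kinds of gaps to keep in mind when deciding where other telemetry (Sysmon, Windows audit policy) should cover what the sensor does not send.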