Security Telemetry events sent to SIEM

This section explains what information security agents send to the SIEM solution (Splunk). The information is grouped by event type.

Process create

Field name	Description
cmdline	The command line that started the process.
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
elevation	The numeric ID associated with the elevation level of the process
elevation_sz	Indicates whether the process ran with elevated privileges. Possible values: `elevated` `restricted`
event_name	The event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
integrity	The numeric ID associated with the integrity level
integrity_sz	The process integrity level. Possible values: `untrusted` `low` `medium` `high` `system` These values are the equivalent of mandatory integrity levels described here.
machine_name	The host name
mitre_ids	This field contains the following information related to Mitre attack and techniques: `name` - The Mitre technique name, as documented on the official website. For example: `Command and Scripting Interpreter`. `id` - The Mitre Technique ID, as documented on the official website. For example: `T1074`. `subtechniques` - This field contains the following information related to Mitre subtechniques: `name` - The Mitre subtechnique name `id` - The Mitre subtechnique ID. For example: `T1595.002`. `categories` - This field contains the following information: `categories` - The Mitre category, the Mitre mapping of kill chain phases
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
parent_cmdline	The command line that started the parent process.
parent_elevation	The numeric ID associated with the elevation level of the parent process
parent_elevation_sz	Indicates whether the parent process ran with elevated privileges. Possible values: `elevated` `restricted`
parent_integrity	The numeric ID associated with the integrity level of the parent process
parent_integrity_sz	The integrity level of the parent process. Possible values: `untrusted` `low` `medium` `high` `system` These values are the equivalent of mandatory integrity levels described here.
parent_pid	The parent process identifier
parent_process_path	The file path of the parent process
parent_user_name	The username listed for the parent process
pid	The process identifier
process_md5	The MD5 hash of the process
process_path	The process path
process_sha	The SHA256 hash of the process
product_version	BEST product version
user_name	The user who started the process.
user_sid	The ID associated with the user account that started the process.

Terminate process

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
machine_name	The host name
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
pid	The process identifier
product_version	BEST product version

Network connection

Field name	Description
bytes_sent	The number of bytes sent by the source endpoint
bytes_received	The number of bytes received by the destination endpoint
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
direction	Indicates where the network connection originated, whether it was `inbound` or `outbound`.
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
ip_dest	The destination IP address
ip_source	The source IP address
machine_name	The host name
operation	Indicates the type of network operation performed. For example: `connect`, `disconnect`.
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
pid	The process identifier
port_dest	The destination port
port_source	The source port
process_path	The process path
product_version	BEST product version

Logon

To receive logon events successfully, you must first enable the Audit Logon policy on the endpoint.

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
ip_source	The source IP address
logon_type	The ID associated with the logon type. Possible values: `0`: correlates with `system` logon type `2`: correlates with `interactive` logon type `3`: correlates with `network` logon type `4`: correlates with `batch` logon type `5`: correlates with `service` logon type `7`: correlates with `unlock` logon type `8`: correlates with `networkcleartext` logon type `9`: correlates with `newcredentials` logon type `10`: correlates with `remoteinteractive` logon type `11`: correlates with `cachedinteractive` logon type `12`: correlates with `cachedremoteinteractive` logon type `13`: correlates with `cachedunlock` logon type `255`: correlates with `invalid` logon type
logon_type_sz	The type of login. Possible values: `system` `interactive` `network` `batch` `service` `unlock` `networkcleartext` `newcredentials` `remoteinteractive` `cachedinteractive` `cachedremoteinteractive` `cachedunlock` `invalid` To learn more about these logon types, refer to Logon types and descriptions.
machine_name	The host name
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
product_version	BEST product version
user_name	The user that performed the login

Logoff

To receive logoff events successfully, you must first enable the Audit Logoff policy on the endpoint. Follow the steps depicted here. At step 3, open the Audit Logoff policy instead.

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
machine_name	The host name
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
product_version	BEST product version
user_name	The user that logged off

Create file

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
machine_name	The host name
md5	The MD5 hash of the file
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
path	The file path
pid	The process identifier
process_sha	The SHA256 hash of the process that generated the file
process_md5	The MD5 hash of the process that generated the file
process_path	The process path
product_version	BEST product version
sha	The SHA256 hash of the file
source_path	When a file is copied to a new location, this field indicates the initial file path. Otherwise, the field is empty.
user_name	The user who started the process that generated the file.

Delete file

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
is_remote	Indicates whether the change made on a file happened via remote connection
machine_name	The host name
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
path	The file path of the deleted file
pid	The process identifier
process_sha	The SHA256 hash of the process that deleted the file
process_md5	The MD5 hash of the process that deleted the file
process_path	The process path
product_version	BEST product version
user_name	The user who started the process that deleted the file

Modify file

Field name	Description
bytes_written	A buffer (up to 64K) of the first bytes written
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
entropy	The file entropy value
event_name	Event name
event_version	Event version
extra_keys	Keys for extra information to be displayed in the generated incident
extra_values	Values corresponding to the extra_keys field.
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
is_remote	Indicates whether the change made on a file happened via remote connection
machine_name	The host name
md5	The MD5 hash of the file
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
path	The file path
pid	The process identifier
process_sha	The SHA256 hash of the process that generated the file
process_md5	The MD5 hash of the process that generated the file
process_path	The process path
product_version	BEST product version
sha	The SHA256 hash of the file
type	The ID associated with the file type. Possible values: `0`: correlates with `executable` file type `1`: correlates with `document` file type `2`: correlates with `archive` file type `3`: correlates with `script` file type `4`: correlates with `media` file type `5`: correlates with `possibleimportantformat` file type `999`: correlates with `unknown` file type
type_sz	The file type. Possible values: `executable` `document` `archive` `script` `media` `possibleimportantformat` `unknown` `possibleimportantformat` is an umbrella term. It keeps records of files that may be important for security investigation later on due to a possible data exfiltration. The targeted file extensions are: `.3dm`, `.3ds`, `.3g2`, `.3gp`, `.7z`, `.aac`, `.accdb`, `.ai`, `.aif`, `.asd`, `.asf`, `.avi`, `.bmp`, `.bz2`, `.cbr`, `.cda`, `.csv`, `.db`, `.dbf`, `.dds`, `.doc`, `.docx`, `.dwg`, `.dxf`, `.email`, `.eml`, `.emlx`, `.eps`, `.fdb`, `.flac`, `.flv`, `.frm`, `.gif`, `.gpx`, `.gslides"`, `.gz`, `.h264`, `.heic`, `.ico`, `.iff`, `.jpg`, `.kexi`, `.key`, `.kml`, `.kmz`, `.log`, `.lz`, `.m3u`, `.m4a`, `.m4v`, `.max`, `.md`, `.mdb`, `.mde`, `.mdf`, `.mid`, `.midi`, `.mkv`, `.mov`, `.mp3`, `.mp4`, `.mpa`, `.mpeg`, `.mpg`, `.msg`, `.obj`, `.odp`, `.ods`, `.odt`, `.oft`, `.ogg`, `.opus`, `.ost`, `.pdb`, `.pdf`, `.pez`, `.png`, `.pot`, `.pps`, `.ppt`, `.pptx`, `.psd`, `.pspimage`, `.pst`, `.rar`, `.rm`, `.rtf`, `.sqlite`, `.srt`, `.svg`, `.swf`, `.tar`, `.tar.gz`, `.tar.xz`, `.tex`, `.tga`, `.thm`, `.tif`, `.tiff`, `.vcf`, `.vob`, `.wav`, `.wdb`, `.wma`, `.wmv`, `.wpd`, `.wps`, `.xlr`, `.xls`, `.xls`, `.xlsm`, `.xlsx`, `.xz`, `.yuv`, `.zip`, and `.zipx`.
user_name	The user who started the process that modified the file.

Read from file

Field name	Description
bytes_read	The number of bytes read from file
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
entropy	The file entropy value
event_name	Event name
event_version	Event version
extra_keys	Keys for extra information to be displayed in the generated incident
extra_values	Values corresponding to the extra_keys field.
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
is_remote	Indicates whether the file was read via remote connection
machine_name	The host name
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
path	The file path
pid	The process identifier
process_md5	The MD5 hash of the process
process_path	The process path
process_sha	The SHA256 hash of the process
product_version	BEST product version
type	The ID associated with the file type. Possible values: `0`: correlates with `executable` file type `1`: correlates with `document` file type `2`: correlates with `archive` file type `3`: correlates with `script` file type `4`: correlates with `media` file type `5`: correlates with `possibleimportantformat` file type `999`: correlates with `unknown` file type
type_sz	The file type. Possible values: `executable` `document` `archive` `script` `media` `possibleimportantformat` `unknown` `possibleimportantformat` is an umbrella term. It keeps records of files that may be important for security investigation later on due to a possible data exfiltration. The targeted file extensions are: `.3dm`, `.3ds`, `.3g2`, `.3gp`, `.7z`, `.aac`, `.accdb`, `.ai`, `.aif`, `.asd`, `.asf`, `.avi`, `.bmp`, `.bz2`, `.cbr`, `.cda`, `.csv`, `.db`, `.dbf`, `.dds`, `.doc`, `.docx`, `.dwg`, `.dxf`, `.email`, `.eml`, `.emlx`, `.eps`, `.fdb`, `.flac`, `.flv`, `.frm`, `.gif`, `.gpx`, `.gslides"`, `.gz`, `.h264`, `.heic`, `.ico`, `.iff`, `.jpg`, `.kexi`, `.key`, `.kml`, `.kmz`, `.log`, `.lz`, `.m3u`, `.m4a`, `.m4v`, `.max`, `.md`, `.mdb`, `.mde`, `.mdf`, `.mid`, `.midi`, `.mkv`, `.mov`, `.mp3`, `.mp4`, `.mpa`, `.mpeg`, `.mpg`, `.msg`, `.obj`, `.odp`, `.ods`, `.odt`, `.oft`, `.ogg`, `.opus`, `.ost`, `.pdb`, `.pdf`, `.pez`, `.png`, `.pot`, `.pps`, `.ppt`, `.pptx`, `.psd`, `.pspimage`, `.pst`, `.rar`, `.rm`, `.rtf`, `.sqlite`, `.srt`, `.svg`, `.swf`, `.tar`, `.tar.gz`, `.tar.xz`, `.tex`, `.tga`, `.thm`, `.tif`, `.tiff`, `.vcf`, `.vob`, `.wav`, `.wdb`, `.wma`, `.wmv`, `.wpd`, `.wps`, `.xlr`, `.xls`, `.xls`, `.xlsm`, `.xlsx`, `.xz`, `.yuv`, `.zip`, and `.zipx`.
user_name	The user who started the process that read from file

Move file

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
machine_name	The host name
md5	The MD5 hash of the file
new_path	The new file path
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
path	The initial file path
pid	The process identifier
process_sha	The SHA256 hash of the process that moved the file
process_md5	The MD5 hash of the process that moved the file
process_path	The process path
product_version	BEST product version
sha	The SHA256 hash of the file that was moved
user_name	The user who started the process that moved the file.

Registry create key

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
key_path	The path to the registry key
machine_name	The host name
operation	The type of operation performed on the registry key. Possible values: `create` `write` `delete`
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
pid	The process identifier
product_version	BEST product version
user_name	The user who started the process that created the registry key.

Registry delete key

Field name	Description
company_id	Indicates the company ID in GravityZone.
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
key_path	The path to the registry key
machine_name	The host name
operation	The type of operation performed on the registry key. Possible values: `create` `write` `delete`
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
pid	The process identifier
product_version	BEST product version
user_name	The user who started the process that deleted the registry key.

Registry delete value

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
key_path	The path to the registry key
machine_name	The host name
operation	The type of operation performed on the registry key. Possible values: `create` `write` `delete`
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
pid	The process identifier
product_version	BEST product version
user_name	The user who started the process that deleted the registry value.
value	The registry value

Registry modify value

Field name	Description
company_id	Indicates the company ID in GravityZone.
ctc_version	The version of CTC security signatures
data	The data that was written into the value
data_type	The ID associated with the registry data type. Possible values: `0`: correlates with `none` data type `1`: correlates with `string` data type `2`: correlates with `expandablestring` data type `3`: correlates with `binary` data type `4`: correlates with `dword` data type `5`: correlates with `dwordbigendian` data type `6`: correlates with `link` data type `7`: correlates with `multistring` data type `8`: correlates with `resourcelist` data type `9`: correlates with `resourcedescriptor` data type `10`: correlates with `resourcerequirements` data type `11`: correlates with `qword` data type
data_type_sz	The data format for the registry value. Possible values: `none` `string` `expandablestring` `binary` `dword` `dwordbigendian` `link` `multistring` `resourcelist` `resourcedescriptor` `resourcerequirements` `qword` To learn more about these data formats, refer to Registry value types.
datetime	The date and time in Unix epoch time format
event_name	Event name
event_version	Event version
hardware_id	An ID, generated by BEST, that uniquely identifies an endpoint.
key_path	The path to the registry key
machine_name	The host name
operation	The type of operation performed on the registry key. Possible values: `create` `write` `delete`
os_family	The type of operating system. Possible values: `windows` `linux` `macos`
os_platform	The type of OS architecture, `x86`, `x64`, or `arm64`.
os_type	Indicates whether the operating system fulfils the role of a client or a server.
os_version	The operating system version. For example: `Windows 11`.
pid	The process identifier
product_version	BEST product version
user_name	The user who started the process that modified the registry value.
value	The registry value

In this section: