From 7ee1dddcdcce3226537288037cd05e70ea9345d8 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Wed, 18 Dec 2024 09:19:46 +0100
Subject: [PATCH 1/3] HarfangLab: fix on process field
---
 HarfangLab/harfanglab/ingest/parser.yml | 1 -
 HarfangLab/harfanglab/tests/process-event.json | 1 -
 HarfangLab/harfanglab/tests/process.json | 7 -------
 HarfangLab/harfanglab/tests/process3.json | 7 -------
 HarfangLab/harfanglab/tests/process4.json | 1 -
 5 files changed, 17 deletions(-)
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 2b8fb9c96..9a07a2fe4 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -207,7 +207,6 @@ stages:
 process.working_directory: "{{json_event.message.current_directory}}"
 process.pe.imphash: "{{json_event.message.pe_imphash}}"
 harfanglab.grandparent.process.executable: "{{json_event.message.grandparent_image}}"
- harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}"
 harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}"
 user.name: >
diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json
index 9f1f078f3..3428ebe94 100644
--- a/HarfangLab/harfanglab/tests/process-event.json
+++ b/HarfangLab/harfanglab/tests/process-event.json
@@ -28,7 +28,6 @@
 "harfanglab": {
 "grandparent": {
 "process": {
- "command_line": "C:\\ProgramData\\CentraStage\\AEMAgent\\AEMAge.exe",
 "executable": "C:\\Program Files (x86)\\Centra\\CagServ.exe"
 }
 },
diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json
index 024f674a3..0f1dd018c 100644
--- a/HarfangLab/harfanglab/tests/process.json
+++ b/HarfangLab/harfanglab/tests/process.json
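Review bot: The removed mapping was the only visible consumer of `json_event.message.parent_commandline`, and the fix discards that value instead of re-homing it; the old line's defect was the destination key (a parent command line filed under `harfanglab.grandparent.process.*`, which the process-event.json fixture deletion on the same line supports, since the stored command line named a different binary than the grandparent executable), not the source field. Unless a `process.parent.command_line` mapping already exists in the part of the stage outside this hunk, add `process.parent.command_line: "{{json_event.message.parent_commandline}}"` so the parent command line, a primary pivot for process-tree detections, keeps reaching the normalized event. The `stages:` block this belongs to starts and ends outside the hunk, so that cannot be confirmed here.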
@@ -25,13 +25,6 @@
 "sha256": "100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529"
 }
 },
- "harfanglab": {
- "grandparent": {
- "process": {
- "command_line": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Diagnostics.Service.exe"
- }
- }
- },
 "host": {
 "domain": "NIVURA",
 "hostname": "EXCHANGE",
diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json
index 3e464ccab..94dc5cd95 100644
--- a/HarfangLab/harfanglab/tests/process3.json
+++ b/HarfangLab/harfanglab/tests/process3.json
@@ -25,13 +25,6 @@
 "sha256": "b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15"
 }
 },
- "harfanglab": {
- "grandparent": {
- "process": {
- "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
- }
- }
- },
 "host": {
 "domain": "WORKGROUP",
 "hostname": "REDACTED",
diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json
index 3f32333c2..81c856502 100644
--- a/HarfangLab/harfanglab/tests/process4.json
+++ b/HarfangLab/harfanglab/tests/process4.json
@@ -34,7 +34,6 @@
 "C:\\Windows\\test2.exe",
 "C:\\Windows\\test3.exe"
 ],
- "command_line": "test.exe -p -e test_script.py | find test",
 "executable": "C:\\Windows\\grandparent_image.exe"
 }
 },
From 6bdf2de1c209b2b1e78e00990df30b3fd25280ff Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Wed, 18 Dec 2024 09:23:10 +0100
Subject: [PATCH 2/3] Removal of unused fields and linting
---
 HarfangLab/harfanglab/_meta/fields.yml | 391 ++++++++++++-------------
 1 file changed, 193 insertions(+), 198 deletions(-)
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index 1ad5ffb1e..7ead9c0a2 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -1,960 +1,960 @@ action.properties.ASsecurityintelligencecreationtime: - description: '' + description: "" name: action.properties.ASsecurityintelligencecreationtime type: keyword action.properties.ASsecurityintelligenceversion: - description: '' + description: "" name: action.properties.ASsecurityintelligenceversion type: keyword action.properties.AVsecurityintelligencecreationtime: - description: '' + description: "" name: action.properties.AVsecurityintelligencecreationtime type: keyword action.properties.AVsecurityintelligenceversion: - description: '' + description: "" name: action.properties.AVsecurityintelligenceversion type: keyword action.properties.AccessList: - description: '' + description: "" name: action.properties.AccessList type: keyword action.properties.AccessMask: - description: '' + description: "" name: action.properties.AccessMask type: keyword action.properties.AccessReason: - description: '' + description: "" name: action.properties.AccessReason type: keyword action.properties.ActionID: - description: '' + description: "" name: action.properties.ActionID type: keyword action.properties.ActionName: - description: '' + description: "" name: action.properties.ActionName type: keyword action.properties.AdditionalActionsID: - description: '' + description: "" name: action.properties.AdditionalActionsID type: keyword action.properties.AdditionalActionsString: - description: '' + description: "" name: action.properties.AdditionalActionsString type: keyword action.properties.AuthenticationPackageName: - description: '' + description: "" name: action.properties.AuthenticationPackageName type: keyword action.properties.BMstate: - description: '' + description: "" name: action.properties.BMstate type: keyword action.properties.CacheState: - description: '' + description: "" name: action.properties.CacheState type: keyword action.properties.CallerProcessId: - description: '' + description: "" name: action.properties.CallerProcessId type: keyword 
action.properties.CallerProcessName: - description: '' + description: "" name: action.properties.CallerProcessName type: keyword action.properties.CategoryID: - description: '' + description: "" name: action.properties.CategoryID type: keyword action.properties.CategoryName: - description: '' + description: "" name: action.properties.CategoryName type: keyword action.properties.CertIssuerName: - description: '' + description: "" name: action.properties.CertIssuerName type: keyword action.properties.CertSerialNumber: - description: '' + description: "" name: action.properties.CertSerialNumber type: keyword action.properties.CertThumbprint: - description: '' + description: "" name: action.properties.CertThumbprint type: keyword action.properties.ClassName: - description: '' + description: "" name: action.properties.ClassName type: keyword action.properties.ClientProcessId: - description: '' + description: "" name: action.properties.ClientProcessId type: keyword action.properties.ClientProcessStartKey: - description: '' + description: "" name: action.properties.ClientProcessStartKey type: keyword action.properties.CompatibleIds: - description: '' + description: "" name: action.properties.CompatibleIds type: keyword action.properties.DetectionID: - description: '' + description: "" name: action.properties.DetectionID type: keyword action.properties.DetectionTime: - description: '' + description: "" name: action.properties.DetectionTime type: keyword action.properties.DetectionUser: - description: '' + description: "" name: action.properties.DetectionUser type: keyword action.properties.DeviceID: - description: '' + description: "" name: action.properties.DeviceID type: keyword action.properties.Domain: - description: '' + description: "" name: action.properties.Domain type: keyword action.properties.ElevatedToken: - description: '' + description: "" name: action.properties.ElevatedToken type: keyword action.properties.EngineVersion: - description: '' + description: "" 
name: action.properties.EngineVersion type: keyword action.properties.Engineup-to-date: - description: '' + description: "" name: action.properties.Engineup-to-date type: keyword action.properties.Engineversion: - description: '' + description: "" name: action.properties.Engineversion type: keyword action.properties.ErrorCode: - description: '' + description: "" name: action.properties.ErrorCode type: keyword action.properties.ErrorDescription: - description: '' + description: "" name: action.properties.ErrorDescription type: keyword action.properties.ExecutionID: - description: '' + description: "" name: action.properties.ExecutionID type: keyword action.properties.ExecutionName: - description: '' + description: "" name: action.properties.ExecutionName type: keyword action.properties.FQDN: - description: '' + description: "" name: action.properties.FQDN type: keyword action.properties.FWLink: - description: '' + description: "" name: action.properties.FWLink type: keyword action.properties.FailureReason: - description: '' + description: "" name: action.properties.FailureReason type: keyword action.properties.FileNameBuffer: - description: '' + description: "" name: action.properties.FileNameBuffer type: keyword action.properties.FileNameLength: - description: '' + description: "" name: action.properties.FileNameLength type: keyword action.properties.Flags: - description: '' + description: "" name: action.properties.Flags type: keyword action.properties.Hash: - description: '' + description: "" name: action.properties.Hash type: keyword action.properties.HashSize: - description: '' + description: "" name: action.properties.HashSize type: keyword action.properties.IOAVstate: - description: '' + description: "" name: action.properties.IOAVstate type: keyword action.properties.ImpersonationLevel: - description: '' + description: "" name: action.properties.ImpersonationLevel type: keyword action.properties.IpAddress: - description: '' + description: "" name: 
action.properties.IpAddress type: keyword action.properties.IpPort: - description: '' + description: "" name: action.properties.IpPort type: keyword action.properties.IssuerName: - description: '' + description: "" name: action.properties.IssuerName type: keyword action.properties.IssuerNameLength: - description: '' + description: "" name: action.properties.IssuerNameLength type: keyword action.properties.IssuerTBSHash: - description: '' + description: "" name: action.properties.IssuerTBSHash type: keyword action.properties.IssuerTBSHashSize: - description: '' + description: "" name: action.properties.IssuerTBSHashSize type: keyword action.properties.KeyLength: - description: '' + description: "" name: action.properties.KeyLength type: keyword action.properties.LastASsecurityintelligenceage: - description: '' + description: "" name: action.properties.LastASsecurityintelligenceage type: keyword action.properties.LastAVsecurityintelligenceage: - description: '' + description: "" name: action.properties.LastAVsecurityintelligenceage type: keyword action.properties.Lastfullscanage: - description: '' + description: "" name: action.properties.Lastfullscanage type: keyword action.properties.Lastfullscanendtime: - description: '' + description: "" name: action.properties.Lastfullscanendtime type: keyword action.properties.Lastfullscansource: - description: '' + description: "" name: action.properties.Lastfullscansource type: keyword action.properties.Lastfullscanstarttime: - description: '' + description: "" name: action.properties.Lastfullscanstarttime type: keyword action.properties.Lastquickscanage: - description: '' + description: "" name: action.properties.Lastquickscanage type: keyword action.properties.Lastquickscanendtime: - description: '' + description: "" name: action.properties.Lastquickscanendtime type: keyword action.properties.Lastquickscansource: - description: '' + description: "" name: action.properties.Lastquickscansource type: keyword 
action.properties.Lastquickscanstarttime: - description: '' + description: "" name: action.properties.Lastquickscanstarttime type: keyword action.properties.Latestengineversion: - description: '' + description: "" name: action.properties.Latestengineversion type: keyword action.properties.Latestplatformversion: - description: '' + description: "" name: action.properties.Latestplatformversion type: keyword action.properties.LmPackageName: - description: '' + description: "" name: action.properties.LmPackageName type: keyword action.properties.LogonGuid: - description: '' + description: "" name: action.properties.LogonGuid type: keyword action.properties.LogonProcessName: - description: '' + description: "" name: action.properties.LogonProcessName type: keyword action.properties.LogonType: - description: '' + description: "" name: action.properties.LogonType type: keyword action.properties.MemberName: - description: '' + description: "" name: action.properties.MemberName type: keyword action.properties.NRIengineversion: - description: '' + description: "" name: action.properties.NRIengineversion type: keyword action.properties.NRIsecurityintelligenceversion: - description: '' + description: "" name: action.properties.NRIsecurityintelligenceversion type: keyword action.properties.NotValidAfter: - description: '' + description: "" name: action.properties.NotValidAfter type: keyword action.properties.NotValidBefore: - description: '' + description: "" name: action.properties.NotValidBefore type: keyword action.properties.OAstate: - description: '' + description: "" name: action.properties.OAstate type: keyword action.properties.ObjectType: - description: '' + description: "" name: action.properties.ObjectType type: keyword action.properties.OriginID: - description: '' + description: "" name: action.properties.OriginID type: keyword action.properties.OriginName: - description: '' + description: "" name: action.properties.OriginName type: keyword 
action.properties.PageHash: - description: '' + description: "" name: action.properties.PageHash type: keyword action.properties.ParentProcessId: - description: '' + description: "" name: action.properties.ParentProcessId type: keyword action.properties.Path: - description: '' + description: "" name: action.properties.Path type: keyword action.properties.Platformup-to-date: - description: '' + description: "" name: action.properties.Platformup-to-date type: keyword action.properties.Platformversion: - description: '' + description: "" name: action.properties.Platformversion type: keyword action.properties.PolicyBits: - description: '' + description: "" name: action.properties.PolicyBits type: keyword action.properties.PostCleanStatus: - description: '' + description: "" name: action.properties.PostCleanStatus type: keyword action.properties.PreAuthType: - description: '' + description: "" name: action.properties.PreAuthType type: keyword action.properties.PreExecutionStatus: - description: '' + description: "" name: action.properties.PreExecutionStatus type: keyword action.properties.PrivilegeList: - description: '' + description: "" name: action.properties.PrivilegeList type: keyword action.properties.ProcessId: - description: '' + description: "" name: action.properties.ProcessId type: keyword action.properties.ProcessName: - description: '' + description: "" name: action.properties.ProcessName type: keyword action.properties.ProcessNameBuffer: - description: '' + description: "" name: action.properties.ProcessNameBuffer type: keyword action.properties.ProcessNameLength: - description: '' + description: "" name: action.properties.ProcessNameLength type: keyword action.properties.ProductName: - description: '' + description: "" name: action.properties.ProductName type: keyword action.properties.ProductVersion: - description: '' + description: "" name: action.properties.ProductVersion type: keyword action.properties.Productstatus: - description: '' + description: 
"" name: action.properties.Productstatus type: keyword action.properties.ProfileChanged: - description: '' + description: "" name: action.properties.ProfileChanged type: keyword action.properties.PublisherName: - description: '' + description: "" name: action.properties.PublisherName type: keyword action.properties.PublisherNameLength: - description: '' + description: "" name: action.properties.PublisherNameLength type: keyword action.properties.PublisherTBSHash: - description: '' + description: "" name: action.properties.PublisherTBSHash type: keyword action.properties.PublisherTBSHashSize: - description: '' + description: "" name: action.properties.PublisherTBSHashSize type: keyword action.properties.RTPstate: - description: '' + description: "" name: action.properties.RTPstate type: keyword action.properties.RelativeTargetName: - description: '' + description: "" name: action.properties.RelativeTargetName type: keyword action.properties.RemediationUser: - description: '' + description: "" name: action.properties.RemediationUser type: keyword action.properties.RequestedPolicy: - description: '' + description: "" name: action.properties.RequestedPolicy type: keyword action.properties.RequestedSigningLevel: - description: '' + description: "" name: action.properties.RequestedSigningLevel type: keyword action.properties.RestrictedAdminMode: - description: '' + description: "" name: action.properties.RestrictedAdminMode type: keyword action.properties.RpcCallClientLocality: - description: '' + description: "" name: action.properties.RpcCallClientLocality type: keyword action.properties.RuleId: - description: '' + description: "" name: action.properties.RuleId type: keyword action.properties.RuleName: - description: '' + description: "" name: action.properties.RuleName type: keyword action.properties.ScriptBlockText: - description: '' + description: "" name: action.properties.ScriptBlockText type: keyword action.properties.SecureRequired: - description: '' + 
description: "" name: action.properties.SecureRequired type: keyword action.properties.SecurityintelligenceVersion: - description: '' + description: "" name: action.properties.SecurityintelligenceVersion type: keyword action.properties.ServiceName: - description: '' + description: "" name: action.properties.ServiceName type: keyword action.properties.ServiceSid: - description: '' + description: "" name: action.properties.ServiceSid type: keyword action.properties.SeverityID: - description: '' + description: "" name: action.properties.SeverityID type: keyword action.properties.SeverityName: - description: '' + description: "" name: action.properties.SeverityName type: keyword action.properties.ShareLocalPath: - description: '' + description: "" name: action.properties.ShareLocalPath type: keyword action.properties.ShareName: - description: '' + description: "" name: action.properties.ShareName type: keyword action.properties.Signature: - description: '' + description: "" name: action.properties.Signature type: keyword action.properties.SignatureType: - description: '' + description: "" name: action.properties.SignatureType type: keyword action.properties.SourceID: - description: '' + description: "" name: action.properties.SourceID type: keyword action.properties.SourceName: - description: '' + description: "" name: action.properties.SourceName type: keyword action.properties.State: - description: '' + description: "" name: action.properties.State type: keyword action.properties.Status: - description: '' + description: "" name: action.properties.Status type: keyword action.properties.StatusCode: - description: '' + description: "" name: action.properties.StatusCode type: keyword action.properties.StatusDescription: - description: '' + description: "" name: action.properties.StatusDescription type: keyword action.properties.SubStatus: - description: '' + description: "" name: action.properties.SubStatus type: keyword action.properties.SubjectDomainName: - 
description: '' + description: "" name: action.properties.SubjectDomainName type: keyword action.properties.SubjectLogonId: - description: '' + description: "" name: action.properties.SubjectLogonId type: keyword action.properties.SubjectUserName: - description: '' + description: "" name: action.properties.SubjectUserName type: keyword action.properties.SubjectUserSid: - description: '' + description: "" name: action.properties.SubjectUserSid type: keyword action.properties.TargetDomainName: - description: '' + description: "" name: action.properties.TargetDomainName type: keyword action.properties.TargetInfo: - description: '' + description: "" name: action.properties.TargetInfo type: keyword action.properties.TargetLinkedLogonId: - description: '' + description: "" name: action.properties.TargetLinkedLogonId type: keyword action.properties.TargetLogonGuid: - description: '' + description: "" name: action.properties.TargetLogonGuid type: keyword action.properties.TargetLogonId: - description: '' + description: "" name: action.properties.TargetLogonId type: keyword action.properties.TargetOutboundDomainName: - description: '' + description: "" name: action.properties.TargetOutboundDomainName type: keyword action.properties.TargetOutboundUserName: - description: '' + description: "" name: action.properties.TargetOutboundUserName type: keyword action.properties.TargetServerName: - description: '' + description: "" name: action.properties.TargetServerName type: keyword action.properties.TargetSid: - description: '' + description: "" name: action.properties.TargetSid type: keyword action.properties.TargetUserName: - description: '' + description: "" name: action.properties.TargetUserName type: keyword action.properties.TargetUserSid: - description: '' + description: "" name: action.properties.TargetUserSid type: keyword action.properties.TaskContent: - description: '' + description: "" name: action.properties.TaskContent type: keyword 
action.properties.TaskContentNew_Args: - description: '' + description: "" name: action.properties.TaskContentNew_Args type: keyword action.properties.TaskContentNew_Command: - description: '' + description: "" name: action.properties.TaskContentNew_Command type: keyword action.properties.TaskName: - description: '' + description: "" name: action.properties.TaskName type: keyword action.properties.ThreatID: - description: '' + description: "" name: action.properties.ThreatID type: keyword action.properties.ThreatName: - description: '' + description: "" name: action.properties.ThreatName type: keyword action.properties.TicketEncryptionType: - description: '' + description: "" name: action.properties.TicketEncryptionType type: keyword action.properties.TicketOptions: - description: '' + description: "" name: action.properties.TicketOptions type: keyword action.properties.TotalSignatureCount: - description: '' + description: "" name: action.properties.TotalSignatureCount type: keyword action.properties.TransmittedServices: - description: '' + description: "" name: action.properties.TransmittedServices type: keyword action.properties.TypeID: - description: '' + description: "" name: action.properties.TypeID type: keyword action.properties.TypeName: - description: '' + description: "" name: action.properties.TypeName type: keyword action.properties.Unused: - description: '' + description: "" name: action.properties.Unused type: keyword action.properties.Unused2: - description: '' + description: "" name: action.properties.Unused2 type: keyword action.properties.Unused3: - description: '' + description: "" name: action.properties.Unused3 type: keyword action.properties.Unused4: - description: '' + description: "" name: action.properties.Unused4 type: keyword action.properties.Unused5: - description: '' + description: "" name: action.properties.Unused5 type: keyword action.properties.Unused6: - description: '' + description: "" name: action.properties.Unused6 type: 
keyword action.properties.User: - description: '' + description: "" name: action.properties.User type: keyword action.properties.ValidatedPolicy: - description: '' + description: "" name: action.properties.ValidatedPolicy type: keyword action.properties.ValidatedSigningLevel: - description: '' + description: "" name: action.properties.ValidatedSigningLevel type: keyword action.properties.VerificationError: - description: '' + description: "" name: action.properties.VerificationError type: keyword action.properties.VirtualAccount: - description: '' + description: "" name: action.properties.VirtualAccount type: keyword action.properties.WorkstationName: - description: '' + description: "" name: action.properties.WorkstationName type: keyword action.properties.param0: - description: '' + description: "" name: action.properties.param0 type: keyword action.properties.param1: - description: '' + description: "" name: action.properties.param1 type: keyword action.properties.param10: - description: '' + description: "" name: action.properties.param10 type: keyword action.properties.param11: - description: '' + description: "" name: action.properties.param11 type: keyword action.properties.param12: - description: '' + description: "" name: action.properties.param12 type: keyword action.properties.param13: - description: '' + description: "" name: action.properties.param13 type: keyword action.properties.param14: - description: '' + description: "" name: action.properties.param14 type: keyword action.properties.param15: - description: '' + description: "" name: action.properties.param15 type: keyword action.properties.param16: - description: '' + description: "" name: action.properties.param16 type: keyword action.properties.param17: - description: '' + description: "" name: action.properties.param17 type: keyword action.properties.param18: - description: '' + description: "" name: action.properties.param18 type: keyword action.properties.param19: - description: '' + 
description: "" name: action.properties.param19 type: keyword action.properties.param2: - description: '' + description: "" name: action.properties.param2 type: keyword action.properties.param20: - description: '' + description: "" name: action.properties.param20 type: keyword action.properties.param21: - description: '' + description: "" name: action.properties.param21 type: keyword action.properties.param22: - description: '' + description: "" name: action.properties.param22 type: keyword action.properties.param3: - description: '' + description: "" name: action.properties.param3 type: keyword action.properties.param4: - description: '' + description: "" name: action.properties.param4 type: keyword action.properties.param5: - description: '' + description: "" name: action.properties.param5 type: keyword action.properties.param6: - description: '' + description: "" name: action.properties.param6 type: keyword action.properties.param7: - description: '' + description: "" name: action.properties.param7 type: keyword action.properties.param8: - description: '' + description: "" name: action.properties.param8 type: keyword action.properties.param9: - description: '' + description: "" name: action.properties.param9 type: keyword harfanglab.agent_ids: - description: '' + description: "" name: harfanglab.agent_ids type: keyword @@ -989,7 +989,7 @@ harfanglab.count.users_impacted: type: number harfanglab.execution: - description: 'Execution time ' + description: "Execution time " name: harfanglab.execution type: long @@ -998,11 +998,6 @@ harfanglab.grandparent.process.ancestors: name: harfanglab.grandparent.process.ancestors type: keyword -harfanglab.grandparent.process.command_line: - description: Command line that started the grandparent process - name: harfanglab.grandparent.process.command_line - type: keyword - harfanglab.grandparent.process.executable: description: Absolute path to the grandparent process executable name: harfanglab.grandparent.process.executable 
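Review bot: `+ description: "Execution time "` keeps the stray trailing space inside the quotes, so this lint pass re-quotes the value without fixing the one thing actually wrong with it; `description: Execution time` is what a lint should produce here. The single-to-double quote flip applied in this hunk and across the `@@ -1,960` hunk above is also reverted wholesale by the following "prettier" patch in this series (its hunk opens with `- description: ""` / `+ description: ''`), so two formatters with opposite defaults are being run back to back and the same 193 lines are rewritten twice. Pick one formatter configuration for the intake and squash the two formatting patches so the history carries only the field removal.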
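Review bot: Dropping the `harfanglab.grandparent.process.command_line` field definition is a silent breaking change for anything keyed on that name: the field was populated until the first patch in this series, so saved searches, dashboards and detection rules referencing it stop matching without any error. Since this hunk adds no replacement entry, record the removal in the intake's changelog together with the field users should pivot to instead (presumably `process.parent.command_line`, if the parser populates it outside the hunk shown in the first patch), and consider keeping the definition for one release with a deprecation note, e.g. `description: Deprecated, was populated with the parent command line; use process.parent.command_line`. The removal itself is consistent with the parser change in the first patch.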
From 3a478f3e5813c04d3e8fed9979f7b5df3510ee56 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Wed, 18 Dec 2024 09:25:14 +0100
Subject: [PATCH 3/3] prettier
---
 HarfangLab/harfanglab/_meta/fields.yml | 386 ++++++++++++-------------
 1 file changed, 193 insertions(+), 193 deletions(-)
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index 7ead9c0a2..d9fcdaa24 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -1,960 +1,960 @@ action.properties.ASsecurityintelligencecreationtime: - description: "" + description: '' name: action.properties.ASsecurityintelligencecreationtime type: keyword action.properties.ASsecurityintelligenceversion: - description: "" + description: '' name: action.properties.ASsecurityintelligenceversion type: keyword action.properties.AVsecurityintelligencecreationtime: - description: "" + description: '' name: action.properties.AVsecurityintelligencecreationtime type: keyword action.properties.AVsecurityintelligenceversion: - description: "" + description: '' name: action.properties.AVsecurityintelligenceversion type: keyword action.properties.AccessList: - description: "" + description: '' name: action.properties.AccessList type: keyword action.properties.AccessMask: - description: "" + description: '' name: action.properties.AccessMask type: keyword action.properties.AccessReason: - description: "" + description: '' name: action.properties.AccessReason type: keyword action.properties.ActionID: - description: "" + description: '' name: action.properties.ActionID type: keyword action.properties.ActionName: - description: "" + description: '' name: action.properties.ActionName type: keyword action.properties.AdditionalActionsID: - description: "" + description: '' name: action.properties.AdditionalActionsID type: keyword action.properties.AdditionalActionsString: - description: "" + description: '' name: action.properties.AdditionalActionsString type: keyword action.properties.AuthenticationPackageName: - description: "" + description: '' name: action.properties.AuthenticationPackageName type: keyword action.properties.BMstate: - description: "" + description: '' name: action.properties.BMstate type: keyword action.properties.CacheState: - description: "" + description: '' name: action.properties.CacheState type: keyword action.properties.CallerProcessId: - description: "" + description: '' name: action.properties.CallerProcessId type: keyword 
action.properties.CallerProcessName: - description: "" + description: '' name: action.properties.CallerProcessName type: keyword action.properties.CategoryID: - description: "" + description: '' name: action.properties.CategoryID type: keyword action.properties.CategoryName: - description: "" + description: '' name: action.properties.CategoryName type: keyword action.properties.CertIssuerName: - description: "" + description: '' name: action.properties.CertIssuerName type: keyword action.properties.CertSerialNumber: - description: "" + description: '' name: action.properties.CertSerialNumber type: keyword action.properties.CertThumbprint: - description: "" + description: '' name: action.properties.CertThumbprint type: keyword action.properties.ClassName: - description: "" + description: '' name: action.properties.ClassName type: keyword action.properties.ClientProcessId: - description: "" + description: '' name: action.properties.ClientProcessId type: keyword action.properties.ClientProcessStartKey: - description: "" + description: '' name: action.properties.ClientProcessStartKey type: keyword action.properties.CompatibleIds: - description: "" + description: '' name: action.properties.CompatibleIds type: keyword action.properties.DetectionID: - description: "" + description: '' name: action.properties.DetectionID type: keyword action.properties.DetectionTime: - description: "" + description: '' name: action.properties.DetectionTime type: keyword action.properties.DetectionUser: - description: "" + description: '' name: action.properties.DetectionUser type: keyword action.properties.DeviceID: - description: "" + description: '' name: action.properties.DeviceID type: keyword action.properties.Domain: - description: "" + description: '' name: action.properties.Domain type: keyword action.properties.ElevatedToken: - description: "" + description: '' name: action.properties.ElevatedToken type: keyword action.properties.EngineVersion: - description: "" + description: '' 
name: action.properties.EngineVersion type: keyword action.properties.Engineup-to-date: - description: "" + description: '' name: action.properties.Engineup-to-date type: keyword action.properties.Engineversion: - description: "" + description: '' name: action.properties.Engineversion type: keyword action.properties.ErrorCode: - description: "" + description: '' name: action.properties.ErrorCode type: keyword action.properties.ErrorDescription: - description: "" + description: '' name: action.properties.ErrorDescription type: keyword action.properties.ExecutionID: - description: "" + description: '' name: action.properties.ExecutionID type: keyword action.properties.ExecutionName: - description: "" + description: '' name: action.properties.ExecutionName type: keyword action.properties.FQDN: - description: "" + description: '' name: action.properties.FQDN type: keyword action.properties.FWLink: - description: "" + description: '' name: action.properties.FWLink type: keyword action.properties.FailureReason: - description: "" + description: '' name: action.properties.FailureReason type: keyword action.properties.FileNameBuffer: - description: "" + description: '' name: action.properties.FileNameBuffer type: keyword action.properties.FileNameLength: - description: "" + description: '' name: action.properties.FileNameLength type: keyword action.properties.Flags: - description: "" + description: '' name: action.properties.Flags type: keyword action.properties.Hash: - description: "" + description: '' name: action.properties.Hash type: keyword action.properties.HashSize: - description: "" + description: '' name: action.properties.HashSize type: keyword action.properties.IOAVstate: - description: "" + description: '' name: action.properties.IOAVstate type: keyword action.properties.ImpersonationLevel: - description: "" + description: '' name: action.properties.ImpersonationLevel type: keyword action.properties.IpAddress: - description: "" + description: '' name: 
action.properties.IpAddress type: keyword action.properties.IpPort: - description: "" + description: '' name: action.properties.IpPort type: keyword action.properties.IssuerName: - description: "" + description: '' name: action.properties.IssuerName type: keyword action.properties.IssuerNameLength: - description: "" + description: '' name: action.properties.IssuerNameLength type: keyword action.properties.IssuerTBSHash: - description: "" + description: '' name: action.properties.IssuerTBSHash type: keyword action.properties.IssuerTBSHashSize: - description: "" + description: '' name: action.properties.IssuerTBSHashSize type: keyword action.properties.KeyLength: - description: "" + description: '' name: action.properties.KeyLength type: keyword action.properties.LastASsecurityintelligenceage: - description: "" + description: '' name: action.properties.LastASsecurityintelligenceage type: keyword action.properties.LastAVsecurityintelligenceage: - description: "" + description: '' name: action.properties.LastAVsecurityintelligenceage type: keyword action.properties.Lastfullscanage: - description: "" + description: '' name: action.properties.Lastfullscanage type: keyword action.properties.Lastfullscanendtime: - description: "" + description: '' name: action.properties.Lastfullscanendtime type: keyword action.properties.Lastfullscansource: - description: "" + description: '' name: action.properties.Lastfullscansource type: keyword action.properties.Lastfullscanstarttime: - description: "" + description: '' name: action.properties.Lastfullscanstarttime type: keyword action.properties.Lastquickscanage: - description: "" + description: '' name: action.properties.Lastquickscanage type: keyword action.properties.Lastquickscanendtime: - description: "" + description: '' name: action.properties.Lastquickscanendtime type: keyword action.properties.Lastquickscansource: - description: "" + description: '' name: action.properties.Lastquickscansource type: keyword 
action.properties.Lastquickscanstarttime: - description: "" + description: '' name: action.properties.Lastquickscanstarttime type: keyword action.properties.Latestengineversion: - description: "" + description: '' name: action.properties.Latestengineversion type: keyword action.properties.Latestplatformversion: - description: "" + description: '' name: action.properties.Latestplatformversion type: keyword action.properties.LmPackageName: - description: "" + description: '' name: action.properties.LmPackageName type: keyword action.properties.LogonGuid: - description: "" + description: '' name: action.properties.LogonGuid type: keyword action.properties.LogonProcessName: - description: "" + description: '' name: action.properties.LogonProcessName type: keyword action.properties.LogonType: - description: "" + description: '' name: action.properties.LogonType type: keyword action.properties.MemberName: - description: "" + description: '' name: action.properties.MemberName type: keyword action.properties.NRIengineversion: - description: "" + description: '' name: action.properties.NRIengineversion type: keyword action.properties.NRIsecurityintelligenceversion: - description: "" + description: '' name: action.properties.NRIsecurityintelligenceversion type: keyword action.properties.NotValidAfter: - description: "" + description: '' name: action.properties.NotValidAfter type: keyword action.properties.NotValidBefore: - description: "" + description: '' name: action.properties.NotValidBefore type: keyword action.properties.OAstate: - description: "" + description: '' name: action.properties.OAstate type: keyword action.properties.ObjectType: - description: "" + description: '' name: action.properties.ObjectType type: keyword action.properties.OriginID: - description: "" + description: '' name: action.properties.OriginID type: keyword action.properties.OriginName: - description: "" + description: '' name: action.properties.OriginName type: keyword 
action.properties.PageHash: - description: "" + description: '' name: action.properties.PageHash type: keyword action.properties.ParentProcessId: - description: "" + description: '' name: action.properties.ParentProcessId type: keyword action.properties.Path: - description: "" + description: '' name: action.properties.Path type: keyword action.properties.Platformup-to-date: - description: "" + description: '' name: action.properties.Platformup-to-date type: keyword action.properties.Platformversion: - description: "" + description: '' name: action.properties.Platformversion type: keyword action.properties.PolicyBits: - description: "" + description: '' name: action.properties.PolicyBits type: keyword action.properties.PostCleanStatus: - description: "" + description: '' name: action.properties.PostCleanStatus type: keyword action.properties.PreAuthType: - description: "" + description: '' name: action.properties.PreAuthType type: keyword action.properties.PreExecutionStatus: - description: "" + description: '' name: action.properties.PreExecutionStatus type: keyword action.properties.PrivilegeList: - description: "" + description: '' name: action.properties.PrivilegeList type: keyword action.properties.ProcessId: - description: "" + description: '' name: action.properties.ProcessId type: keyword action.properties.ProcessName: - description: "" + description: '' name: action.properties.ProcessName type: keyword action.properties.ProcessNameBuffer: - description: "" + description: '' name: action.properties.ProcessNameBuffer type: keyword action.properties.ProcessNameLength: - description: "" + description: '' name: action.properties.ProcessNameLength type: keyword action.properties.ProductName: - description: "" + description: '' name: action.properties.ProductName type: keyword action.properties.ProductVersion: - description: "" + description: '' name: action.properties.ProductVersion type: keyword action.properties.Productstatus: - description: "" + description: 
'' name: action.properties.Productstatus type: keyword action.properties.ProfileChanged: - description: "" + description: '' name: action.properties.ProfileChanged type: keyword action.properties.PublisherName: - description: "" + description: '' name: action.properties.PublisherName type: keyword action.properties.PublisherNameLength: - description: "" + description: '' name: action.properties.PublisherNameLength type: keyword action.properties.PublisherTBSHash: - description: "" + description: '' name: action.properties.PublisherTBSHash type: keyword action.properties.PublisherTBSHashSize: - description: "" + description: '' name: action.properties.PublisherTBSHashSize type: keyword action.properties.RTPstate: - description: "" + description: '' name: action.properties.RTPstate type: keyword action.properties.RelativeTargetName: - description: "" + description: '' name: action.properties.RelativeTargetName type: keyword action.properties.RemediationUser: - description: "" + description: '' name: action.properties.RemediationUser type: keyword action.properties.RequestedPolicy: - description: "" + description: '' name: action.properties.RequestedPolicy type: keyword action.properties.RequestedSigningLevel: - description: "" + description: '' name: action.properties.RequestedSigningLevel type: keyword action.properties.RestrictedAdminMode: - description: "" + description: '' name: action.properties.RestrictedAdminMode type: keyword action.properties.RpcCallClientLocality: - description: "" + description: '' name: action.properties.RpcCallClientLocality type: keyword action.properties.RuleId: - description: "" + description: '' name: action.properties.RuleId type: keyword action.properties.RuleName: - description: "" + description: '' name: action.properties.RuleName type: keyword action.properties.ScriptBlockText: - description: "" + description: '' name: action.properties.ScriptBlockText type: keyword action.properties.SecureRequired: - description: "" + 
description: '' name: action.properties.SecureRequired type: keyword action.properties.SecurityintelligenceVersion: - description: "" + description: '' name: action.properties.SecurityintelligenceVersion type: keyword action.properties.ServiceName: - description: "" + description: '' name: action.properties.ServiceName type: keyword action.properties.ServiceSid: - description: "" + description: '' name: action.properties.ServiceSid type: keyword action.properties.SeverityID: - description: "" + description: '' name: action.properties.SeverityID type: keyword action.properties.SeverityName: - description: "" + description: '' name: action.properties.SeverityName type: keyword action.properties.ShareLocalPath: - description: "" + description: '' name: action.properties.ShareLocalPath type: keyword action.properties.ShareName: - description: "" + description: '' name: action.properties.ShareName type: keyword action.properties.Signature: - description: "" + description: '' name: action.properties.Signature type: keyword action.properties.SignatureType: - description: "" + description: '' name: action.properties.SignatureType type: keyword action.properties.SourceID: - description: "" + description: '' name: action.properties.SourceID type: keyword action.properties.SourceName: - description: "" + description: '' name: action.properties.SourceName type: keyword action.properties.State: - description: "" + description: '' name: action.properties.State type: keyword action.properties.Status: - description: "" + description: '' name: action.properties.Status type: keyword action.properties.StatusCode: - description: "" + description: '' name: action.properties.StatusCode type: keyword action.properties.StatusDescription: - description: "" + description: '' name: action.properties.StatusDescription type: keyword action.properties.SubStatus: - description: "" + description: '' name: action.properties.SubStatus type: keyword action.properties.SubjectDomainName: - 
description: "" + description: '' name: action.properties.SubjectDomainName type: keyword action.properties.SubjectLogonId: - description: "" + description: '' name: action.properties.SubjectLogonId type: keyword action.properties.SubjectUserName: - description: "" + description: '' name: action.properties.SubjectUserName type: keyword action.properties.SubjectUserSid: - description: "" + description: '' name: action.properties.SubjectUserSid type: keyword action.properties.TargetDomainName: - description: "" + description: '' name: action.properties.TargetDomainName type: keyword action.properties.TargetInfo: - description: "" + description: '' name: action.properties.TargetInfo type: keyword action.properties.TargetLinkedLogonId: - description: "" + description: '' name: action.properties.TargetLinkedLogonId type: keyword action.properties.TargetLogonGuid: - description: "" + description: '' name: action.properties.TargetLogonGuid type: keyword action.properties.TargetLogonId: - description: "" + description: '' name: action.properties.TargetLogonId type: keyword action.properties.TargetOutboundDomainName: - description: "" + description: '' name: action.properties.TargetOutboundDomainName type: keyword action.properties.TargetOutboundUserName: - description: "" + description: '' name: action.properties.TargetOutboundUserName type: keyword action.properties.TargetServerName: - description: "" + description: '' name: action.properties.TargetServerName type: keyword action.properties.TargetSid: - description: "" + description: '' name: action.properties.TargetSid type: keyword action.properties.TargetUserName: - description: "" + description: '' name: action.properties.TargetUserName type: keyword action.properties.TargetUserSid: - description: "" + description: '' name: action.properties.TargetUserSid type: keyword action.properties.TaskContent: - description: "" + description: '' name: action.properties.TaskContent type: keyword 
action.properties.TaskContentNew_Args: - description: "" + description: '' name: action.properties.TaskContentNew_Args type: keyword action.properties.TaskContentNew_Command: - description: "" + description: '' name: action.properties.TaskContentNew_Command type: keyword action.properties.TaskName: - description: "" + description: '' name: action.properties.TaskName type: keyword action.properties.ThreatID: - description: "" + description: '' name: action.properties.ThreatID type: keyword action.properties.ThreatName: - description: "" + description: '' name: action.properties.ThreatName type: keyword action.properties.TicketEncryptionType: - description: "" + description: '' name: action.properties.TicketEncryptionType type: keyword action.properties.TicketOptions: - description: "" + description: '' name: action.properties.TicketOptions type: keyword action.properties.TotalSignatureCount: - description: "" + description: '' name: action.properties.TotalSignatureCount type: keyword action.properties.TransmittedServices: - description: "" + description: '' name: action.properties.TransmittedServices type: keyword action.properties.TypeID: - description: "" + description: '' name: action.properties.TypeID type: keyword action.properties.TypeName: - description: "" + description: '' name: action.properties.TypeName type: keyword action.properties.Unused: - description: "" + description: '' name: action.properties.Unused type: keyword action.properties.Unused2: - description: "" + description: '' name: action.properties.Unused2 type: keyword action.properties.Unused3: - description: "" + description: '' name: action.properties.Unused3 type: keyword action.properties.Unused4: - description: "" + description: '' name: action.properties.Unused4 type: keyword action.properties.Unused5: - description: "" + description: '' name: action.properties.Unused5 type: keyword action.properties.Unused6: - description: "" + description: '' name: action.properties.Unused6 type: 
keyword action.properties.User: - description: "" + description: '' name: action.properties.User type: keyword action.properties.ValidatedPolicy: - description: "" + description: '' name: action.properties.ValidatedPolicy type: keyword action.properties.ValidatedSigningLevel: - description: "" + description: '' name: action.properties.ValidatedSigningLevel type: keyword action.properties.VerificationError: - description: "" + description: '' name: action.properties.VerificationError type: keyword action.properties.VirtualAccount: - description: "" + description: '' name: action.properties.VirtualAccount type: keyword action.properties.WorkstationName: - description: "" + description: '' name: action.properties.WorkstationName type: keyword action.properties.param0: - description: "" + description: '' name: action.properties.param0 type: keyword action.properties.param1: - description: "" + description: '' name: action.properties.param1 type: keyword action.properties.param10: - description: "" + description: '' name: action.properties.param10 type: keyword action.properties.param11: - description: "" + description: '' name: action.properties.param11 type: keyword action.properties.param12: - description: "" + description: '' name: action.properties.param12 type: keyword action.properties.param13: - description: "" + description: '' name: action.properties.param13 type: keyword action.properties.param14: - description: "" + description: '' name: action.properties.param14 type: keyword action.properties.param15: - description: "" + description: '' name: action.properties.param15 type: keyword action.properties.param16: - description: "" + description: '' name: action.properties.param16 type: keyword action.properties.param17: - description: "" + description: '' name: action.properties.param17 type: keyword action.properties.param18: - description: "" + description: '' name: action.properties.param18 type: keyword action.properties.param19: - description: "" + 
description: '' name: action.properties.param19 type: keyword action.properties.param2: - description: "" + description: '' name: action.properties.param2 type: keyword action.properties.param20: - description: "" + description: '' name: action.properties.param20 type: keyword action.properties.param21: - description: "" + description: '' name: action.properties.param21 type: keyword action.properties.param22: - description: "" + description: '' name: action.properties.param22 type: keyword action.properties.param3: - description: "" + description: '' name: action.properties.param3 type: keyword action.properties.param4: - description: "" + description: '' name: action.properties.param4 type: keyword action.properties.param5: - description: "" + description: '' name: action.properties.param5 type: keyword action.properties.param6: - description: "" + description: '' name: action.properties.param6 type: keyword action.properties.param7: - description: "" + description: '' name: action.properties.param7 type: keyword action.properties.param8: - description: "" + description: '' name: action.properties.param8 type: keyword action.properties.param9: - description: "" + description: '' name: action.properties.param9 type: keyword harfanglab.agent_ids: - description: "" + description: '' name: harfanglab.agent_ids type: keyword @@ -989,7 +989,7 @@ harfanglab.count.users_impacted: type: number harfanglab.execution: - description: "Execution time " + description: 'Execution time ' name: harfanglab.execution type: long
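Review bot: Every changed line in the `@@ -1,960 +1,960 @@` hunk reverts the `''` → `""` rewrite that the previous commit of this series applied to the same 193 description values, so the two commits cancel each other out and leave a quote-style flip-flop in the history that the next yamllint or prettier run will repeat. Squash this commit into the previous one and make the repository's formatter configuration unambiguous for `_meta/fields.yml` (prettier `singleQuote: true`, or a yamllint `quoted-strings` rule that agrees with prettier) so that exactly one tool is authoritative for this file. While here, the new line `+  description: 'Execution time '` in the `@@ -989,7 +989,7 @@` hunk still carries a trailing space inside the quotes, which becomes part of the value; `description: 'Execution time'` is what was intended.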