Operations

Copy current article URL Share via email

This article (PDF) Whole documentation (PDF)

The operations part defines which operations executed by a process raise the detection. If empty, the detection is triggered when the process generates an event.

Operations are defined using an operation element with a type attribute and an expression element.

<operation type="WriteFile">Expression</operation>

The following components are supported by all operation.

•DateTime

•EnterpriseInspector

•SystemInfo

BitsJobAddFile

A file was added to a BITS job.

Supported components:

•BitsJobAddFile

•DateTime

•EnterpriseInspector

•SystemInfo

CodeInjection

A process was subject to some form of code injection.

Supported components:

•ClientProcessInfo

•CodeInjectionInfo

•DateTime

•Enterprise

•EnterpriseInspector

•FileItem

•LiveGrid

•Module

•ProcessInfo

•SystemInfo

CreateNamedPipe

A named pipe was created.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•SystemInfo

CreateProcess

A process was created.

Supported components:

•DateTime

•Enterprise

•EnterpriseInspector

•FileItem

•LiveGrid

•Module

•ProcessInfo

•SystemInfo

DeleteFile

A file was deleted.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•SystemInfo

DeleteVolumeShadowCopy

A shadow copy of a volume was deleted.

Supported components:

•DateTime

•EnterpriseInspector

•SystemInfo

•VolumeShadowCopyInfo

Detection

This operation can be used in two different ways:

•Used in a regular rule—an event was triggered on client-side antivirus

•Used in a sequence rule—only detections triggered by Inspect

Supported components:

•DateTime

•Endpoint

•EnterpriseInspector

•InspectDetection

•Network

•SystemInfo

DnsRequest

A DNS request was made (usually IP > domain, domain > IP).

Supported components:

•DateTime

•DnsInfo

•EnterpriseInspector

•SystemInfo

HttpRequest

A HTTP request was made.

Supported components:

•DateTime

•EnterpriseInspector

•Network

•SystemInfo

LoadDLL

A DLL was loaded.

Supported components:

•DateTime

•Enterprise

•EnterpriseInspector

•FileItem

•LiveGrid

•Module

•ProcessInfo

•SystemInfo

LoadDriver

A driver or kernel module was loaded.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•Module

•SystemInfo

ModuleDrop

An executable was dropped.

Supported components:

•DateTime

•Enterprise

•EnterpriseInspector

•FileItem

•LiveGrid

•Module

•SystemInfo

MultipleFilesChanged

Process modified multiple files.

Supported components:

•DateTime

•EnterpriseInspector

•ProcessBehavior

•SystemInfo

OpenProcess

Added a new rule attribute, which triggers when a process is opened. Only the open process to lsass.exe is monitored.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•OpenProcess

•SystemInfo

ReadFile

Triggered when a monitored file was read. Monitored files refer to those which contain either sensitive information or stored credentials, for example, stored browser passwords, stored FTP clients passwords, AD database and so on.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•SystemInfo

RegDeleteKey

A registry key was deleted.

Supported components:

•DateTime

•EnterpriseInspector

•RegistryItem

•SystemInfo

RegDeleteValue

The value of the registry was deleted.

Supported components:

•DateTime

•EnterpriseInspector

•RegistryItem

•SystemInfo

RegRenameKey

A registry key was renamed.

Supported components:

•DateTime

•EnterpriseInspector

•RegistryItem

•SystemInfo

RegSetValue

A registry key was altered.

Supported components:

•DateTime

•EnterpriseInspector

•RegistryItem

•SystemInfo

RenameFile

A file was renamed.

Supported components:

•DateTime

•DestFileItem

•EnterpriseInspector

•FileItem

•SystemInfo

Scripts

A script exposed by AMSI was executed.

Supported components:

•DateTime

•EnterpriseInspector

•Scripts

•SystemInfo

ServiceInstalled

A service was installed.

Supported components:

•DateTime

•Enterprise

•EnterpriseInspector

•FileItem

•LiveGrid

•Module

•Service

•SystemInfo

ServiceStarted

A service was started.

Supported components:

•DateTime

•Enterprise

•EnterpriseInspector

•FileItem

•LiveGrid

•Module

•Service

•SystemInfo

SetFileAttribute

A file attribute was set.

Supported components:

•DateTime

•EnterpriseInspector

•FileAttribute

•FileItem

•SystemInfo

SystemApiCall

A system function was called.

Supported components:

•ApiCall

•DateTime

•EnterpriseInspector

•SystemInfo

TcpIpAccept

An incoming TCP/IP connection was accepted.

Supported components:

•DateTime

•EnterpriseInspector

•Network

•SystemInfo

TcpIpConnect

An outbound TCP/IP connection was made.

Supported components:

•DateTime

•EnterpriseInspector

•Network

•SystemInfo

TcpIpProtocolIdentified

On top of TCP/IP connection, describes the protocol used.

Supported components:

•DateTime

•EnterpriseInspector

•Network

•SystemInfo

TruncateFile

A file was truncated.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•SystemInfo

UnloadDriver

A driver or kernel module was unloaded.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•Module

•SystemInfo

UserActivate

The user was activated.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

UserAddToGroup

The user was added to the group.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

•UserGroupData

UserCreate

A new user was created.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

UserDisable

The user was disabled.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

UserLogin

The user logged in.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

•UserLogonData

UserLogout

The user logged out.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

•UserLogonData

UserRemove

The user was removed.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

UserRemoveFromGroup

The user was removed from the group.

Supported components:

•DateTime

•DoneByUser

•EnterpriseInspector

•SystemInfo

•TargetUser

•UserGroupData

WmiExecution

WMI execution event was triggered.

Supported components:

•DateTime

•FileItem

•SystemInfo

•WmiExecutionInfo

WmiPersistence

The event is generated when consumer binds to a filter.

Supported components:

•DateTime

•EnterpriseInspector

•SystemInfo

•WmiPersistenceInfo

WmiQuery

WMI query was executed on a computer.

Supported components:

•DateTime

•SystemInfo

WriteFile

A file was written to.

Supported components:

•DateTime

•EnterpriseInspector

•FileItem

•SystemInfo

Earlier versions of Windows do not produce WMI events. This functionality has been available since Windows 10 version 1803.

Some of the events provide only partial information:

•File write events—only the first file change is recorded (This is per process. If two processes change the same file, both changes are recorded)

•Registry related events—only the first registry key change is recorded (first time by a process)

•DLLLoad—only DLLs that are not whitelisted by AV are recorded

•TcpIp events—only the first connection is recorded (first time by a process)

•Http events—only the first request is recorded (first time by a process)

•ModuleDrop (a.k.a PEDrop)—it is reported only for the first drop of a given module (first time on a computer)

•AmsiTriggerEvent—only the first execution is recorded (first time on a computer)

˄˅