Property Types & Relations, Symbols

Property types & Relations (condition attribute).

Property type | is(not)set | is(not) | is(not)empty | (not)starts | (not)contains | (not)ends | less, lessOrEqual, greater, greaterOrEqual
---|---|---|---|---|---|---|---
string | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
int | ✔ | ✔ | | | ✔ | | ✔
value | ✔ | ✔ | ✔ | | | |
bool | ✔ | ✔ | | | | |
date | ✔ | ✔ | | | | | ✔
set of strings | ✔ | | ✔ | | ✔ | |
IPv4 address | ✔ | ✔ | ✔ | | | |
IPv6 address | ✔ | ✔ | ✔ | | | |
set of IPv4 addresses | ✔ | | ✔ | | ✔ | |
set of IPv6 addresses | ✔ | | ✔ | | ✔ | |
Symbols

When specifying the value a property is matched against, for example
<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="svchost">
(the "svchost" string), certain properties accept a pre-defined symbol in place of a literal, so that a rule does not have to hard-code integer constants that can or will change. The following symbols are currently implemented:

- Module::WhiteList
  - None: no whitelisting for this file
  - Authoritative: the file is whitelisted by EndPoint
  - LiveGrid: the file is whitelisted by LiveGrid
  - Certificate: the file's certificate is whitelisted
- Module::SignatureType
  - Trusted (90): the signature is trusted by Endpoint
  - Valid (80): the signature is trusted by the OS
  - Adhoc (75): the certificate is self-signed
  - None (70): the file carries no signature
  - Invalid (60): the signature is not valid (corrupted or revoked)
  - Unknown (50): the certificate could not be verified
  - Present (50): the signature is present, but the certificate status is unknown
- ProcessInfo::IntegrityLevel
  - Untrusted: 0
  - Low: 4096
  - Medium: 8192
  - High: 12288
  - System: 16384
  - Protected process: 20480
- SystemInfo::SystemType
  - Windows
  - Win
  - Apple
  - macos
  - macosx
  - osx
- SystemInfo::SystemArchitecture
  - 32
  - 32bit
  - x86
  - 64
  - 64bit
  - x64
  - amd64
- <Whatever>::SidNameUse
  - "User"
  - "Group"
  - "Domain"
  - "Alias"
  - "WellKnownGroup"
  - "DeletedAccount"
  - "Invalid"
  - "Unknown"
  - "Computer"
  - "Label"
  - "LogonSession"
- UserLogonData::LogonType
  - "Unknown"
  - "Interactive"
  - "Network"
  - "Batch"
  - "Service"
  - "Unlock"
  - "NetworkCleartext"
  - "NewCredentials"
  - "RemoteInteractive"
  - "CachedInteractive"

  For the LogonType definition, see.
- CodeInjection::CodeInjectionType
  - CreateRemoteThread
  - SetThreadContext
  - ApcQueue

For example, for the ProcessInfo component and the IntegrityLevel property:
<condition component="ProcessInfo" property="IntegrityLevel" condition="is" value="Low">
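The following Python is an added example, not the product's own code: it ties the relation table to the symbol tables by checking that a `<condition>` uses a relation defined for the property's type and by resolving symbolic values such as `Low` or `Valid` to the integers listed above before comparing. It assumes self-closing `<condition .../>` elements, assumes the property types of the three properties it knows about (the page does not state them), and leaves out the negated relation forms.

```python
import xml.etree.ElementTree as ET

# Base relations per property type, transcribed from the table above (each
# "not" variant pairs with its base). int "contains" is omitted because the
# page does not describe its semantics for integers.
RELATIONS = {
    "string": {"isset", "is", "isempty", "starts", "contains", "ends"},
    "int": {"isset", "is", "less", "lessOrEqual", "greater", "greaterOrEqual"},
}
# Symbol tables from the Symbols section, keyed by "Component::Property".
SYMBOLS = {
    "ProcessInfo::IntegrityLevel": {"Untrusted": 0, "Low": 4096, "Medium": 8192,
                                    "High": 12288, "System": 16384, "Protected process": 20480},
    "Module::SignatureType": {"Trusted": 90, "Valid": 80, "Adhoc": 75, "None": 70,
                              "Invalid": 60, "Unknown": 50, "Present": 50},
}
# ASSUMED for this example: the page does not state each property's type.
PROPERTY_TYPES = {"ProcessInfo::IntegrityLevel": "int", "Module::SignatureType": "int",
                  "FileItem::FileNameWithoutExtension": "string"}
NUMERIC = {"is": lambda a, b: a == b, "less": lambda a, b: a < b,
           "lessOrEqual": lambda a, b: a <= b, "greater": lambda a, b: a > b,
           "greaterOrEqual": lambda a, b: a >= b}
TEXT = {"is": lambda a, b: a == b, "starts": str.startswith,
        "contains": lambda a, b: b in a, "ends": str.endswith}

def allowed(key, relation):
    """True when the relation is defined for the property's type (table above)."""
    return relation in RELATIONS[PROPERTY_TYPES[key]]

def resolve(key, value):
    """Map a symbol such as "Low" to its integer, otherwise parse the literal."""
    table = SYMBOLS.get(key, {})
    return table[value] if value in table else int(value)

def evaluate(condition_xml, observed):
    """Evaluate one self-closing <condition .../> against the observed value
    (int or str as the sensor reports it, None when the property is not set)."""
    el = ET.fromstring(condition_xml)
    key = f'{el.get("component")}::{el.get("property")}'
    relation, value = el.get("condition"), el.get("value")
    if not allowed(key, relation):
        raise ValueError(f"{relation!r} is not valid for {PROPERTY_TYPES[key]} {key}")
    if relation == "isset":
        return observed is not None
    if observed is None:          # an unset property matches nothing else
        return False
    if relation == "isempty":
        return observed == ""
    if PROPERTY_TYPES[key] == "int":
        return NUMERIC[relation](observed, resolve(key, value))
    return TEXT[relation](observed, value)
```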