Property Types & Relations, Symbols
Property types & Relations (condition attribute).
| Property type | is(not)set | is(not) | is(not)empty | (not)starts | (not)contains | (not)ends | less, lessOrEqual, greater, greaterOrEqual |
|---|---|---|---|---|---|---|---|
| string | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| int | ✔ | ✔ | | | ✔ | | ✔ |
| value | ✔ | ✔ | ✔ | | | | |
| bool | ✔ | ✔ | | | | | |
| date | ✔ | ✔ | | | | | ✔ |
| set of strings | ✔ | | ✔ | | ✔ | | |
| IPv4 Address | ✔ | ✔ | ✔ | | | | |
| IPv6 Address | ✔ | ✔ | ✔ | | | | |
| set of IPv4 addresses | ✔ | | ✔ | | ✔ | | |
| set of IPv6 addresses | ✔ | | ✔ | | ✔ | | |
Symbols
When specifying the value a property is matched against, for example the "svchost" string in

```xml
<condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="svchost"/>
```

certain properties accept a name from a set of pre-defined symbols instead of a literal. This avoids hard-coding integer constants that can (and will) change between versions. The symbols currently implemented are:
- Module::WhiteList
  - None
  - Authoritative
  - LiveGrid
  - Certificate
- Module::SignatureType
  - Trusted
  - Valid
  - None
  - Invalid
  - Unknown
- ProcessInfo::IntegrityLevel
  - Untrusted
  - Low
  - Medium
  - High
  - System
  - Protected process
- SystemInfo::SystemType
  - Windows
  - Win
  - Apple
  - macos
  - macosx
  - osx
- SystemInfo::SystemArchitecture
  - 32
  - 32bit
  - x86
  - 64
  - 64bit
  - x64
  - amd64
- \<Whatever\>::SidNameUse
  - "User"
  - "Group"
  - "Domain"
  - "Alias"
  - "WellKnownGroup"
  - "DeletedAccount"
  - "Invalid"
  - "Unknown"
  - "Computer"
  - "Label"
  - "LogonSession"
- UserLogonData::LogonType
  - "Unknown"
  - "Interactive"
  - "Network"
  - "Batch"
  - "Service"
  - "Unlock"
  - "NetworkCleartext"
  - "NewCredentials"
  - "RemoteInteractive"
  - "CachedInteractive"

  For LogonType definition, see.
- CodeInjection::CodeInjectionType
  - CreateRemoteThread
  - SetThreadContext
  - ApcQueue
For example, for the ProcessInfo component and the IntegrityLevel property:

```xml
<condition component="ProcessInfo" property="IntegrityLevel" condition="is" value="Low">
```
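The following is an added example (not code from the original page or from the rules engine it describes) that ties the two sections together: it parses a single `<condition .../>` element, checks that the requested relation is one the table above allows for the property's type, resolves symbolic values such as `Low` for `ProcessInfo::IntegrityLevel`, and evaluates the condition against a constructed event. Everything beyond what the page states is an assumption and labelled as such in the code: the property-to-type assignments, the spelling of the negated relation names (`isnot`, `isnotset`, `notstarts`, ...), and the integer each symbol resolves to (the page deliberately does not publish those constants, so a list index stands in for them).

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import date

# Relation families each property type supports, transcribed from the table on
# this page (columns: set, is, empty, starts, contains, ends, ordering).
SUPPORTED = {
    "string": {"set", "is", "empty", "starts", "contains", "ends"},
    "int": {"set", "is", "contains", "order"},
    "value": {"set", "is", "empty"},
    "bool": {"set", "is"},
    "date": {"set", "is", "order"},
    "set of strings": {"set", "empty", "contains"},
    "IPv4 Address": {"set", "is", "empty"},
    "IPv6 Address": {"set", "is", "empty"},
    "set of IPv4 addresses": {"set", "empty", "contains"},
    "set of IPv6 addresses": {"set", "empty", "contains"},
}

# Symbolic values from the "Symbols" section. A symbol resolves to its list
# index; that index is a CONSTRUCTED stand-in for the product's internal
# integer constant, which the page intentionally does not publish.
SYMBOLS = {
    "ProcessInfo::IntegrityLevel": ["Untrusted", "Low", "Medium", "High", "System", "Protected process"],
    "Module::SignatureType": ["Trusted", "Valid", "None", "Invalid", "Unknown"],
    "CodeInjection::CodeInjectionType": ["CreateRemoteThread", "SetThreadContext", "ApcQueue"],
}

# ASSUMPTION: the page does not say which type each property has; these
# assignments (and the Network::RemoteAddresses property itself) are illustrative.
PROPERTY_TYPES = {
    "FileItem::FileNameWithoutExtension": "string",
    "ProcessInfo::IntegrityLevel": "int",
    "ProcessInfo::StartTime": "date",
    "Network::RemoteAddresses": "set of IPv4 addresses",
}

ORDER_OPS = {
    "less": lambda a, b: a < b,
    "lessOrEqual": lambda a, b: a <= b,
    "greater": lambda a, b: a > b,
    "greaterOrEqual": lambda a, b: a >= b,
}
FAMILIES = {"set", "is", "empty", "starts", "contains", "ends"}


def split_relation(cond):
    """Map a condition attribute to (family, negated).
    ASSUMPTION: negated forms are spelled the way the table headers suggest,
    e.g. 'isnot', 'isnotset', 'isnotempty', 'notstarts', 'notcontains'."""
    if cond in ORDER_OPS:
        return "order", False
    negated = cond.startswith("isnot") or cond.startswith("not")
    if cond.startswith("is"):
        rest = cond[5:] if negated else cond[2:]          # "", "set" or "empty"
        family = {"": "is", "set": "set", "empty": "empty"}.get(rest)
    else:
        family = cond[3:] if negated else cond
    if family not in FAMILIES:
        raise ValueError(f"unknown condition {cond!r}")
    return family, negated


def symbol_index(key, name):
    """Resolve a symbolic value such as 'Low' for ProcessInfo::IntegrityLevel."""
    return SYMBOLS[key].index(name)


def resolve_value(key, ptype, raw):
    """Convert the value attribute into the Python type the property compares as."""
    if key in SYMBOLS and raw in SYMBOLS[key]:
        return symbol_index(key, raw)
    if ptype == "int":
        return int(raw)
    if ptype == "bool":
        return raw.lower() in ("true", "1")
    if ptype == "date":
        return date.fromisoformat(raw)
    if "IPv4" in ptype or "IPv6" in ptype:
        return ipaddress.ip_address(raw)   # also the element type of the set variants
    return raw                             # string, value, set-of-strings element


def evaluate(condition_xml, event):
    """Evaluate one <condition .../> element against an event given as a dict
    keyed 'Component::Property'. A missing key means the property is not set."""
    el = ET.fromstring(condition_xml)
    key = f"{el.attrib['component']}::{el.attrib['property']}"
    ptype, cond = PROPERTY_TYPES[key], el.attrib["condition"]
    family, negated = split_relation(cond)
    if family not in SUPPORTED[ptype]:          # enforce the table above
        raise ValueError(f"{cond!r} is not defined for property type {ptype!r}")
    actual = event.get(key)
    if family == "set":
        result = actual is not None
    elif actual is None:
        result = False                          # nothing to compare against
    elif family == "empty":
        result = not actual                     # "" or an empty set
    else:
        expected = resolve_value(key, ptype, el.attrib["value"])
        if family == "is":
            result = actual == expected
        elif family == "order":
            result = ORDER_OPS[cond](actual, expected)
        elif family == "starts":
            result = actual.startswith(expected)
        elif family == "ends":
            result = actual.endswith(expected)
        else:                                   # contains
            if ptype == "int":                  # the table allows it, the page gives no semantics
                raise NotImplementedError("contains on int is not defined on this page")
            result = expected in actual         # substring for strings, membership for sets
    return (not result) if negated else result


def make_sample_event():
    """CONSTRUCTED event: a low-integrity svchost with one remote peer, no StartTime."""
    return {
        "FileItem::FileNameWithoutExtension": "svchost",
        "ProcessInfo::IntegrityLevel": symbol_index("ProcessInfo::IntegrityLevel", "Low"),
        "Network::RemoteAddresses": {ipaddress.ip_address("10.0.0.5")},
    }
```

Note that the page's own `<condition>` examples are shown without the closing `/>`; the parser here needs a well-formed self-closing element. The type check raises before any comparison, so a rule that applies, say, `starts` to an `int` property fails loudly at load time rather than silently never matching.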