Property Types & Relations, Symbols
Property types & Relations (condition attribute).
| Property type | is(not)set | is(not) | is(not)empty | (not)starts | (not)contains | (not)ends | less, lessOrEqual, greater, greaterOrEqual |
|---|---|---|---|---|---|---|---|
| string | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| symbol | ✔ | ✔ | ✔ | | ✔ | | |
| int | ✔ | ✔ | ✔ | | ✔ | | ✔ |
| bool | ✔ | ✔ | | | | | |
| date | ✔ | ✔ | | | | | ✔ |
| hash | ✔ | ✔ | ✔ | | | | |
| uuid | ✔ | ✔ | | | | | |
| path | ✔ | ✔ | ✔ | ✔ | ✔ | | |
| IPv4 Address | ✔ | ✔ | ✔ | | | | |
| IPv6 Address | ✔ | ✔ | ✔ | | | | |
| set of values | ✔ | | ✔ | | ✔ | | |
Symbols
When specifying a value for a property to be matched against, for example:
<condition component="ApiCall" property="ApiName" condition="is" value="RegisterRawInputDevices"/>
For the symbol property type, you can use either the integer code or the string name of the predefined symbol.
For example, for the ApiCall component and its ApiName property, the supported values are:
• 0 — SetWinEventHook
• 1 — SetWindowsHookEx
• 2 — RegisterRawInputDevices
• 3 — GetAsyncKeyState
• 4 — UiLimitWriteClipboard
• 5 — UiWriteClipboard
• 6 — CredEnumerate
• 7 — CredReadDomainCredentials
• 8 — CredFindBestCredential
• 9 — CredBackupCredentials
• 10 — CredRead
• 11 — CredReadByTokenHandle
• 12 — VaultEnumerateCredentials
• 21845 — RawSocketCreated
• 21846 — SocketFilterAttached
As the value, you can use either the integer code 2:
<condition component="ApiCall" property="ApiName" condition="is" value="2"/>
or the string value RegisterRawInputDevices:
<condition component="ApiCall" property="ApiName" condition="is" value="RegisterRawInputDevices"/>
Both conditions match the same API call. Currently, the symbol type is implemented in the following components and properties:
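The following Python script is an added example and is not part of this documentation or of the product's rule engine. It encodes the property-type / relation table above and the ApiCall ApiName symbol list, then checks a single condition element: it rejects relations the table does not allow for the property type, and for symbol properties it accepts either the integer code or the name and normalises to the name. The concrete condition attribute spellings ("isnotset", "notstarts", and so on) are an assumption expanded from the table's "(not)" shorthand; the helper names (allowed_relations, resolve_symbol, check_condition) are this example's own.

```python
import xml.etree.ElementTree as ET

# Relation families exactly as the table names them. The concrete condition
# attribute values on the right are an ASSUMPTION expanded from the "(not)"
# shorthand; check them against the product's rule reference before relying on them.
RELATION_FAMILIES = {
    "is(not)set": ("isset", "isnotset"),
    "is(not)": ("is", "isnot"),
    "is(not)empty": ("isempty", "isnotempty"),
    "(not)starts": ("starts", "notstarts"),
    "(not)contains": ("contains", "notcontains"),
    "(not)ends": ("ends", "notends"),
    "comparison": ("less", "lessOrEqual", "greater", "greaterOrEqual"),
}

# Families supported by each property type, transcribed row by row from the table.
TYPE_FAMILIES = {
    "string": ["is(not)set", "is(not)", "is(not)empty", "(not)starts", "(not)contains", "(not)ends"],
    "symbol": ["is(not)set", "is(not)", "is(not)empty", "(not)contains"],
    "int": ["is(not)set", "is(not)", "is(not)empty", "(not)contains", "comparison"],
    "bool": ["is(not)set", "is(not)"],
    "date": ["is(not)set", "is(not)", "comparison"],
    "hash": ["is(not)set", "is(not)", "is(not)empty"],
    "uuid": ["is(not)set", "is(not)"],
    "path": ["is(not)set", "is(not)", "is(not)empty", "(not)starts", "(not)contains"],
    "IPv4 Address": ["is(not)set", "is(not)", "is(not)empty"],
    "IPv6 Address": ["is(not)set", "is(not)", "is(not)empty"],
    "set of values": ["is(not)set", "is(not)empty", "(not)contains"],
}

# Symbol codes for the ApiCall component's ApiName property, from the list above.
API_NAME_SYMBOLS = {
    0: "SetWinEventHook", 1: "SetWindowsHookEx", 2: "RegisterRawInputDevices",
    3: "GetAsyncKeyState", 4: "UiLimitWriteClipboard", 5: "UiWriteClipboard",
    6: "CredEnumerate", 7: "CredReadDomainCredentials", 8: "CredFindBestCredential",
    9: "CredBackupCredentials", 10: "CredRead", 11: "CredReadByTokenHandle",
    12: "VaultEnumerateCredentials", 21845: "RawSocketCreated",
    21846: "SocketFilterAttached",
}


def allowed_relations(property_type):
    """Return the set of condition attribute values the table allows for a type."""
    if property_type not in TYPE_FAMILIES:
        raise ValueError(f"unknown property type: {property_type!r}")
    return {rel for fam in TYPE_FAMILIES[property_type] for rel in RELATION_FAMILIES[fam]}


def resolve_symbol(value, symbols):
    """Accept an integer code or a symbol name; return the canonical name.

    Raises ValueError for a code or name the symbol table does not define, so a
    typo in a rule fails loudly instead of silently matching nothing."""
    value = value.strip()
    if value.lstrip("-").isdigit():
        code = int(value)
        if code in symbols:
            return symbols[code]
        raise ValueError(f"unknown symbol code {code}")
    if value in symbols.values():
        return value
    raise ValueError(f"unknown symbol name {value!r}")


def check_condition(xml_text, property_type, symbols=None):
    """Validate one <condition .../> element against the table.

    Returns (ok, message, normalised_value). For symbol properties the value is
    normalised to the symbol name when a symbol table is supplied."""
    elem = ET.fromstring(xml_text)
    if elem.tag != "condition":
        return False, f"expected <condition>, got <{elem.tag}>", None
    relation = elem.get("condition")
    if relation not in allowed_relations(property_type):
        return False, f"{relation!r} is not supported for {property_type}", None
    value = elem.get("value")
    if property_type == "symbol" and symbols is not None and value is not None:
        try:
            value = resolve_symbol(value, symbols)
        except ValueError as exc:
            return False, str(exc), None
    return True, "ok", value


if __name__ == "__main__":
    # Constructed sample conditions: the two forms from the text, one bad code,
    # and a relation the table does not allow for symbols.
    samples = [
        '<condition component="ApiCall" property="ApiName" condition="is" value="2"/>',
        '<condition component="ApiCall" property="ApiName" condition="is" value="RegisterRawInputDevices"/>',
        '<condition component="ApiCall" property="ApiName" condition="is" value="99"/>',
        '<condition component="ApiCall" property="ApiName" condition="starts" value="Cred"/>',
    ]
    for sample in samples:
        print(check_condition(sample, "symbol", API_NAME_SYMBOLS))
```

Running the script shows the code form and the name form normalising to the same symbol, while the unknown code and the unsupported "starts" relation are reported as errors. The same check_condition call works for the other property types in the table by passing the type name and omitting the symbol table.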
• ApiCall, for property ApiName
• BitsJobAddFile, for property SidNameUse
• ClientModule, for properties FileOrigin, SignatureType, Whitelist
• ClientProcessInfo, for property IntegrityLevel
• CodeInjectionInfo, for property CodeInjectionType
• DnsInfo, for property DnsResponseType
• DoneByUser, for property SidNameUse
• Endpoint, for properties DetectionType, Scanner, ScannerObjectType, Severity
• FileAttribute, for property Attribute
• InspectDetection, for property RuleSeverity
• Module, for properties FileOrigin, SignatureType, Whitelist
• OpenProcess, for property AccessRight
• ProcessInfo, for property IntegrityLevel
• ScheduledTask, for property Type
• Service, for property LoadType
• ServiceProcessInfo, for property IntegrityLevel
• SystemInfo, for properties SystemArchitecture, SystemType
• TargetUser, for property SidNameUse
• UserGroupData, for property SidNameUse
• UserLogonData, for property LogonType