| Column | Type | Length | Index | Description | Example |
| --- | --- | --- | --- | --- | --- |
| ProcessID | bigint | | 4 | Ascending Identity | 1 |
| ProcessGUID | uniqueidentifier | | 2 | UUID of the process | 98C99D96-6DFA-4C95-9A87-C8665C166286 |
| EventNumber | int | | | Event Number. See List of Events section. | 153 |
| TimeGenerated | datetime | | | Event generation date/time | 2017-02-20 13:11:11.217 |
| TimeReceived | datetime | | | Event received at ER date/time | 2017-02-20 13:16:28.047 |
| EventGUID | uniqueidentifier | | | Event UUID | 9F8EB86C-AA0D-42B9-8720-166FAB91F1ED |
| PID | int | | | Process ID | 8723 |
| ParentPID | int | | | Parent Process ID | 142916 |
| CommandLine | nvarchar | 1024 | | Command Line | "C:\cygwin64\bin\sh.exe" |
| FileName | nvarchar | 255 | | File Name | c:\cygwin64\bin\sh.exe |
| ProcessStartTime | datetime | | 1 | Date/Time Process Started | 2017-02-20 13:11:11.217 |
| Reason | nvarchar | 1024 | | Reason entered by user | <None> |
| ClientIPV4 | nvarchar | 15 | | Client IP Address | 10.0.9.58 |
| ClientName | nvarchar | 1024 | | Client Name | L-CNU410DJJ7 |
| UACTriggered | bit | | | 1 if UAC shown | 0 |
| ParentProcessUniqueID | uniqueidentifier | | | Parent process UUID | C404C7F5-3A93-4C0E-81BC-9902D220C21E |
| COMCLSID | uniqueidentifier | | | COM CLSID | NULL |
| COMAppID | uniqueidentifier | | | COM Application ID | NULL |
| COMDisplayName | nvarchar | 1024 | | COM Display Name | <None> |
| ApplicationType | nvarchar | 4 | | Application Type | svc |
| TokenGUID | uniqueidentifier | | | UUID of token in policy | F30A3824-27AF-4D69-9125-C78E44764AC1 |
| Executed | bit | | | 1 if executed, 0 otherwise | 1 |
| Elevated | bit | | | 1 if elevated, 0 otherwise | 1 |
| Blocked | bit | | | 1 if blocked, 0 otherwise | 0 |
| Passive | bit | | | 1 if passive, 0 otherwise | 0 |
| Cancelled | bit | | | 1 if cancelled, 0 otherwise | 0 |
| DropAdmin | bit | | | 1 if admin rights dropped, 0 otherwise | 0 |
| EnforceUsersDefault | bit | | | 1 if user default permissions were enforced, 0 otherwise | 0 |
| Custom | bit | | | 1 if Custom Token, 0 otherwise | 0 |
| SourceURL | nvarchar | 2048 | | Source URL | <None> |
| AuthorizationChallenge | nvarchar | 9 | | Challenge Response authorization code | <None> |
| WindowsStoreAppName | nvarchar | 200 | | Windows Store application name (appx app type only) | <None> |
| WindowsStoreAppPublisher | nvarchar | 200 | | Windows Store application publisher (appx app type only) | <None> |
| WindowsStoreAppVersion | nvarchar | 200 | | Windows Store application version (appx app type only) | <None> |
| DeviceType | nvarchar | 40 | | Device Type | Fixed Disk |
| ServiceName | nvarchar | 1024 | | Service name (svc events only) | <None> |
| ServiceDisplayName | nvarchar | 1024 | | Service Display Name (svc app type only) | <None> |
| PowerShellCommand | nvarchar | 1024 | | PowerShell Command (ps1/rpsc/rpss app types only) | <None> |
| ApplicationPolicyDescription | nvarchar | 1024 | | Policy Description | <None> |
| SandboxGUID | uniqueidentifier | | | Sandbox UUID (sandbox events only) | NULL |
| SandboxName | nvarchar | 1024 | | Sandbox Name (sandbox events only) | NULL |
| BrowseSourceURL | nvarchar | 2048 | | Sandbox browse source (sandbox events only) | <None> |
| BrowseDestinationURL | nvarchar | 2048 | | Sandbox destination source (sandbox events only) | <None> |
| Classification | nvarchar | 200 | | Sandbox classification (sandbox events only) | Private (Local) |
| IEZoneTag | nvarchar | 200 | | IE Zone Tag | <None> |
| OriginSandbox | nvarchar | 40 | | Origin Sandbox | <None> |
| OriginIEZone | nvarchar | 40 | | Origin IE Zone | <None> |
| TargetSandbox | nvarchar | 40 | | Target Sandbox | <None> |
| TargetIEZone | nvarchar | 40 | | Target IE Zone | <None> |
| AuthRequestURI | nvarchar | 1024 | | Authorization request URL (osx challenge/response only) | <None> |
| PlatformVersion | nvarchar | 10 | | Platform Version | <None> |
| ControlAuthorization | bit | | | 1 if Endpoint Privilege Management authorized this macOS application | 0 |
| TrustedApplicationName | nvarchar | 1024 | | Name of the trusted application | Microsoft Word |
| TrustedApplicationVersion | nvarchar | 1024 | | Version of the trusted application | 11.1715.14393.0 |
| ParentProcessFileName | nvarchar | 1024 | | Parent process file name | Google Chrome |
| ApplicationHash | nvarchar | 40 | | SHA1 of the application | C22FF10511ECCEA1824A8DE64B678619C21B4BEE |
| ProductCode | nvarchar | 1024 | | Product Code | <None> |
| UpgradeCode | nvarchar | 1024 | | Upgrade Code | <None> |
| FileVersion | nvarchar | 1024 | | File Version | <None> |
| MD5 | nvarchar | 32 | | MD5 hash of the app | 6E641CAE42A2A7C89442AF99613FE6D6 |
| TokenAssignmentGUID | uniqueidentifier | | | UUID of the token assignment in the policy | E7654321-BBBB-5AD2-B954-1234DDC7A89D |
| TokenAssignmentIsShell | bit | | | Token assignment is for shell | 1 |
| UserSID | nvarchar | 200 | | User SID | S-1-21-123456789-123456789-16357176381125883508 |
| UserName | nvarchar | 1024 | | User Name | EGUser18 |
| UserDomainSID | nvarchar | 200 | | User Domain SID | S-1-21-123456789-123456789-1635717638 |
| UserDomainName | nvarchar | 1024 | | User Domain | EGDomain |
| UserDomainNameNETBIOS | nvarchar | 15 | | User Domain NETBIOS | EGDOMAIN |
| ChassisType | nvarchar | 40 | | Chassis Type | Laptop |
| HostSID | nvarchar | 200 | | Host SID | S-1-21-123456789-123456789-1635717638775838649 |
| HostName | nvarchar | 1024 | 3* | Host Name | EGHostWin18 |
| HostNameNETBIOS | nvarchar | 15 | 3* | Host NETBIOS | EGHOSTWIN18 |
| OS | nvarchar | | | OS Version | 10.0 |
| OSProductType | int | | | OS Product Type | |
| HostDomainSID | nvarchar | 200 | | Host Domain SID | S-1-21-123456789-123456789-1635717638 |
| HostDomainName | nvarchar | 1024 | | Host Domain | EGDomain |
| HostDomainNameNETBIOS | nvarchar | 15 | | Host Domain NETBIOS | EGDOMAIN |
| AuthUserSID | nvarchar | 200 | | Authorizing User SID | <None> |
| AuthUserName | nvarchar | 1024 | | Authorizing User | <None> |
| AuthUserDomainSID | nvarchar | 200 | | Authorizing User Domain SID | <None> |
| AuthUserDomainName | nvarchar | 1024 | | Authorizing User Domain | <None> |
| AuthUserDomainNameNETBIOS | nvarchar | 15 | | Authorizing User Domain NETBIOS | <None> |
| FileOwnerUserSID | nvarchar | 200 | | File Owner SID | S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName | nvarchar | 1024 | | File Owner | NT SERVICE\TrustedInstaller |
| FileOwnerDomainSID | nvarchar | 200 | | File Owner Domain SID | S-1-5-80 |
| FileOwnerDomainName | nvarchar | 1024 | | File Owner Domain | NT SERVICE |
| FileOwnerDomainNameNETBIOS | nvarchar | 15 | | File Owner Domain NETBIOS | <None> |
| ApplicationURI | nvarchar | 1024 | | URI of the macOS Application | com.apple.preference.datetime |
| ApplicationDescription | nvarchar | 2048 | | Application Description | c:\cygwin64\bin\sh.exe |
| FirstDiscovered | datetime | | | Time application first seen | 2017-02-07 09:14:39.413 |
| FirstExecuted | datetime | | | Time application first executed | 2017-02-07 09:07:00.000 |
| PlatformType | nvarchar | 10 | | Platform Type | Windows |
| ProductName | nvarchar | 1024 | | Product Name | ADelRCP Dynamic Link Library |
| ProductVersion | nvarchar | 1024 | | Product Version | 15.10.20056.167417 |
| Publisher | nvarchar | 1024 | | Publisher | Adobe Systems, Incorporated |
| TrustedOwner | bit | | | 1 if a trusted owner, 0 otherwise | 0 |
| MessageGUID | uniqueidentifier | | | UUID of the message in the policy | 00000000-0000-0000-0000-000000000000 |
| MessageName | nvarchar | 1024 | | Name of the message in the policy | Block Message |
| MessageType | nvarchar | 40 | | Message Type | Prompt |
| AppGroupGUID | uniqueidentifier | | | UUID of the Application Group in the Policy | 47E4A204-FC06-428B-8E73-1E36E3A65430 |
| AppGroupName | nvarchar | 1024 | | Application Group Name in the Policy | Test Policy.test |
| PolicyID | bigint | | | Internal ID of the Policy | 2 |
| PolicyGUID | uniqueidentifier | | | UUID of the Policy | E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName | nvarchar | 1024 | | Policy Name | EventGen Test Policy |
| WorkstyleName | nvarchar | 1024 | | Workstyle Name | EventGen Test Workstyle |
| ContentFileName | nvarchar | 255 | | Content File Name | c:\users\user.wp-epo-win7-64\downloads\con29 selectable feestable (1).pdf |
| ContentFileDescription | nvarchar | 1024 | | Content File Description | <None> |
| ContentFileVersion | nvarchar | 1024 | | Content File Version | <None> |
| ContentOwnerSID | nvarchar | 200 | | Content Owner SID | S-1-21-123456789-123456789-1635717638-1072059836 |
| ContentOwnerName | nvarchar | 1024 | | Content Owner | EGUser1 |
| ContentOwnerDomainSID | nvarchar | 200 | | Content Owner Domain SID | S-1-5-21-2217285736-120021366-3854014904 |
| ContentOwnerDomainName | nvarchar | 1024 | | Content Owner Domain | BEYONDTRUSTTEST58\BEYONDTRUSTTEST58.QA |
| ContentOwnerDomainNameNetBIOS | nvarchar | 15 | | Content Owner Domain NETBIOS | BEYONDTRUSTTEST58 |
| UninstallAction | nvarchar | 20 | | The uninstall action carried out | Change/Modify |
| TokenName | nvarchar | 20 | | The name of the event action | Blocked |
| TieStatus | int | | | Threat Intelligence Exchange status for the reputation of this application | 0 |
| TieScore | int | | | Threat Intelligence Exchange score for the application | |
| VtStatus | int | | | VirusTotal status for the reputation of this application | |
| RuleScriptFileName | nvarchar | 200 | | The name in config of the script associated with the rule | Get-McAfeeGTIReputation |
| RuleScriptName | nvarchar | 200 | | The name of the script set by interface | Get-McAfeeGTIReputation |
| RuleScriptVersion | nvarchar | 20 | | Version number of the script | 1.1.0 |
| RuleScriptPublisher | nvarchar | 200 | | Publisher that signed the script | BeyondTrust |
| RuleScriptRuleAffected | bit | | | True when the script has set all settable rule properties; otherwise false | True |
| RuleScriptStatus | nvarchar | 100 | | Success, or the reason the configured script did not run or did not set rule properties | Success |
| RuleScriptResult | nvarchar | 1024 | | Result of the script run | Script ran successfully |
| RuleScriptOutput | nvarchar | 1024 | | The output of the script | |
| AuthorizationSource | nvarchar | 200 | | The Authorizing User Credential Source | |
| AuthMethods | nvarchar | 1024 | | The type of authentication method selected in the Policy Editor. Possible values: Identity Provider, Password, Challenge Response, Smart Card and User Request. Multiple values can be present and will be comma separated. | |
| IdPAuthentication | nvarchar | 400 | | The credential provided when adding an Identity Provider authorization message in the Policy Editor. | |
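As an added example (not part of this schema documentation), the T-SQL below uses the outcome flags and file-provenance columns above to review elevations that policy granted to binaries whose owner is not trusted. It assumes the columns live in a SQL Server table named `dbo.Processes` (the table name is an assumption; substitute the real one) and looks back seven days.

```sql
-- Added example, not from the product documentation.
-- Assumed table name: dbo.Processes (substitute the real table holding these columns).
-- Reporting window: events generated in the last 7 days.
DECLARE @Since datetime = DATEADD(day, -7, GETUTCDATE());

WITH GrantedElevations AS (
    SELECT  p.ApplicationHash,          -- SHA1 of the binary
            p.FileName,
            p.Publisher,
            p.FileOwnerUserName,
            p.HostName,
            p.UserName,
            p.TokenName,                -- the event action applied by policy
            p.TimeGenerated
    FROM    dbo.Processes AS p
    WHERE   p.TimeGenerated >= @Since
      AND   p.Executed  = 1             -- process actually ran
      AND   p.Elevated  = 1             -- ran with elevated rights
      AND   p.Blocked   = 0             -- exclude blocked, cancelled and
      AND   p.Cancelled = 0             -- passive (audit-only) outcomes
      AND   p.Passive   = 0
      AND   p.TrustedOwner = 0          -- file owner is not a trusted owner
)
SELECT  g.ApplicationHash,
        MIN(g.FileName)            AS FileName,
        MIN(g.Publisher)           AS Publisher,
        MIN(g.FileOwnerUserName)   AS FileOwner,
        MIN(g.TokenName)           AS TokenName,
        COUNT(*)                   AS Elevations,
        COUNT(DISTINCT g.HostName) AS Hosts,
        COUNT(DISTINCT g.UserName) AS Users,
        MIN(g.TimeGenerated)       AS FirstSeenInWindow,
        MAX(g.TimeGenerated)       AS LastSeenInWindow
FROM    GrantedElevations AS g
GROUP BY g.ApplicationHash
-- Surface binaries elevated on only a few hosts: broad, well-known
-- software tends to spread across the estate; rare hashes deserve review.
HAVING  COUNT(DISTINCT g.HostName) <= 3
ORDER BY Elevations DESC, LastSeenInWindow DESC;
```

Each row is one hash, so a binary renamed or copied between hosts still aggregates together; the `TokenName` and `Publisher` columns indicate which policy action granted the rights and whether the file carried a publisher at all.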