| ProcessID |
bigint |
|
4 |
Ascending Identity |
1 |
| ProcessGUID |
uniqueidentifier |
|
2 |
UUID of the process |
98C99D96-6DFA-4C95-9A87-C8665C166286 |
| EventNumber |
int |
|
|
Event Number. See List of Events section. |
153 |
| TimeGenerated |
datetime |
|
|
Event generation date/time |
2017-02-20 13:11:11.217 |
| TimeReceived |
datetime |
|
|
Event received at ER date/time |
2017-02-20 13:16:28.047 |
| EventGUID |
uniqueidentifier |
|
|
Event UUID |
9F8EB86C-AA0D-42B9-8720-166FAB91F1ED |
| PID |
int |
|
|
Process ID |
8723 |
| ParentPID |
int |
|
|
Parent Process ID |
142916 |
| CommandLine |
nvarchar |
|
1024 |
Command Line |
"C:\cygwin64\bin\sh.exe" |
| FileName |
nvarchar |
|
255 |
File Name |
c:\cygwin64\bin\sh.exe |
| ProcessStartTime |
datetime |
|
1 |
Date/Time Process Started |
2017-02-20 13:11:11.217 |
| Reason |
nvarchar |
|
1024 |
Reason entered by user |
<None> |
| ClientIPV4 |
nvarchar |
|
15 |
Client IP Address |
10.0.9.58 |
| ClientName |
nvarchar |
|
1024 |
Client Name |
L-CNU410DJJ7 |
| UACTriggered |
bit |
|
|
1 if UAC shown |
0 |
| ParentProcessUniqueID |
uniqueidentifier |
|
|
Parent process UUID |
C404C7F5-3A93-4C0E-81BC-9902D220C21E |
| COMCLSID |
uniqueidentifier |
|
|
COM CLSID |
NULL |
| COMAppID |
uniqueidentifier |
|
|
COM Application ID |
NULL |
| COMDisplayName |
nvarchar |
1024 |
|
COM Display Name |
<None> |
| ApplicationType |
nvarchar |
4 |
|
Application Type |
svc |
| TokenGUID |
uniqueidentifier |
|
|
UUID of token in policy |
F30A3824-27AF-4D69-9125-C78E44764AC1 |
| Executed |
bit |
|
|
1 if executed, 0 otherwise |
1 |
| Elevated |
bit |
|
|
1 if elevated, 0 otherwise |
1 |
| Blocked |
bit |
|
|
1 if blocked, 0 otherwise |
0 |
| Passive |
bit |
|
|
1 if passive, 0 otherwise |
0 |
| Cancelled |
bit |
|
|
1 if cancelled, 0 otherwise |
0 |
| DropAdmin |
bit |
|
|
1 if admin rights dropped, 0 otherwise |
0 |
| EnforceUsersDefault |
bit |
|
|
1 if user default permissions were enforced, 0 otherwise |
0 |
| Custom |
bit |
|
|
1 if Custom Token, 0 otherwise |
0 |
| SourceURL |
nvarchar |
2048 |
|
Source URL |
<None> |
| AuthorizationChallenge |
nvarchar |
9 |
|
Challenge Response authorization code |
<None> |
| WindowsStoreAppName |
nvarchar |
200 |
|
Windows Store application name (appx app type only) |
<None> |
| WindowsStoreAppPublisher |
nvarchar |
200 |
|
Windows Store application publisher (appx app type only) |
<None> |
| WindowsStoreAppVersion |
nvarchar |
200 |
|
Window Store application version (appx app type only) |
<None> |
| DeviceType |
nvarchar |
40 |
|
Device Type |
Fixed Disk |
| ServiceName |
nvarchar |
1024 |
|
Service name (svc events only) |
<None> |
| ServiceDisplayName |
nvarchar |
1024 |
|
Service Display Name (svc app type only) |
<None> |
| PowerShellCommand |
nvarchar |
1024 |
|
PowerShell Command (ps1/rpsc/rpss app types only) |
<None> |
| ApplicationPolicyDescription |
nvarchar |
1024 |
|
Policy Description |
<None> |
| SandboxGUID |
uniqueidentifier |
|
|
Sandbox UUID (sandbox events only) |
NULL |
| SandboxName |
nvarchar |
1024 |
|
Sandbox Name (sandbox events only) |
NULL |
| BrowseSourceURL |
nvarchar |
2048 |
|
Sandbox browse source (sandbox events only) |
<None> |
| BrowseDestinationURL |
nvarchar |
2048 |
|
Sandbox destination source (sandbox events only) |
<None> |
| Classification |
nvarchar |
200 |
|
Sandbox classification (sandbox events only) |
Private (Local) |
| IEZoneTag |
nvarchar |
200 |
|
IE Zone Tag |
<None> |
| OriginSandbox |
nvarchar |
40 |
|
Origin Sandbox |
<None> |
| OriginIEZone |
nvarchar |
40 |
|
Origin IE Zone |
<None> |
| TargetSandbox |
nvarchar |
40 |
|
Target Sandbox |
<None> |
| TargetIEZone |
nvarchar |
40 |
|
Target IE Zone |
<None> |
| AuthRequestURI |
nvarchar |
1024 |
|
Authorization request URL (osx challenge/response only) |
<None> |
| PlatformVersion |
nvarchar |
10 |
|
Platform Version |
<None> |
| ControlAuthorization |
bit |
|
|
1 is Endpoint Privilege Management authorized this macOS application |
0 |
| TrustedApplicationName |
nvarchar |
1024 |
|
Name of the trusted application |
Microsoft Word |
| TrustedApplicationVersion |
nvarchar |
1024 |
|
Version of the trusted application |
11.1715.14393.0 |
| ParentProcessFileName |
nvarchar |
1024 |
|
Parent process file name |
Google Chrome |
| ApplicationHash |
nvarchar |
40 |
|
SHA1 of the application |
C22FF10511ECCEA1824A8DE64B678619C21B4BEE |
| ProductCode |
nvarchar |
1024 |
|
Product Code |
<None> |
| UpgradeCode |
nvarchar |
1024 |
|
Upgrade Code |
<None> |
| FileVersion |
nvarchar |
1024 |
|
File Version |
<None> |
| MD5 |
nvarchar |
32 |
|
MD5 hash of the app |
6E641CAE42A2A7C89442AF99613FE6D6 |
| TokenAssignmentGUID |
uniqueidentifier |
|
|
UUID of the token assignment in the policy |
E7654321-BBBB-5AD2-B954-1234DDC7A89D |
| TokenAssignmentIsShell |
bit |
|
|
Token assignment is for shell |
1 |
| UserSID |
nvarchar |
200 |
|
User SID |
S-1-21-123456789-123456789-16357176381125883508 |
| UserName |
nvarchar |
1024 |
|
User Name |
EGUser18 |
| UserDomainSID |
nvarchar |
200 |
|
User Domain SID |
S-1-21-123456789-123456789-1635717638 |
| UserDomainName |
nvarchar |
1024 |
|
User Domain |
EGDomain |
| UserDomain NameNETBIOS |
nvarchar |
15 |
|
User Domain NETBIOS |
EGDOMAIN |
| ChassisType |
nvarchar |
40 |
|
Chassis Type |
Laptop |
| HostSID |
nvarchar |
200 |
|
Host SID |
S-1-21-123456789-123456789-1635717638775838649 |
| HostName |
nvarchar |
1024 |
3* |
Host Name |
EGHostWin18 |
| HostNameNETBIOS |
nvarchar |
15 |
3* |
Host NETBIOS |
EGHOSTWIN18 |
| OS |
nvarchar |
|
|
OS Version |
10.0 |
| OSProductType |
int |
|
|
OS Product Type |
|
| HostDomainSID |
nvarchar |
200 |
|
Host Domain SID |
S-1-21-123456789-123456789-1635717638 |
| HostDomainName |
nvarchar |
1024 |
|
Host Domain |
EGDomain |
| HostDomain
NameNETBIOS |
nvarchar |
15 |
|
Host Domain NETBIOS |
EGDOMAIN |
| AuthUserSID |
nvarchar |
200 |
|
Authorizing User SID |
<None> |
| AuthUserName |
nvarchar |
1024 |
|
Authorizing User |
<None> |
| AuthUserDomainSID |
nvarchar |
200 |
|
Authorizing User Domain SID |
<None> |
| AuthUserDomainName |
nvarchar |
1024 |
|
Authorizing User Domain |
<None> |
| AuthUserDomain
NameNETBIOS |
nvarchar |
15 |
|
Authorizing User Domain NETBIOS |
<None> |
| FileOwnerUserSID |
nvarchar |
200 |
|
File Owner SID |
S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 |
| FileOwnerUserName |
nvarchar |
1024 |
|
File Owner |
NT SERVICE\TrustedInstaller |
| FileOwnerDomainSID |
nvarchar |
200 |
|
File Owner Domain SID |
S-1-5-80 |
| FileOwnerDomainName |
nvarchar |
1024 |
|
File Owner Domain |
NT SERVICE |
| FileOwnerDomain
NameNETBIOS |
nvarchar |
15 |
|
File Owner Domain NETBIOS |
<None> |
| ApplicationURI |
nvarchar |
1024 |
|
URI of the macOS Application |
com.apple.preference.datetime |
| ApplicationDescription |
nvarchar |
2048 |
|
Application Description |
c:\cygwin64\bin\sh.exe |
| FirstDiscovered |
datetime |
|
|
Time application first seen |
2017-02-07 09:14:39.413 |
| FirstExecuted |
datetime |
|
|
Time application first executed |
2017-02-07 09:07:00.000 |
| PlatformType |
nvarchar |
10 |
|
Platform Type |
Windows |
| ProductName |
nvarchar |
1024 |
|
Product Name |
ADelRCP Dynamic Link Library |
| ProductVersion |
nvarchar |
1024 |
|
Product Version |
15.10.20056.167417 |
| Publisher |
nvarchar |
1024 |
|
Publisher |
Adobe Systems, Incorporated |
| TrustedOwner |
bit |
|
|
1 if a trusted owner, 0 otherwise |
0 |
| MessageGUID |
uniqueidentifier |
|
|
UUID of the message in the policy |
00000000-0000-0000-0000-000000000000 |
| MessageName |
nvarchar |
1024 |
|
Name of the message in the policy |
Block Message |
| MessageType |
nvarchar |
40 |
|
Message Type |
Prompt |
| AppGroupGUID |
uniqueidentifier |
|
|
UUID of the Application Group in the Policy |
47E4A204-FC06-428B-8E73-1E36E3A65430 |
| AppGroupName |
nvarchar |
1024 |
|
Application Group Name in the Policy |
Test Policy.test |
| PolicyID |
bigint |
|
|
Internal ID of the Policy |
2 |
| PolicyGUID |
uniqueidentifier |
|
|
UUID of the Policy |
E7654321-AAAA-5AD2-B954-12342918D604 |
| PolicyName |
nvarchar |
1024 |
|
Policy Name |
EventGen Test Policy |
| WorkstyleName |
nvarchar |
1024 |
|
Workstyle Name |
EventGen Test Workstyle |
| ContentFileName |
nvarchar |
255 |
|
Content File Name |
c:\users\user.wp-epo-win7-64\downloads\con29 selectable feestable (1).pdf |
| ContentFileDescription |
nvarchar |
1024 |
|
Content File Description |
<None> |
| ContentFileVersion |
nvarchar |
1024 |
|
Content File Version |
<None> |
| ContentOwnerSID |
nvarchar |
200 |
|
Content Owner SID |
S-1-21-123456789-123456789-1635717638-1072059836 |
| ContentOwnerName |
nvarchar |
1024 |
|
Content Owner |
EGUser1 |
| ContentOwnerDomainSID |
nvarchar |
200 |
|
Content Owner Domain SID |
S-1-5-21-2217285736-120021366-3854014904 |
| ContentOwnerDomainName |
nvarchar |
1024 |
|
Content Owner Domain |
BEYONDTRUSTTEST58\BEYONDTRUSTTEST58.QA |
| ContentOwnerDomain NameNetBIOS |
nvarchar |
15 |
|
Content Owner Domain NETBIOS |
BEYONDTRUSTTEST58 |
| UninstallAction |
nvarchar |
20 |
|
The uninstall action carried out |
Change/Modify |
| TokenName |
nvarchar |
20 |
|
The name of the event action |
Blocked |
| TieStatus |
int |
|
|
Threat Intelligence Exchange status for the reputation of this application |
0 |
| TieScore |
int |
|
|
Threat Intelligence Exchange score for the application |
|
| VtStatus |
int |
|
|
VirusTotal status for the reputation of this application |
|
| RuleScriptFileName |
nvarchar |
200 |
|
The name in config of the script associated with the rule |
Get-McAfeeGTIReputation |
| RuleScriptName |
nvarchar |
200 |
|
The name of the script set by interface |
Get-McAfeeGTIReputation |
| RuleScriptVersion |
nvarchar |
20 |
|
Version number of the script. |
1.1.0 |
| RuleScriptPublisher |
nvarchar |
200 |
|
Publisher that signed the script |
BeyondTrust
|
| RuleScriptRuleAffected |
bit |
|
|
True when the script has set all settable rule properties; otherwise false |
True |
| RuleScriptStatus |
nvarchar |
100 |
|
Success OR Why the configured script didn't run or set rule properties |
Success |
| RuleScriptResult |
nvarchar |
1024 |
|
Result of the script run |
Script ran successfully |
| RuleScriptOutput |
nvarchar |
1024 |
|
The output of the script |
|
| AuthorizationSource |
nvarchar |
200 |
|
The Authorizing User Credential Source |
|
| AuthMethods |
nvarchar |
1024 |
|
The type of authentication method selected in the Policy Editor. |
Possible values: Identity Provider, Password, Challenge Response, Smart Card and User Request. Multiple values can be present and will be comma separated. |
| IdPAuthentication |
nvarchar |
400 |
|
The credential provided when adding an Identity Provider authorization message in the Policy Editor. |
|
