ahnlab-epp-unknown-behaviors
Fetches the behavior logs recorded for a specified unknown threat from AhnLab EPP. Both parameters identify the threat and come from the output of the ahnlab-epp-unknowns command.
ahnlab-epp-unknown-behaviors watchobj=WATCHOBJ node=NODE
- watchobj=WATCHOBJ
  - The watch_obj_id value from the ahnlab-epp-unknowns output.
- node=NODE
  - The node_id value from the ahnlab-epp-unknowns output.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Client time | |
| profile | String | Connect profile | |
| behavior | String | Behavior | e.g. 4000005 |
| behavior_type | String | Behavior type | e.g. PROCESS |
| level | Integer | Level | e.g. 1, 2 |
| log_type | Integer | Log type | e.g. 7 |
| rule_type | Integer | Rule type | e.g. 128 |
| rule_id | String | Rule ID | e.g. 40010005 |
| rule_seq | Integer | Rule sequence | e.g. 0 |
| severity | Integer | Severity | e.g. 20 |
| score | Integer | Score | e.g. 8 |
| current_pid | Long | Current PID | |
| current_file_name | String | Current file name | e.g. svchost.exe |
| current_file_signer | String | Current file signer | e.g. Microsoft Windows Publisher |
| current_file_issuer | String | Current file issuer | e.g. Microsoft Windows Production PCA 2011 |
| is_first | Bool | First or not | |
| is_target | Bool | Target or not | |
| is_trunk | Bool | Trunk or not | |
| target_pid | Long | Target PID | |
| target_file_name | String | Target file name | e.g. rundll32.exe |
| target_file_signer | String | Target file signer | e.g. unsigned |
| target_file_issuer | String | Target file issuer | e.g. unsigned |
| src_port | String | Source port | |
| dst_ip | IP address | Destination IP | |
| dst_port | Integer | Destination port | |
| current_file_size | Long | Current file size | |
| target_file_size | Long | Target file size | |
| current_path | String | Current path | e.g. C:\WINDOWS\system32\svchost.exe |
| target_path | String | Target path | e.g. C:\WINDOWS\system32\rundll32.exe |
| target_cmd_line | String | Target command line | |
| edr_obj_id | String | EDR object ID | e.g. 60c7aa6f7356d62baf598534 |
| current_hash | String | Current hash | |
| target_hash | String | Target hash | |
| hash_algorithm | String | Hash algorithm | e.g. MD5 |
| path | String | Path | e.g. 60c7aa6f7356d62baf598532 > 60c7aa6f7356d62baf598534 |
| scan_info_flag | String | Scan info flag | e.g. 2 |
| detect_msg_seq | Integer | Detect message sequence | e.g. 4041 |
| current_file_sign_info | List | Current file sign info | signer, issuer properties |
| target_file_sign_info | List | Target file sign info | signer, issuer properties |
| mitre_info | String | MITRE info | Encoded data |
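The fields above are what an analyst actually triages: a trusted-signed parent (current_file_signer) starting an unsigned child (target_file_signer), a system binary name living outside the system directories, and the `path` chain of EDR object ids that ties one behavior to its ancestors. The script below is an added example, not code from AhnLab or from the command's documentation. It runs over constructed records that reuse the field names from the table; the object ids, paths and scores are invented, and the assumption that every id in `path` is the edr_obj_id of another record in the same result set is an assumption of this example, not something the page states.

```python
"""Triage helpers for ahnlab-epp-unknown-behaviors output.

Added example; not code from AhnLab or the Logpresso documentation.
The records below are constructed to mirror the output field names in
the table above; ids, paths and scores are invented.
"""
from collections import defaultdict

# Signers whose processes should normally start only signed children (assumption).
TRUSTED_SIGNERS = ("Microsoft Windows", "Microsoft Corporation")

# System binary names worth checking for path masquerading, and where they belong.
SYSTEM_BINARIES = {"svchost.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample rows (subset of the documented output fields), not real EPP data.
SAMPLE_BEHAVIORS = [
    {"edr_obj_id": "a1", "path": "a1", "behavior_type": "PROCESS", "score": 1, "severity": 10,
     "current_file_name": "explorer.exe", "current_file_signer": "Microsoft Windows",
     "current_path": "C:\\WINDOWS\\explorer.exe",
     "target_file_name": "svchost.exe", "target_file_signer": "Microsoft Windows Publisher",
     "target_path": "C:\\WINDOWS\\system32\\svchost.exe", "target_cmd_line": "svchost.exe -k netsvcs"},
    {"edr_obj_id": "a2", "path": "a1 > a2", "behavior_type": "PROCESS", "score": 8, "severity": 20,
     "current_file_name": "svchost.exe", "current_file_signer": "Microsoft Windows Publisher",
     "current_path": "C:\\WINDOWS\\system32\\svchost.exe",
     "target_file_name": "rundll32.exe", "target_file_signer": "unsigned",
     "target_path": "C:\\Users\\Public\\rundll32.exe",
     "target_cmd_line": "rundll32.exe C:\\Users\\Public\\upd.dll,Start"},
    {"edr_obj_id": "a3", "path": "a1 > a2 > a3", "behavior_type": "NETWORK", "score": 5, "severity": 20,
     "current_file_name": "rundll32.exe", "current_file_signer": "unsigned",
     "current_path": "C:\\Users\\Public\\rundll32.exe",
     "target_file_name": "", "target_file_signer": "", "target_path": "",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"edr_obj_id": "b1", "path": "b1", "behavior_type": "PROCESS", "score": 0, "severity": 0,
     "current_file_name": "explorer.exe", "current_file_signer": "Microsoft Windows",
     "current_path": "C:\\WINDOWS\\explorer.exe",
     "target_file_name": "notepad.exe", "target_file_signer": "Microsoft Windows Publisher",
     "target_path": "C:\\WINDOWS\\system32\\notepad.exe", "target_cmd_line": "notepad.exe"},
]


def is_trusted(signer):
    """True for a non-empty signer that is not the literal 'unsigned' and is on the trusted list."""
    return bool(signer and signer != "unsigned" and signer.startswith(TRUSTED_SIGNERS))


def unsigned_children_of_trusted(rows):
    """edr_obj_ids of PROCESS behaviors where a trusted-signed process started an unsigned binary."""
    return [r["edr_obj_id"] for r in rows
            if r.get("behavior_type") == "PROCESS"
            and is_trusted(r.get("current_file_signer"))
            and r.get("target_file_signer") == "unsigned"]


def masquerading_targets(rows):
    """edr_obj_ids whose target carries a system binary name but sits outside the system dirs."""
    hits = []
    for r in rows:
        name = (r.get("target_file_name") or "").lower()
        target_path = (r.get("target_path") or "").lower()
        if name in SYSTEM_BINARIES and not target_path.startswith(SYSTEM_DIRS):
            hits.append(r["edr_obj_id"])
    return hits


def process_chain(rows, edr_obj_id):
    """Expand one record's `path` field ('id > id > ...') into a list of file names.

    Assumption: each id in `path` is the edr_obj_id of another record in the same
    result set, resolved to that record's current_file_name; unknown ids are kept
    verbatim. The record's own target_file_name is appended when present.
    """
    by_id = {r["edr_obj_id"]: r for r in rows}
    rec = by_id[edr_obj_id]
    chain = []
    for oid in (p.strip() for p in rec["path"].split(">")):
        chain.append(by_id[oid].get("current_file_name", oid) if oid in by_id else oid)
    if rec.get("target_file_name"):
        chain.append(rec["target_file_name"])
    return chain


def score_by_root(rows):
    """Sum `score` per root object id (first id in `path`) so a noisy chain floats to the top."""
    totals = defaultdict(int)
    for r in rows:
        root = r["path"].split(">")[0].strip()
        totals[root] += int(r.get("score") or 0)
    return dict(totals)


if __name__ == "__main__":
    print("unsigned child of trusted parent:", unsigned_children_of_trusted(SAMPLE_BEHAVIORS))
    print("masquerading system binary name:", masquerading_targets(SAMPLE_BEHAVIORS))
    for hit in unsigned_children_of_trusted(SAMPLE_BEHAVIORS):
        print(hit, "chain:", " > ".join(process_chain(SAMPLE_BEHAVIORS, hit)))
    print("score per root object:", score_by_root(SAMPLE_BEHAVIORS))
```

In a real deployment the rows would be the records this command returns for one watch_obj_id / node_id pair; the checks deliberately key on the documented signer, name and path fields rather than on `mitre_info`, whose encoding the page does not describe.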