ahnlab-epp-unknown-detail
Fetch unknown detail from AhnLab EPP
ahnlab-epp-unknown-detail watchobj=WATCHOBJ node=NODE [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- watchobj=WATCHOBJ
  - watch_obj_id from the output of ahnlab-epp-unknowns
- node=NODE
  - node_id from the output of ahnlab-epp-unknowns
- duration=NUM{mon|w|d|h|m|s}
  - Scan only recent data. Use one of the time units s (second), m (minute), h (hour), d (day), w (week), or mon (month). For example, 10s means data from 10 seconds earlier.
- from=yyyyMMddHHmmss
  - Start time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros.
- to=yyyyMMddHHmmss
  - End time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros.
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Client time | |
| profile | String | Connect profile | |
| host_ip | IP address | Host IP | |
| hostname | String | Hostname | |
| user | String | User | |
| department | String | Department | |
| severity | Integer | Severity | |
| status | String | Workflow status | |
| signature | String | Detection name | e.g. Suspicious/EDR.Infostealer.M3269;2207;300001A |
| detect_agent_count | Integer | Detected agent count | |
| md5 | String | MD5 | |
| file_name | String | File name | |
| file_size | Long | File size | Size of file |
| file_signer | String | File signer | |
| file_issuer | String | File issuer | |
| file_path | String | File path | |
| is_server | Bool | Server or not | |
| detect_agent_list | String | List of detect agent ID | |
| fileless_type | Bool | Fileless type | |
| exploit_type | Bool | Exploit type | |
| privilege_type | Bool | Privilege type | |
| ransomware_type | Bool | Ransomware type | |
| network_type | Bool | Network type | |
| injection_type | Bool | Injection type | |
| infostealer_type | Bool | Infostealer type | |
| system_setting_type | Bool | System setting type | |
| etc_type | Bool | Other type | |
| platform_type | String | Platform type | e.g. WINDOWS |
| platform_id | String | Platform ID | e.g. WINDOWS_10_ENTERPRISE_X64 |
| platform_name | String | Platform name | e.g. Windows 10 Enterprise x64 |
| connection_status | String | Connection status | e.g. CONNECTED |
| ip_connected | IP address | Connected IP address | |
| net_block_status | String | Quarantine status | |
| product_id | String | Product ID | e.g. V3IS_9.0 |
| product_name | String | Product name | e.g. AhnLab V3 Internet Security 9.0 |
| engine_version | String | Engine version | e.g. 2021.06.14.02 |
| last_scan_time | Date | Last scan time | |
| file_sign_info | String | File sign info | |
| inflow_route | String | Inflow route | |
| target_count | Integer | Target count | |
| target_type_info | String | Target type info | |
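An added triage query, not part of the original reference, showing how the command's arguments and output fields fit together: it pulls the last week of detail records for one unknown and keeps only high-severity entries tagged as ransomware or infostealer behaviour, sorted so the most widespread ones come first. The watchobj and node values are constructed placeholders; take the real ones from the watch_obj_id and node_id columns of ahnlab-epp-unknowns.

```logpresso
ahnlab-epp-unknown-detail watchobj=WATCHOBJ_FROM_UNKNOWNS node=NODE_FROM_UNKNOWNS duration=7d
| search severity >= 3 and (ransomware_type == true or infostealer_type == true)
| fields _time, hostname, user, department, severity, signature, md5, file_path, file_signer, detect_agent_count, net_block_status
| sort -severity, -detect_agent_count
```

Replace duration=7d with from= and to= when the investigation needs a fixed window rather than a rolling one.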