AhnLab EPP

Last updated Mar 5, 2024

ahnlab-epp-unknown-detail

Fetch unknown detail from AhnLab EPP

ahnlab-epp-unknown-detail watchobj=WATCHOBJ node=NODE [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]

watchobj=WATCHOBJ
    The watch_obj_id value taken from the output of the ahnlab-epp-unknowns command.

node=NODE
    The node_id value taken from the output of the ahnlab-epp-unknowns command.

duration=NUM{mon|w|d|h|m|s}
    Fetch only recent data. Supported time units are s (second), m (minute), h (hour), d (day), w (week) and mon (month). For example, 10s fetches data from the last 10 seconds.

from=yyyyMMddHHmmss
    Start of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.

to=yyyyMMddHHmmss
    End of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.

Output Fields

| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Client time | |
| profile | String | Connect profile | |
| host_ip | IP address | Host IP | |
| hostname | String | Hostname | |
| user | String | User | |
| department | String | Department | |
| severity | Integer | Severity | |
| status | String | Workflow status | |
| signature | String | Detection name | e.g. Suspicious/EDR.Infostealer.M3269;2207;300001A |
| detect_agent_count | Integer | Detected agent count | |
| md5 | String | MD5 | |
| file_name | String | File name | |
| file_size | Long | File size | Size of file |
| file_signer | String | File signer | |
| file_issuer | String | File issuer | |
| file_path | String | File path | |
| is_server | Bool | Server or not | |
| detect_agent_list | String | List of detect agent ID | |
| fileless_type | Bool | Fileless type | |
| exploit_type | Bool | Exploit type | |
| privilege_type | Bool | Privilege type | |
| ransomware_type | Bool | Ransomware type | |
| network_type | Bool | Network type | |
| injection_type | Bool | Injection type | |
| infostealer_type | Bool | Infostealer type | |
| system_setting_type | Bool | System setting type | |
| etc_type | Bool | Other type | |
| platform_type | String | Platform type | e.g. WINDOWS |
| platform_id | String | Platform ID | e.g. WINDOWS_10_ENTERPRISE_X64 |
| platform_name | String | Platform name | e.g. Windows 10 Enterprise x64 |
| connection_status | String | Connection status | e.g. CONNECTED |
| ip_connected | IP address | Connected IP address | |
| net_block_status | String | Quarantine status | |
| product_id | String | Product ID | e.g. V3IS_9.0 |
| product_name | String | Product name | e.g. AhnLab V3 Internet Security 9.0 |
| engine_version | String | Engine version | e.g. 2021.06.14.02 |
| last_scan_time | Date | Last scan time | |
| file_sign_info | String | File sign info | |
| inflow_route | String | Inflow route | |
| target_count | Integer | Target count | |
| target_type_info | String | Target type info | |