ahnlab-epp-unknowns
Fetch unknowns from AhnLab EPP
ahnlab-epp-unknowns [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- duration=NUM{mon|w|d|h|m|s}
  - Scan only recent data. Use s (second), m (minute), h (hour), d (day), w (week) or mon (month) as the time unit. For example, 10s means data from 10 seconds ago.
- from=yyyyMMddHHmmss
  - Start time of the range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
- to=yyyyMMddHHmmss
  - End time of the range, in yyyyMMddHHmmss format. If you omit the time part, it is padded with zeros.
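The following Python is an added example, not code from this reference or from AhnLab's product: it implements the two option rules described above (the NUM{mon|w|d|h|m|s} duration grammar and the "omitted time part is padded with zeros" rule for from= and to=) so that a reader can check what time window a given set of options produces. Two details the page does not state are treated as assumptions and marked in comments: mon is taken as a calendar month with the day clamped to the target month's length, and duration= and from= are treated as mutually exclusive ways of giving the start time.

```python
import calendar
import re
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Grammar of duration=NUM{mon|w|d|h|m|s}: an integer followed by one unit.
_DURATION_RE = re.compile(r"(\d+)(mon|w|d|h|m|s)")

# Units with a fixed length; "mon" is handled separately as a calendar month.
_FIXED_UNITS = {
    "s": timedelta(seconds=1),
    "m": timedelta(minutes=1),
    "h": timedelta(hours=1),
    "d": timedelta(days=1),
    "w": timedelta(weeks=1),
}


def _subtract_months(moment: datetime, months: int) -> datetime:
    # Assumption (not stated on the page): "mon" is a calendar month, and the
    # day is clamped to the target month's length, e.g. 31 Mar - 1mon -> 29 Feb 2024.
    year, month = moment.year, moment.month - months
    while month <= 0:
        month += 12
        year -= 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def parse_duration(value: str) -> Tuple[int, str]:
    """Split '10s' into (10, 's'); reject anything outside NUM{mon|w|d|h|m|s}."""
    match = _DURATION_RE.fullmatch(value.strip())
    if match is None:
        raise ValueError(f"bad duration {value!r}: expected NUM{{mon|w|d|h|m|s}}")
    return int(match.group(1)), match.group(2)


def duration_start(value: str, now: datetime) -> datetime:
    """Start of the window that duration= describes, counted back from `now`."""
    count, unit = parse_duration(value)
    if unit == "mon":
        return _subtract_months(now, count)
    return now - count * _FIXED_UNITS[unit]


def pad_timestamp(value: str) -> str:
    """Apply the documented rule: an omitted time part is padded with zeros."""
    digits = value.strip()
    if not digits.isdigit() or not 8 <= len(digits) <= 14:
        raise ValueError(f"bad timestamp {value!r}: expected yyyyMMdd[HHmmss]")
    return digits.ljust(14, "0")


def parse_timestamp(value: str) -> datetime:
    """Parse a from=/to= value after zero-padding it to yyyyMMddHHmmss."""
    return datetime.strptime(pad_timestamp(value), "%Y%m%d%H%M%S")


def resolve_range(
    duration: Optional[str] = None,
    from_: Optional[str] = None,
    to: Optional[str] = None,
    now: Optional[datetime] = None,
) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Turn the command's options into a (start, end) pair; None means open-ended."""
    now = now or datetime.now()
    if duration is not None and from_ is not None:
        # Assumption: duration= and from= are two exclusive ways to set the start.
        raise ValueError("give either duration= or from=, not both")
    start = duration_start(duration, now) if duration is not None else None
    if from_ is not None:
        start = parse_timestamp(from_)
    end = parse_timestamp(to) if to is not None else None
    if start is not None and end is not None and start > end:
        raise ValueError("from= must not be later than to=")
    return start, end


if __name__ == "__main__":
    fixed_now = datetime(2024, 3, 31, 12, 0, 0)  # constructed reference time
    print(resolve_range(duration="10s", now=fixed_now))
    print(resolve_range(from_="20240101", to="2024010115", now=fixed_now))
```

Note that a partial timestamp such as 2024010115 pads to 20240101150000 (15:00:00), which is the literal effect of zero-padding; if you intend "the whole day" as an end bound, pass the next day's date instead.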
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | |
| profile | String | Connect profile | |
| node_id | String | Node ID | |
| node_edr_id | String | Node EDR ID | |
| host_ip | IP address | Host IP | |
| hostname | String | Hostname | |
| user | String | User | |
| platform_type | String | Platform type | |
| status | String | Workflow status | |
| md5 | String | MD5 | |
| severity | Integer | Severity | |
| ml_score | Double | ML score | |
| file_name | String | File name | |
| file_path | String | File path | |
| watch_obj_id | String | Watch object ID | |
| watch_workflow_status | String | Watch workflow status | |
| platform_id | String | Platform ID | e.g. WINDOWS_10_ENTERPRISE_X64 |
| connection_status | String | Connection status | e.g. CONNECTED |
| fileless_type | Bool | Fileless type | |
| exploit_type | Bool | Exploit type | |
| privilege_type | Bool | Privilege type | |
| ransomware_type | Bool | Ransomware type | |
| network_type | Bool | Network type | |
| injection_type | Bool | Injection type | |
| infostealer_type | Bool | Infostealer type | |
| system_setting_type | Bool | System setting type | |
| etc_type | Bool | Other type | |
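As an added example, not part of this reference and not AhnLab's or the query engine's own code, the Python below shows how an analyst might consume the rows this command returns: it collapses the per-host output into one summary per md5, collects the behaviour type flags that were set, and ranks hashes by how many hosts reported them and by the worst severity and ML score seen. The records are constructed sample data using the field names from the table (the hashes, hostnames and paths are placeholders), and two readings of the fields are assumptions: that a higher severity value is worse, and that ml_score lies in 0..1 with higher meaning more suspicious.

```python
from typing import Dict, Iterable, List

# The Bool behaviour flags from the output table.
TYPE_FLAGS = (
    "fileless_type", "exploit_type", "privilege_type", "ransomware_type",
    "network_type", "injection_type", "infostealer_type",
    "system_setting_type", "etc_type",
)

# Constructed sample rows (not real data): same md5 seen on two hosts,
# plus one low-score unknown from a build machine.
SAMPLE_UNKNOWNS = [
    {"_time": "2024-03-15 09:12:00", "hostname": "ws-finance-01", "user": "alice",
     "md5": "11111111111111111111111111111111", "file_name": "invoice_view.exe",
     "file_path": "C:\\Users\\alice\\Downloads\\invoice_view.exe",
     "status": "NEW", "severity": 3, "ml_score": 0.91,
     "injection_type": True, "network_type": True},
    {"_time": "2024-03-15 09:40:00", "hostname": "ws-finance-07", "user": "bob",
     "md5": "11111111111111111111111111111111", "file_name": "invoice_view.exe",
     "file_path": "C:\\Users\\bob\\Downloads\\invoice_view.exe",
     "status": "NEW", "severity": 3, "ml_score": 0.88,
     "injection_type": True},
    {"_time": "2024-03-15 10:05:00", "hostname": "dev-build-02", "user": "svc-build",
     "md5": "22222222222222222222222222222222", "file_name": "buildtool.exe",
     "file_path": "D:\\ci\\tools\\buildtool.exe",
     "status": "ANALYZED", "severity": 1, "ml_score": 0.35},
]


def behaviour_tags(record: dict) -> List[str]:
    """Names of the set type flags, in table order, e.g. ['network', 'injection']."""
    return [flag[: -len("_type")] for flag in TYPE_FLAGS if record.get(flag)]


def summarize_by_hash(records: Iterable[dict]) -> Dict[str, dict]:
    """One summary per md5: hosts that reported it, worst severity and score
    seen, the union of behaviour tags, and the workflow statuses observed."""
    summaries: Dict[str, dict] = {}
    for rec in records:
        s = summaries.setdefault(rec["md5"], {
            "hosts": set(), "file_names": set(), "statuses": set(),
            "tags": set(), "max_severity": 0, "max_ml_score": 0.0,
        })
        s["hosts"].add(rec["hostname"])
        s["file_names"].add(rec["file_name"])
        s["statuses"].add(rec["status"])
        s["tags"].update(behaviour_tags(rec))
        # Assumption: higher severity / ml_score means more suspicious.
        s["max_severity"] = max(s["max_severity"], rec.get("severity", 0))
        s["max_ml_score"] = max(s["max_ml_score"], rec.get("ml_score", 0.0))
    return summaries


def prioritize(records: Iterable[dict], min_ml_score: float = 0.8) -> List[str]:
    """md5 values to look at first: keep hashes whose best ML score reaches the
    threshold, then order by host spread, then severity, then score."""
    kept = [(md5, s) for md5, s in summarize_by_hash(records).items()
            if s["max_ml_score"] >= min_ml_score]
    kept.sort(key=lambda item: (len(item[1]["hosts"]),
                                item[1]["max_severity"],
                                item[1]["max_ml_score"]), reverse=True)
    return [md5 for md5, _ in kept]


if __name__ == "__main__":
    for md5 in prioritize(SAMPLE_UNKNOWNS):
        s = summarize_by_hash(SAMPLE_UNKNOWNS)[md5]
        print(md5, sorted(s["hosts"]), sorted(s["tags"]), s["max_ml_score"])
```

Grouping by md5 before ranking matters because the command reports one row per host: a single unknown binary that lands on several endpoints would otherwise appear as several unrelated medium-priority rows instead of one high-priority cluster.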