AhnLab EPP

Last updated Mar 5, 2024

ahnlab-epp-unknowns

Fetch unknowns from AhnLab EPP

ahnlab-epp-unknowns [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
duration=NUM{mon|w|d|h|m|s}
    Scan only recent data. The unit is one of s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, duration=10s scans data from 10 seconds ago up to now.
from=yyyyMMddHHmmss
    Start time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.
to=yyyyMMddHHmmss
    End time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.
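The following helper is an added illustration of how the three options above resolve to a concrete scan window; it is not Logpresso's or AhnLab's own code. It assumes that mon is a 30-day month, that a duration is measured back from "now", and that an option left out means that side of the window is unbounded.

```python
import re
from datetime import datetime, timedelta

# Hypothetical helper (not the product's code): resolves the time window that
# "ahnlab-epp-unknowns duration=... from=... to=..." would scan.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}
_DURATION_RE = re.compile(r"^(\d+)(mon|w|d|h|m|s)$")


def parse_duration(text):
    """Return a timedelta for NUM{mon|w|d|h|m|s}. Assumption: mon = 30 days."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    num, unit = int(m.group(1)), m.group(2)
    if unit == "mon":
        return timedelta(days=30 * num)
    return timedelta(seconds=num * _UNIT_SECONDS[unit])


def parse_timestamp(text):
    """Parse yyyyMMddHHmmss; a missing or partial time part is zero-padded on the right."""
    # Assumption: at least the date part (8 digits) must be present.
    if not text.isdigit() or not 8 <= len(text) <= 14:
        raise ValueError(f"bad timestamp: {text!r}")
    return datetime.strptime(text.ljust(14, "0"), "%Y%m%d%H%M%S")


def resolve_window(args, now=None):
    """Turn key=value options into (start, end); None means that side is unbounded."""
    now = now or datetime.now()
    opts = dict(a.split("=", 1) for a in args)
    start = parse_timestamp(opts["from"]) if "from" in opts else None
    end = parse_timestamp(opts["to"]) if "to" in opts else None
    if "duration" in opts:
        # duration=10s means "data from 10 seconds earlier", i.e. a start relative to now
        start = now - parse_duration(opts["duration"])
    if start is not None and end is not None and start > end:
        raise ValueError("from must not be later than to")
    return start, end
```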

Output Fields

| Field | Type | Name | Description |
|---|---|---|---|
| _time | DateTime | | |
| profile | String | Connect profile | |
| node_id | String | Node ID | |
| node_edr_id | String | Node EDR ID | |
| host_ip | IP address | Host IP | |
| hostname | String | Hostname | |
| user | String | User | |
| platform_type | String | Platform type | |
| status | String | Workflow status | |
| md5 | String | MD5 | |
| severity | Integer | Severity | |
| ml_score | Double | ML score | |
| file_name | String | File name | |
| file_path | String | File path | |
| watch_obj_id | String | Watch object ID | |
| watch_workflow_status | String | Watch workflow status | |
| platform_id | String | Platform ID | e.g. WINDOWS_10_ENTERPRISE_X64 |
| connection_status | String | Connection status | e.g. CONNECTED |
| fileless_type | Bool | Fileless type | |
| exploit_type | Bool | Exploit type | |
| privilege_type | Bool | Privilege type | |
| ransomware_type | Bool | Ransomware type | |
| network_type | Bool | Network type | |
| injection_type | Bool | Injection type | |
| infostealer_type | Bool | Infostealer type | |
| system_setting_type | Bool | System setting type | |
| etc_type | Bool | Other type | |