Supported IOC Indicator Terms

dnsentryitem/host

DNS host

dnsentryitem/recorddata/host

Host name

dnsentryitem/recorddata/ipv4address

IPv4 address of the DNS host

• FileItem

  Use FileItem indicators in Historical Records IOCs to search for loaded modules in database logs.

  Use FileItem indicators in System Process IOCs to search for loaded modules in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

  Use FileItem indicators in Disk Scanning IOCs to search for loaded modules in a system snapshot. Endpoint Sensor requires at least one fileitem/filepath or fileitem/fullpath indicator for Disk Scanning IOCs.

  Use FileItem indicators in Monitoring IOCs to monitor file access (drop/open) behavior on the system.

fileitem/accessed

Timestamp when a file was last accessed

Example: 2000-04-12T09:14:38Z

fileitem/created

Timestamp when a file was created

Example: 2000-04-12T09:14:38Z

fileitem/fileextension

File extension name

Example: exe

fileitem/filename

Suspicious file name

fileitem/filepath

Target landing folder without a file name

For Disk Scanning IOCs, add an asterisk (*) after the path to recursively search subfolders.

Example: C:\Windows\System32\*

Disk Scanning IOCs require at least one filepath or fullpath indicator.

fileitem/fullpath

Full target landing folder including the file name

Example: C:\Windows\System32\WinSync.dll

Disk Scanning IOCs require at least one filepath or fullpath indicator.

fileitem/md5sum

Suspicious file MD5 hash value, in hexadecimal format

fileitem/modified

Timestamp when a file was last modified

Example: 2000-04-12T09:14:38Z

fileitem/peinfo/digitalsignature/certificateissuer

Keywords in the file digital certificate issuer section

fileitem/peinfo/digitalsignature/certificatesubject

Keywords in the file digital certificate subject section

fileitem/sha1sum

Suspicious file SHA-1 hash value, in hexadecimal format

fileitem/sizeInbytes

Size of file or range of file sizes in bytes

Example: 101000 TO 120000

fileitem/username

Name of the account that created the file

fileitem/devicepath

Device path of the file

fileitem/drive

Drive of the file

• PortItem

  Use PortItem indicators in Historical Records IOCs for network-related queries and to search for running processes in database logs.

  Use PortItem indicators in Monitoring IOCs to to monitor network-related behavior on the system.

portitem/creationtime

Timestamp when the connection was established

Example: 2000-04-12T09:14:38Z

portitem/localip

Binding local IP address

portitem/localport

Binding local port

portitem/process

Process name binding on a specific port

portitem/remoteip

Connected remote IP address

portitem/remoteport

Connected remote port

• ProcessItem

  Use ProcessItem indicators in Historical Records IOCs for network-related queries in database logs.

  Use ProcessItem indicators in System Process IOCs to search for running processes in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

  Use ProcessItem indicators in Monitoring IOCs to to monitor the process activity on the system.

processitem/handlelist/handle/name

Handle name or path to handle

processitem/handlelist/handle/type

Windows handle type

processitem/name

Connection created by a specific process name

processitem/path

File path to the executable file of the process

processitem/pid

Windows process ID number

processitem/portlist/portitem/creationtime

Timestamp when a process was created

Example: 2000-04-12T09:14:38Z

processitem/portlist/portitem/localip

Connected local IP address

processitem/portlist/portitem/remoteip

Connected remote IP address

processitem/sectionlist/memorysection/digitalsignature/certificateissuer

Keywords in the process certificate issuer section

processitem/sectionlist/memorysection/digitalsignature/certificatesubject

Keywords in the process certificate subject section

processitem/sectionlist/memorysection/sha1sum

SHA-1 hash value associated with the process or file, in hexadecimal format

processitem/sectionlist/memorysection/md5sum

Suspicious process MD5 hash value, in hexadecimal format

processitem/username

Account of the process owner

• RegistryItem

  Use RegistryItem indicators in Historical Records and System Process IOCs for Windows registry-related queries in a system snapshot.

  Use RegistryItem indicators in Monitoring IOCs to monitor registry changes related to autorun processes on the system.

registryitem/keypath

Full registry path

Example:

HKEY_LOCAL_MACHINE\SOFTWARE\ Microsoft\Notepad\DefaultFonts

registryitem/path

Keywords within the registry path

registryitem/value

Keywords within the registry data

registryitem/valuename

Name of the registry entry

• ServiceItem

  Use ServiceItem indicators in System Process IOCs to search for active Windows services in a system snapshot. Do not use FileItem indicators for running processes and Windows services.

serviceitem/description

Keywords within the service description

serviceitem/descriptivename

Full descriptive Windows service name

serviceitem/name

Short name of the Windows service as stored in the registry

serviceitem/servicedllcertificateissuer

Keywords in the service DLL certificate issuer section

serviceitem/servicedllcertificatesubject

Keywords in the service DLL certificate subject section

serviceitem/servicedllmd5sum

Suspicious service MD5 hash value, in hexadecimal format

serviceitem/startedas

User account that started the service

serviceitem/status

Service status:

• active

• inactive

serviceitem/type

Windows service type

• UserItem

  Use UserItem indicators in Historical Records IOCs to search for user accounts in database logs.

useritem/fullname

Domain and user account name

Example: user@domain.com

useritem/grouplist/groupname

Group name

useritem/lastlogin

Most recent/last known access

Example: 2000-04-12T09:14:38Z

useritem/username

User account name