Skip to content

Memory Activity (1004)

Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).

  • Category: System Activity
  • Extends: system
  • UID: 1004

Attributes

Section titled “Attributes”

Classification

Section titled “Classification”

activity_id

  • Type: integer_t
  • Requirement: required
  • Values:
    • 0 - Unknown: The event activity is unknown.
    • 1 - Allocate Page
    • 2 - Modify Page
    • 3 - Delete Page
    • 4 - Buffer Overflow
    • 5 - Disable DEP: Data Execution Permission
    • 6 - Enable DEP: Data Execution Permission
    • 7 - Read: Read (Example: ReadProcessMemory)
    • 8 - Write: Write (Example: WriteProcessMemory)
    • 99 - Other: The event activity is not mapped.

The normalized identifier of the activity that triggered the event.

category_uid

  • Type: integer_t
  • Requirement: required
  • Values:
    • 1 - System Activity: System Activity events.

The category unique identifier of the event.

class_uid

  • Type: integer_t
  • Requirement: required
  • Values:
    • 1004 - Memory Activity: Memory Activity events report when a process has memory allocated, read/modified, or other manipulation activities - such as a buffer overflow or turning off data execution protection (DEP).

The unique identifier of a class. A Class describes the attributes available in an event.

severity_id

  • Type: integer_t
  • Requirement: required
  • Values:
    • 0 - Unknown: The event severity is not known.
    • 1 - Informational: Informational message. No action required.
    • 2 - Low: The user decides if action is needed.
    • 3 - Medium: Action is required but the situation is not serious at this time.
    • 4 - High: Action is required immediately.
    • 5 - Critical: Action is required immediately and the scope is broad.
    • 6 - Fatal: An error occurred but it is too late to take remedial action.
    • 99 - Other: The event severity is not mapped. See the severity attribute, which contains a data source specific value.

The normalized identifier of the event severity.The normalized severity is a measurement the effort and expense required to manage and resolve an event or incident. Smaller numerical values represent lower impact events, and larger numerical values represent higher impact events.

type_uid

  • Type: integer_t
  • Requirement: required
  • Values:
    • 100400 - Memory Activity: Unknown
    • 100401 - Memory Activity: Allocate Page
    • 100402 - Memory Activity: Modify Page
    • 100403 - Memory Activity: Delete Page
    • 100404 - Memory Activity: Buffer Overflow
    • 100405 - Memory Activity: Disable DEP: Data Execution Permission
    • 100406 - Memory Activity: Enable DEP: Data Execution Permission
    • 100407 - Memory Activity: Read: Read (Example: ReadProcessMemory)
    • 100408 - Memory Activity: Write: Write (Example: WriteProcessMemory)
    • 100499 - Memory Activity: Other

The event type ID. It identifies the event’s semantics and structure. The value is calculated by the logging system as: class_uid * 100 + activity_id.

activity_name

  • Type: string_t
  • Requirement: optional

The event activity name, as defined by the activity_id.

category_name

  • Type: string_t
  • Requirement: optional

The event category name, as defined by category_uid value: System Activity.

class_name

  • Type: string_t
  • Requirement: optional

The event class name, as defined by class_uid value: Memory Activity.

severity

  • Type: string_t
  • Requirement: optional

The event severity, normalized to the caption of the severity_id value. In the case of ‘Other’, it is defined by the event source.

type_name

  • Type: string_t
  • Requirement: optional

The event type name, as defined by the type_uid.

Context

Section titled “Context”

metadata

The metadata associated with the event.

api cloud

  • Type: api
  • Requirement: optional

Describes details about a typical API (Application Programming Interface) call.

enrichments

The additional information from an external data source, which is associated with the event. For example add location information for the IP address in the DNS answers:[{"name": "answers.ip", "value": "92.24.47.250", "type": "location", "data": {"city": "Socotra", "continent": "Asia", "coordinates": [-25.4153, 17.0743], "country": "YE", "desc": "Yemen"}}]

raw_data

  • Type: string_t
  • Requirement: optional

The event data as received from the event source.

unmapped

  • Type: object
  • Requirement: optional

The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

Occurrence

Section titled “Occurrence”

time

  • Type: timestamp_t
  • Requirement: required

The normalized event occurrence time.

timezone_offset

  • Type: integer_t
  • Requirement: recommended

The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080.

count

  • Type: integer_t
  • Requirement: optional

The number of times that events in the same logical group occurred during the event Start Time to End Time period.

duration

  • Type: integer_t
  • Requirement: optional

The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds.

end_time

  • Type: timestamp_t
  • Requirement: optional

The end time of a time period, or the time of the most recent event included in the aggregate event.

end_time_dt datetime

  • Type: datetime_t
  • Requirement: optional

The end time of a time period, or the time of the most recent event included in the aggregate event.

start_time

  • Type: timestamp_t
  • Requirement: optional

The start time of a time period, or the time of the least recent event included in the aggregate event.

start_time_dt datetime

  • Type: datetime_t
  • Requirement: optional

The start time of a time period, or the time of the least recent event included in the aggregate event.

time_dt datetime

  • Type: datetime_t
  • Requirement: optional

The normalized event occurrence time.

Primary

Section titled “Primary”

actor

  • Type: actor
  • Requirement: required

The actor object describes details about the user/role/process that was the source of the activity.

cloud cloud

  • Type: cloud
  • Requirement: required

Describes details about the Cloud environment where the event was originally created or logged.

device

  • Type: device
  • Requirement: required

An addressable device, computer system or host.

disposition_id security_control

  • Type: integer_t
  • Requirement: required
  • Values:
    • 0 - Unknown
    • 1 - Allowed
    • 2 - Blocked
    • 3 - Quarantined
    • 4 - Isolated
    • 5 - Deleted
    • 6 - Dropped
    • 7 - Custom Action: Executed custom action such as run a command script.
    • 8 - Approved
    • 9 - Restored
    • 10 - Exonerated: No longer suspicious (re-scored).
    • 11 - Corrected
    • 12 - Partially Corrected
    • 13 - Uncorrected
    • 14 - Delayed: Requires reboot to finish the operation.
    • 15 - Detected
    • 16 - No Action
    • 17 - Logged
    • 18 - Tagged: Marked with extended attributes.
    • 99 - Other

When security issues, such as malware or policy violations, are detected and possibly corrected, then disposition_id describes the action taken by the security product.

process

  • Type: process
  • Requirement: required

The process that had memory allocated, read/written, or had other manipulation activities performed on it.

attacks security_control

  • Type: attack
  • Requirement: recommended

An array of attacks associated with an event.

base_address

  • Type: string_t
  • Requirement: recommended

The memory address that was access or requested.

message

  • Type: string_t
  • Requirement: recommended

The description of the event, as defined by the event source.

status_id

  • Type: integer_t
  • Requirement: recommended
  • Values:
    • 0 - Unknown
    • 1 - Success
    • 2 - Failure
    • 99 - Other: The event status is not mapped. See the status attribute, which contains a data source specific value.

The normalized identifier of the event status.

actual_permissions

  • Type: integer_t
  • Requirement: optional

The permissions that were granted to the in a platform-native format.

disposition security_control

  • Type: string_t
  • Requirement: optional

The event disposition name, normalized to the caption of the disposition_id value. In the case of ‘Other’, it is defined by the event source.

malware security_control

  • Type: malware
  • Requirement: optional

The list of malware identified by a finding.

observables

The observables associated with the event.

requested_permissions

  • Type: integer_t
  • Requirement: optional

The permissions mask that were requested by the process.

size

  • Type: long_t
  • Requirement: optional

The memory size that was access or requested.

status

  • Type: string_t
  • Requirement: optional

The event status, normalized to the caption of the status_id value. In the case of ‘Other’, it is defined by the event source.

status_code

  • Type: string_t
  • Requirement: optional

The event status code, as reported by the event source.

For example, in a Windows Failed Authentication event, this would be the value of ‘Failure Code’, e.g. 0x18.

status_detail

  • Type: string_t
  • Requirement: optional

The status details contains additional information about the event outcome.

Objects Used

Section titled “Objects Used”