The attributes that identify security controls such as malware or policy violations.
Attributes

disposition_id
- Type: integer_t
- Requirement: required
- Values:
  - 0 - Unknown
  - 1 - Allowed
  - 2 - Blocked
  - 3 - Quarantined
  - 4 - Isolated
  - 5 - Deleted
  - 6 - Dropped
  - 7 - Custom Action: Executed a custom action such as running a command script.
  - 8 - Approved
  - 9 - Restored
  - 10 - Exonerated: No longer suspicious (re-scored).
  - 11 - Corrected
  - 12 - Partially Corrected
  - 13 - Uncorrected
  - 14 - Delayed: Requires a reboot to finish the operation.
  - 15 - Detected
  - 16 - No Action
  - 17 - Logged
  - 18 - Tagged: Marked with extended attributes.
  - 99 - Other
When security issues, such as malware or policy violations, are detected and possibly corrected, disposition_id describes the action taken by the security product.
attacks
- Type: attack
- Requirement: recommended
An array of attacks associated with an event.
disposition
- Type: string_t
- Requirement: optional
The event disposition name, normalized to the caption of the disposition_id value. In the case of ‘Other’, it is defined by the event source.
malware
- Type: malware
- Requirement: optional
The list of malware identified by a finding.
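The following is an added example, not code from the OCSF project, showing how a consumer can check these profile attributes before indexing an event: disposition_id is required and must be a defined value, disposition (when present) must match the caption of disposition_id except for 'Other', where the source defines it, and attacks/malware must be arrays. Events are assumed to arrive as plain dicts parsed from JSON; the sample event is constructed.

```python
# Added example (not OCSF project code): validate and normalize the
# Security Control profile attributes of an event given as a dict.

# disposition_id value -> caption, as listed in the profile.
DISPOSITIONS = {
    0: "Unknown", 1: "Allowed", 2: "Blocked", 3: "Quarantined", 4: "Isolated",
    5: "Deleted", 6: "Dropped", 7: "Custom Action", 8: "Approved", 9: "Restored",
    10: "Exonerated", 11: "Corrected", 12: "Partially Corrected", 13: "Uncorrected",
    14: "Delayed", 15: "Detected", 16: "No Action", 17: "Logged", 18: "Tagged",
    99: "Other",
}
OTHER = 99  # caption is defined by the event source, not the schema


def validate_security_control(event: dict) -> list[str]:
    """Return a list of problems; an empty list means the attributes are consistent."""
    problems = []
    disp_id = event.get("disposition_id")
    if disp_id is None:
        problems.append("disposition_id is required")
    elif isinstance(disp_id, bool) or not isinstance(disp_id, int):
        problems.append("disposition_id must be an integer")
    elif disp_id not in DISPOSITIONS:
        problems.append(f"disposition_id {disp_id} is not a defined value")
    disp = event.get("disposition")
    if disp is not None and disp_id in DISPOSITIONS:
        if disp_id == OTHER:
            # 'Other' carries whatever name the product uses; it only has to be a non-empty string.
            if not isinstance(disp, str) or not disp:
                problems.append("disposition must name the source-defined action when disposition_id is 99")
        elif disp != DISPOSITIONS[disp_id]:
            problems.append(f"disposition {disp!r} does not match caption {DISPOSITIONS[disp_id]!r}")
    for name in ("attacks", "malware"):
        value = event.get(name)
        if value is not None and not isinstance(value, list):
            problems.append(f"{name} must be an array")
    return problems


def normalize_disposition(event: dict) -> dict:
    """Return a copy with disposition filled from the disposition_id caption.

    For 99 (Other) an existing source-defined name is kept as-is."""
    out = dict(event)
    disp_id = out.get("disposition_id")
    if disp_id in DISPOSITIONS and (disp_id != OTHER or not out.get("disposition")):
        out["disposition"] = DISPOSITIONS[disp_id]
    return out


# Constructed sample event: a quarantined file with one malware entry.
SAMPLE_EVENT = {"disposition_id": 3, "disposition": "Quarantined", "malware": [{"name": "sample"}]}
```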
Available In

- dns_activity
- email_activity
- email_file_activity
- email_url_activity
- file_activity
- ftp_activity
- http_activity
- kernel_activity
- kernel_extension
- memory_activity
- module_activity
- network_activity
- process_activity
- rdp_activity
- scheduled_job_activity
- smb_activity
- ssh_activity
- win/registry_key_activity
- win/registry_value_activity
- win/resource_activity