OS Events for Threats

The events below are collected for threats. View all of the details in the Explore tab of the Incident Details.

Note: For threats, only events related to the malicious Storyline are shown.

Note: The Explore tab shows details for dynamic threats (detected by a Behavioral AI engine). For static threats, where a file did not run or was stopped before it ran, the tab shows the message "No Processes found for this threat".

Events recorded for Threats

Category         Event                  Win OS events   MacOS events   Linux OS events
Network Actions  TCP Connect
                 TCP listens
Process          Process Creation
                 Process Modification
DNS              DNS Request
Files            File Creation
                 File Deletions
                 File Modification
                 File Rename

Registry Events (Windows only)

Event Name       Activity                Description
Registry Action  Antivirus Override
Registry Action  Offline mode
Registry Action  Registry tools
Registry Action  Task Manager
Registry Action  Firewall Exception
Registry Action  Hidden Files
Registry Action  Security Center Alerts
Registry Action  Safe Mode
Registry Action  ActiveX
Registry Action  Application
Registry Action  Autorun
Registry Action  Browser Objects
Registry Action  Netsh Event Tracing
Registry Action  Uninstaller
Registry Action  Firewall Status

Indicator Events (Windows Only)

Event Type             Indicator Name          Indicator Description
Behavioral Indicators  Suspicious WMI Query    Not available
Behavioral Indicators  WMI - Security          Not available
Behavioral Indicators  Service Create          Name of the service
Behavioral Indicators  Preload Injection       Not available
Behavioral Indicators  Keylogger Install       Not available
Behavioral Indicators  Remote Code Execution   Not available
Behavioral Indicators  Forbidden Process       Not available
Behavioral Indicators  Library Injection       Not available
Behavioral Indicators  Code Injection          Not available
Behavioral Indicators  Library Load            Library path
Behavioral Indicators  Modified Host File      Not available

Active Content Information (Windows only)

Active Content represents the data that changed within a process, usually when the process loaded a new file or changed the command line.

  • Contains Active Content? Yes|No
  • Active Content File ID
  • Active Content Hash
  • Active Content Path