Advanced Reporting Tool — Data Fields
Applies To: WatchGuard Advanced Reporting Tool
WatchGuard EPDR and WatchGuard EDR send data to the Advanced Visualization Tool, which organizes it into data tables that are easy to read. Each line of a data table is an event monitored by WatchGuard EPDR or WatchGuard EDR.
alert
This data table includes information on incidents shown in the Activity tile on the WatchGuard EPDR or WatchGuard EDR dashboard.
Name | Explanation | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
machineIP | IP address of the customer computer that triggered the alert. | IP address
date | Date on the user computer when the event was generated. | Date
alertType | Category of the threat that triggered the alert. | Malware, PUP
machineName | Name of the computer. | String
executionStatus | Indicates whether the threat was run. | Executed, Not Executed
dwellTimeSecs | Time in seconds since the threat was first seen on the network. | Seconds
itemHash | Hash of the detected threat. | String
itemName | Name of the detected threat. | String
itenPath | Full path of the file that contains the threat. | String
sourceIP | If the malware came from outside the network, the IP address of the remote computer. | IP address
sourceMachineName | If the malware came from outside the network, the name of the remote computer. | String
sourceUserName | If the malware came from outside the network, the user of the remote computer. | String
urlList | List of accessed URLs if a browser exploit is detected. | String
docList | List of accessed documents if a file exploit is detected. | String
version | Content of the Version attribute of the process metadata. | String
vulnerable | Indicates whether the application is considered vulnerable. | Boolean
install
This data table logs all the information generated during the installation of the endpoint agents on computers.
Field | Description | Values
---|---|---
eventDate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
machine | Name of the computer. | String
machineIP | IP address of the computer. | IP address
machineIP1 | IP address of an additional network card, if installed. | IP address
machineIP2 | IP address of an additional network card, if installed. | IP address
op | Operation performed. | Install, Uninstall, Upgrade
osVersion | Operating system version. | String
osServicePack | Service Pack version. | String
osPlatform | Platform of the operating system installed: | Enumeration
monitoredopen
This data table logs access attempts to data files by processes that run on the computer, together with the processes that accessed user data. Access attempts to files are logged on Windows computers only.
An access attempt is classified as atypical when the process that interacts with the data file is not part of the set of applications that typically interact with that kind of file (for example, a .DOC file manipulated by a process other than word.exe).
An access attempt can also be classified as unusual when the process that accesses the file is not stored in the folder set by default during program installation, or when the data files are stored in temporary or otherwise unusual folders.
The data files that are monitored include:
- Files accessed by atypical applications
- Accessed files that reside in unusual folders
- Files that run automatically when the operating system starts up (Run or RunOnce Windows registry keys, among others)
- Files run from the task scheduler
- Files that contain certificates
- Files that contain passwords
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
date | Date on the user computer when the event was generated. | Date
machine | Name of the customer computer. | String
machineIP | IP address of the customer computer. | IP address
user | Process user name. | String
muid | Internal ID of the customer computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest or hash of the file that accessed data. | String
parentPath | Path of the process that accessed data. | String
parentValidSig | Whether the process that accessed data is digitally signed. | Boolean
parentCompany | Content of the Company attribute of the metadata of the file that accessed data. | String
parentCat | Category of the file that accessed data. | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Malware name if the file that accessed data is classified as a threat. | String (Null if the item is not malware)
childPath | Name of the data file accessed by the process. By default, only the file extension is indicated, to preserve the privacy of customer data. | String
loggedUser | User logged in to the computer at the time of file access. | String
firstParentCat | Initial classification of the parent file that performed the logged operation. | Goodware, Malware, PUP, Unknown, Monitoring, Null
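The classification rules described for this table (atypical application for the file type, process outside its default installation folder, data file in a temporary or unusual folder) are easy to re-apply on the exported rows when hunting. The following is an added example, not code from WatchGuard or from this page: the rows are constructed to match the field names above, and the handler map, installation-folder list and temporary-folder list are the example's own assumptions that an analyst would tune for their environment. It also rates each flagged row using parentCat and parentValidSig, which the page's rules do not do.

```python
import ntpath

# Constructed sample rows in the shape of the monitoredopen table (values are made up).
# childPath is normally only the extension (privacy default); one row shows a full path
# as it would appear if that privacy setting were turned off (assumption).
SAMPLE_MONITOREDOPEN = [
    {"machine": "WS-01", "user": "alice", "parentCat": "Goodware", "parentValidSig": True,
     "parentPath": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "childPath": ".docx"},
    {"machine": "WS-01", "user": "alice", "parentCat": "Unknown", "parentValidSig": False,
     "parentPath": r"C:\Users\alice\AppData\Local\Temp\updater.exe", "childPath": ".docx"},
    {"machine": "WS-02", "user": "bob", "parentCat": "Goodware", "parentValidSig": True,
     "parentPath": r"C:\Windows\System32\notepad.exe",
     "childPath": r"C:\Users\bob\AppData\Local\Temp\passwords.txt"},
    {"machine": "WS-02", "user": "bob", "parentCat": "Goodware", "parentValidSig": True,
     "parentPath": r"C:\Program Files\Git\usr\bin\ssh.exe", "childPath": ".pem"},
]

# Assumed baselines: which processes normally touch which document types, where legitimately
# installed software lives, and which folders count as temporary/unusual for data files.
EXPECTED_HANDLERS = {
    ".doc": {"winword.exe"}, ".docx": {"winword.exe"},
    ".xls": {"excel.exe"}, ".xlsx": {"excel.exe"},
    ".pem": {"ssh.exe", "openssl.exe"},
}
DEFAULT_INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
UNUSUAL_DATA_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")
SUSPECT_CATEGORIES = {"Malware", "PUP", "Unknown"}


def _extension(child_path: str) -> str:
    """childPath is either a bare extension (".docx") or a full path; return the extension."""
    child = child_path.lower()
    if child.startswith(".") and "\\" not in child:
        return child
    return ntpath.splitext(child)[1]


def classify_access(rec: dict) -> list[str]:
    """Apply the three rules from the monitoredopen description; return the reasons that fired."""
    reasons = []
    parent = rec["parentPath"].lower()
    proc = ntpath.basename(parent)
    child = rec["childPath"].lower()
    ext = _extension(child)

    expected = EXPECTED_HANDLERS.get(ext)
    if expected and proc not in expected:
        reasons.append(f"atypical application {proc} for {ext}")
    if not parent.startswith(DEFAULT_INSTALL_DIRS):
        reasons.append("process outside default installation folders")
    if any(d in child for d in UNUSUAL_DATA_DIRS):
        reasons.append("data file in temporary or unusual folder")
    return reasons


def severity(rec: dict, reasons: list[str]) -> str:
    """Rate a flagged row higher when the accessing file is unsigned or not yet known-good."""
    if not reasons:
        return "none"
    if rec["parentCat"] in SUSPECT_CATEGORIES or not rec["parentValidSig"]:
        return "high"
    return "low"


def triage(records: list[dict]) -> list[tuple[dict, list[str], str]]:
    """Return (row, reasons, severity) for every row at least one rule fired on."""
    out = []
    for rec in records:
        reasons = classify_access(rec)
        if reasons:
            out.append((rec, reasons, severity(rec, reasons)))
    return out


if __name__ == "__main__":
    for rec, reasons, sev in triage(SAMPLE_MONITOREDOPEN):
        print(f"[{sev}] {rec['machine']} {rec['user']} {rec['parentPath']} -> {rec['childPath']}")
        for r in reasons:
            print("    -", r)
```

On the sample rows, WINWORD.EXE opening a .docx and ssh.exe reading a .pem are not flagged, the unsigned updater.exe in a Temp folder fires two rules and rates high, and notepad.exe reading a file that sits under AppData\Local\Temp fires only the unusual-folder rule.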
monitoredregistry
This data table logs every attempt to modify the registry as well as when software accesses the registry permissions, passwords, certificate stores, and similar information.
Name | Explanation | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
date | Date on the user computer when the event was generated. | Date
machine | Name of the computer. | String
machineIP | IP address of the computer. | IP address
user | User name of the process that accessed or modified the registry. | String
muid | Internal ID of the customer computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest or hash of the process that accessed or modified the registry. | String
parentPath | Path of the executable that accessed or modified the registry. | String
parentValidSig | Whether the process that accessed the registry is digitally signed. | Boolean
parentCompany | Content of the Company attribute of the metadata of the process that accessed the registry. | String
parentCat | Process category. | Goodware, Malware, PUP, Unknown, Monitoring
parentMwName | Malware name if the process is classified as a threat. | String (Null if the item is not malware)
regAction | Operation performed on the computer registry. | CreateKey, CreateValue, ModifyValue
key | Affected registry branch or key. | String
value | Name of the affected value under the registry key. | String
valueData | Value content. | String
loggedUser | User logged in to the computer at the time of registry access. | String
firstParentCat | Initial classification of the parent file that performed the logged operation. | Goodware, Malware, PUP, Unknown, Monitoring, Null
notblocked
This data table logs the items that WatchGuard EPDR or WatchGuard EDR did not scan because of exceptional situations, such as service timeout on startup or configuration changes.
Name | Description | Values
---|---|---
evendate | Date when the event was received on the Advanced Reporting Tool server. | Date
date | Date on the user computer when the event was generated. | Date
machine | Name of the computer. | String
machineIP | IP address of the computer. | IP address
user | Process user name. | String
muid | Internal ID of the computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Digest or hash of the parent file. | String
parentPath | Parent process path. | String
parentValidSig | Whether the parent process is digitally signed. | Boolean
parentCompany | Content of the Company attribute of the parent process metadata. | String
parentCat | Parent file category. | Goodware, Malware, PUP, Unknown, Monitoring
ParentmwName | Malware name if the parent file is classified as a threat. | String (Null if the item is not malware)
childHash | Child file digest or hash. | String
childPath | Child process path. | String
childValidSig | Whether the child process is digitally signed. | Boolean
childCompany | Content of the Company attribute of the child process metadata. | String
childCat | Child process category. | Goodware, Malware, PUP, Unknown, Monitoring
childMWName | Malware name if the child file is classified as a threat. | String (Null if the item is not malware)
firstParentCat | Initial classification of the parent file that performed the logged operation. | Goodware, Malware, PUP, Unknown, Monitoring, Null
firstChildCat | Initial classification of the child file that performed the logged operation. | Goodware, Malware, PUP, Unknown, Monitoring, Null
ops
This data table logs all operations performed by processes seen on the network.
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
machine | Name of the computer. | String
machineIP | IP address of the computer. | IP address
user | Process user name. | String
op | Operation performed. | CreateDir, Exec, CreatePE, DeletePE, LoadLib, OpenCmp, RenamePE, CreateCmp
muid | Unique ID of the computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
parentHash | Parent file digest or hash. | String
parentDriveType | Type of drive where the parent process resides. | Fixed, Remote, Removable
parentPath | Parent process path. | String
parentValidSig | Whether the parent process is digitally signed. | Boolean
parentCompany | Content of the Company attribute of the parent file metadata. | String
parentCat | Parent file category. | Goodware, Malware, PUP, Unknown, Monitoring
parentMWName | Name of the malware found in the parent file. | String (Null if the item is not malware)
childHash | Child file digest or hash. | String
childDriveType | Type of drive where the child process resides. | Fixed, Remote, Removable
childPath | Child process path. | String
childValidSig | Whether the child process is digitally signed. | Boolean
childCompany | Content of the Company attribute of the child file metadata. | String
childCat | Child file category. | Goodware, Malware, PUP, Unknown, Monitoring
childMWName | Name of the malware found in the child file. | String (Null if the item is not malware)
Ocs_Exec | Indicates whether software considered vulnerable was run. | Boolean
Ocs_Name | Name of the software considered vulnerable. | String
OcsVer | Version of the software considered vulnerable. | String
action | Action performed. | Allow, Block, BlockTimeout
serviceLevel | Agent mode: | Enumeration
params | Command-line parameters of the process that was run. | Character string
firstParenCat | Initial classification of the parent file that performed the logged operation. | Goodware, Malware, PUP, Unknown, Monitoring, Null
processnetbytes
This data table logs the data usage of processes seen on the network. ART generates a log for each process approximately every four hours with the amount of data transferred since the last log was sent.
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
machineName | Name of the computer. | String
machineIP | IP address of the computer. | IP address
version | Version of the WatchGuard Endpoint Agent. | String
user | Process user name. | String
muid | Internal ID of the computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
hash | Digest or hash of the process. | String
path | Program name and path. | String
bytesSent | Number of bytes sent by the process since the last event was generated. | Numeric
bytesReceived | Number of bytes received by the process since the last event was generated. | Numeric
registry
This data table logs all operations performed on the registry branches used by malicious programs to become persistent and survive computer restarts.
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
machine | Name of the computer. | String
machineIP | IP address of the computer. | IP address
user | User name of the process that modified the registry. | String
op | Operation performed on the computer registry. | ModifyExeKey, CreateExeKey
hash | Digest or hash of the process that modified the registry. | String
muid | Unique ID of the computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
targetPath | Path of the executable that the registry key points to. | String
regKey | Registry key. | String
driveType | Type of drive where the process that accessed the registry resides. | String
path | Path of the process that modified the registry. | String
validSig | Whether the process that modified the registry is digitally signed. | Boolean
company | Content of the Company attribute of the metadata of the process that modified the registry. | String
Cat | Process category. | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Malware name if the process is classified as a threat. | String (Null if the item is not malware)
firstCat | Category of the process the first time it was classified. | Goodware, Malware, PUP, Unknown, Monitoring
socket
This data table logs all network connections established by the processes seen on the network.
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
machine | Name of the computer. | String
machineIP | IP address of the computer. | IP address
user | Process user name. | String
hash | Digest or hash of the process that established the connection. | String
driveType | Type of drive where the process that established the connection resides. | Fixed, Remote, Removable
path | Path of the process that established the connection. | String
protocol | Communications protocol used by the process. | TCP, UDP, ICMP, ICMPv6, IGMP, RF
remotePort | Destination port the process communicates with. | 0-65535
direction | Communication direction. | Upload, Download, Bidirectional, Unknown
remoteIP | Destination IP address. | IP address
localPort | Source port used by the process. | 0-65535
localIP | Source (local) IP address. | IP address
validSig | Whether the file that established the connection is digitally signed. | Boolean
company | Content of the Company attribute of the metadata of the file that established the connection. | String
category | Current category of the process that established the connection. | Goodware, Malware, PUP, Unknown, Monitoring
mwName | Malware name if the process that established the connection is classified as a threat. | String (Null if the item is not malware)
firstCategory | Category of the process the first time it was classified. | Goodware, Malware, PUP, Unknown, Monitoring
times | Number of times the same communication event has occurred in the last hour. For two communication events to be considered the same, these parameters plus the communication direction must be the same: The first time a communication is detected, an event is sent with the times field set to 1. Later, for each hour that passes after the first event, the times field indicates the number of equal communication events that have occurred in that time span minus 1, along with the date of the last event logged. | Numeric
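Because the socket table already collapses repeated connections into the times counter, a first-pass hunt over it is a filter-and-aggregate: keep rows for processes that are not yet known-good, unsigned, reclassified since first sight, or running from removable media; drop destinations inside the organisation's own ranges; then sum times per process and destination. The following is an added example rather than code from WatchGuard or this page. Field names follow the table; the rows, the list of internal networks and the flagging rules are the example's own constructed assumptions (the internal-network list is explicit instead of relying on ipaddress.is_global, which would also exclude documentation ranges such as 203.0.113.0/24).

```python
import ipaddress
from collections import defaultdict

SUSPECT_CATEGORIES = {"Malware", "PUP", "Unknown"}

# Assumed definition of "inside the network": RFC 1918, loopback, link-local, ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128",
)]

# Constructed sample rows in the shape of the socket table (values are made up).
SAMPLE_SOCKET = [
    {"machine": "WS-01", "user": "alice", "hash": "AAA1", "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "driveType": "Fixed", "protocol": "TCP", "remoteIP": "140.82.112.3", "remotePort": 443,
     "direction": "Bidirectional", "validSig": True, "category": "Goodware", "firstCategory": "Goodware", "times": 1},
    {"machine": "WS-01", "user": "alice", "hash": "BBB2", "path": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "driveType": "Fixed", "protocol": "TCP", "remoteIP": "203.0.113.10", "remotePort": 8443,
     "direction": "Upload", "validSig": False, "category": "Unknown", "firstCategory": "Unknown", "times": 1},
    {"machine": "WS-01", "user": "alice", "hash": "BBB2", "path": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "driveType": "Fixed", "protocol": "TCP", "remoteIP": "203.0.113.10", "remotePort": 8443,
     "direction": "Upload", "validSig": False, "category": "Unknown", "firstCategory": "Unknown", "times": 11},
    {"machine": "WS-01", "user": "alice", "hash": "BBB2", "path": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "driveType": "Fixed", "protocol": "TCP", "remoteIP": "10.0.0.5", "remotePort": 445,
     "direction": "Bidirectional", "validSig": False, "category": "Unknown", "firstCategory": "Unknown", "times": 4},
    {"machine": "WS-02", "user": "bob", "hash": "CCC3", "path": r"E:\tool.exe",
     "driveType": "Removable", "protocol": "UDP", "remoteIP": "198.51.100.7", "remotePort": 53,
     "direction": "Bidirectional", "validSig": True, "category": "Goodware", "firstCategory": "Goodware", "times": 3},
    {"machine": "WS-03", "user": "carol", "hash": "DDD4", "path": r"C:\ProgramData\up.exe",
     "driveType": "Fixed", "protocol": "TCP", "remoteIP": "198.51.100.77", "remotePort": 80,
     "direction": "Download", "validSig": False, "category": "Malware", "firstCategory": "Unknown", "times": 2},
]


def is_internal(ip_str: str) -> bool:
    """True when remoteIP falls inside one of the assumed internal ranges (or is unparseable)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def flag_reasons(ev: dict) -> list[str]:
    """Rules applied to one socket row; an empty list means the row is not interesting."""
    reasons = []
    if ev["category"] in SUSPECT_CATEGORIES:
        reasons.append(f"category {ev['category']}")
    if not ev["validSig"]:
        reasons.append("unsigned")
    if ev["driveType"] == "Removable":
        reasons.append("removable drive")
    if ev["category"] != ev["firstCategory"]:
        reasons.append(f"reclassified {ev['firstCategory']} -> {ev['category']}")
    return reasons


def suspicious_destinations(events: list[dict]) -> list[tuple[tuple, dict]]:
    """Aggregate flagged external connections per (hash, path, remoteIP, remotePort, protocol).

    times is summed: per the table description the first event carries 1 and later hourly
    events carry the count for that hour, so the sum approximates the total connection count.
    """
    agg = defaultdict(lambda: {"connections": 0, "reasons": set(), "machines": set()})
    for ev in events:
        if is_internal(ev["remoteIP"]):
            continue
        reasons = flag_reasons(ev)
        if not reasons:
            continue
        key = (ev["hash"], ev["path"], ev["remoteIP"], ev["remotePort"], ev["protocol"])
        bucket = agg[key]
        bucket["connections"] += ev["times"]
        bucket["reasons"].update(reasons)
        bucket["machines"].add(ev["machine"])
    return sorted(agg.items(), key=lambda kv: kv[1]["connections"], reverse=True)


if __name__ == "__main__":
    for (h, path, rip, rport, proto), info in suspicious_destinations(SAMPLE_SOCKET):
        print(f"{info['connections']:>4}  {proto} {rip}:{rport}  {path} [{h}]")
        print("      ", ", ".join(sorted(info["reasons"])), "| machines:", ", ".join(sorted(info["machines"])))
```

On the sample rows the Firefox connection is dropped (no rule fires), the SMB connection to 10.0.0.5 is dropped as internal, and the unsigned Temp-folder binary tops the list with 12 connections to its external destination, ahead of the removable-drive tool and the reclassified sample.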
toastblocked
This data table contains a record for each process blocked because WatchGuard EPDR or WatchGuard EDR has not yet returned the relevant classification.
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
machineName | Name of the computer. | String
machineIP | IP address of the computer. | IP address
user | User name of the blocked process. | String
muid | Unique ID of the computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
hash | Digest or hash of the blocked process. | String
path | Path of the blocked process. | String
toastBlockReason | 0 OK: the user accepts the message; 1 Timeout: the pop-up message disappears because the user takes no action; 2 Angry: the user rejects the block action; 3 Block; 4 Allow; 5 BadCall | Enumerator
toastResult | Result of the pop-up message: | Enumerator
URLdownload
This data table contains information on HTTP downloads performed by processes seen on the network (such as URLs, downloaded file data, computers that downloaded data).
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
Machine | Name of the computer. | String
machineIP | IP address of the computer. | IP address
User | Process user name. | String
muid | Internal ID of the customer computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
url | Download URL. | URL stem
parentHash | Digest or hash of the process that downloaded the file. | String
parentDriveType | Type of drive where the process that downloaded the file resides. | Fixed, Remote, Removable
parentPath | Path of the process that downloaded the file. | String
parentValidSig | Whether the process that downloaded the file is digitally signed. | Boolean
parentCompany | Content of the Company attribute of the metadata of the process that downloaded the file. | String
parentCat | Category of the process that downloaded the file. | Goodware, Malware, PUP, Unknown, Monitoring
parentMwname | Malware name if the process that downloaded the file is classified as a threat. | String (Null if the item is not malware)
childHash | Digest or hash of the downloaded file. | String
childDriveType | Type of drive where the downloaded file resides. | Fixed, Remote, Removable
childPath | Path of the downloaded file. | String
childValidSig | Whether the downloaded file is digitally signed. | Boolean
childCompany | Content of the Company attribute of the downloaded file metadata. | String
childCat | Category of the downloaded file. | Goodware, Malware, PUP, Unknown, Monitoring
childMwname | Malware name if the downloaded file is classified as a threat. | String (Null if the item is not malware)
firstParentCat | Initial classification of the parent file that performed the logged operation. | Goodware, Malware, PUP, Unknown, Monitoring, Null
firstChildCat | Initial classification of the child file that performed the logged operation. | Goodware, Malware, PUP, Unknown, Monitoring, Null
vulnerableappsfound
This data table logs every vulnerable application found on each computer on the network.
Field | Description | Values
---|---|---
eventdate | Date and time when the event was received on the Advanced Reporting Tool server. The value shown in the management UI depends on the time zone configured on the computer. | Date
serverdate | Date and time when the event was logged on the user computer (in UTC format). | Date
muid | Internal ID of the computer. | String in this format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
machineName | Name of the computer. | String
machineIP | IP address of the computer. | IP address
criticalSoftEventType | Indicates the existence of vulnerable software. | Present
itemHash | Digest of the vulnerable program found on the computer. | String
fileName | Name of the vulnerable file. | String
filePath | Full path of the vulnerable file. | String
internalName | Content of the Name attribute of the vulnerable file metadata. | String
companyName | Content of the Company attribute of the vulnerable file metadata. | String
fileVersion | Content of the Version attribute of the vulnerable file metadata. | String
productVersion | Content of the ProductVersion attribute of the vulnerable file metadata. | String