Data Control Visualization — Data Fields
Applies To: WatchGuard Data Control
WatchGuard EPDR or WatchGuard EDR collects information about the processes run on all workstations and servers across the network. If those processes access files with Personally Identifiable Information (PII), the information is sent to the WatchGuard Data Control server, where it is organized into a table. Each line of the table is an event monitored by Data Control, and provides information such as when the event occurred, the computer where it took place and its IP address, and more.
ops
This data table stores all information related to the monitoring of files with PII.
Field | Description | Values |
---|---|---|
eventdate | Date and time when the event was logged on the Data Control server. The value in the management UI is dependent on the time zone configured on the computer. | Date |
serverdate | Date and time on the workstation or server when the event was generated (in UTC format). | Date |
machineName | Workstation or server name. | String |
machineIP | Workstation or server IP address. | IP address |
user | User name of the process that operated on the file. | String |
exfiltrationFlag | Indicates whether the file was the subject of an operation classified as data exfiltration, data infiltration, or both. | Infiltration, Exfiltration, Both |
docSize | Size of the file with PII (in bytes). | Numeric |
op | Operation performed on the file with PII. | Create, Modify, Open, Delete, Rename, Copy-Paste, OnDemand (search launched from the management UI by the administrator) |
fatherHash | MD5 of the process that operated on the file with PII. This field will be empty if the operation is On Demand. | String |
fatherPath | Path of the process that operated on the file with PII. This field will be empty if the operation is On Demand. | String |
fatherCategory | Category of the process that operated on the file with PII. This field will be empty if the operation is On Demand. | Goodware, Malware, Monitoring (unknown process in the process of classification), PUP (unwanted program) |
documentPath | Drive where the file with PII that was operated on resides, and its path, in this format: DEVICE TYPE\|PATH | String |
documentName | Name of the file that was operated on. In rename operations, this field displays the DocumentName value of the original file, and the DocumentName value of the renamed file, in this format: TARGET_NAME\|ORIGINAL_NAME | String; String \| String |
documentHash | Hash of the file that was operated on. | String |
deviceType | Drive where the file with PII that was operated on resides. | String. 0: UNKNOWN; 1: NO_ROOT_DIR (path is invalid or does not exist); 2: REMOVABLE (mobile device: external hard drive, card reader, USB device, etc.); 3: FIXED (internal hard drive); 5: CDROM; 6: RAMDISK |
creditCard | Indicates whether the credit card number data type was found in the file with PII. | Boolean |
bankAccount | Indicates whether the bank account number data type was found in the file with PII. | Boolean |
personalID | Indicates whether the ID card number data type was found in the file with PII. | Boolean |
driveLic | Indicates whether the driver's license number data type was found in the file with PII. | Boolean |
passPort | Indicates whether the passport number data type was found in the file with PII. | Boolean |
SSId | Indicates whether the social security number data type was found in the file with PII. | Boolean |
 | Indicates whether the email address data type was found in the file with PII. | Boolean |
IP | Indicates whether the IP address data type was found in the file with PII. | Boolean |
name | Indicates whether the first and last name data type was found in the file with PII. | Boolean |
address | Indicates whether the physical address data type was found in the file with PII. | Boolean |
phone | Indicates whether the phone number data type was found in the file with PII. | Boolean |
estimatedNumPII | Estimated number of found data types. | Numeric |
Reclassified | True: The file contained PII but no longer contains it. False: The file has not been reclassified and therefore contains PII. | Boolean |
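
One way to consume the ops fields for triage, as an added example that is not WatchGuard's code. It assumes each row is available as a dict keyed by the field names above with string values; the sample row is constructed and the score weights are illustrative.

```python
# Added example. Field names and value sets are from the "ops" table; the
# dict-per-row shape, string encodings and score weights are assumptions.
# The email-address flag is omitted: its field name is blank on the page.
DEVICE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE",
                3: "FIXED", 5: "CDROM", 6: "RAMDISK"}
PII_FLAGS = ("creditCard", "bankAccount", "personalID", "driveLic",
             "passPort", "SSId", "IP", "name", "address", "phone")
SAMPLE = {"op": "Rename", "exfiltrationFlag": "Exfiltration",  # constructed row
          "deviceType": "2", "fatherCategory": "Monitoring", "creditCard": "True",
          "documentPath": "2|E:\\export", "Reclassified": "False", "phone": "True",
          "documentName": "notes.txt|customers.xlsx"}

def is_true(value):
    return str(value).strip().lower() == "true"

def device_name(value):
    """Map a deviceType code (int or numeric string) to its name; pass names through."""
    text = str(value).strip()
    return DEVICE_TYPES.get(int(text), "UNKNOWN") if text.isdecimal() else text.upper()

def normalize(row):
    """Split the pipe-delimited composite fields of one ops row."""
    event = dict(row)
    # documentPath is DEVICE TYPE|PATH; split on the first pipe only.
    dev, sep, path = row.get("documentPath", "").partition("|")
    event["path"] = path if sep else dev
    # documentName is TARGET_NAME|ORIGINAL_NAME only in rename operations.
    name = row.get("documentName", "")
    target, sep, original = name.partition("|")
    renamed = row.get("op") == "Rename" and bool(sep)
    event["targetName"], event["originalName"] = (target, original) if renamed else (name, None)
    event["device"] = device_name(row.get("deviceType", 0))
    event["piiTypes"] = [f for f in PII_FLAGS if is_true(row.get(f))]
    return event

def triage(row):
    """Return (score, reasons) so events can be sorted for review."""
    ev = normalize(row)
    if is_true(ev.get("Reclassified")):
        return 0, ["reclassified: no longer contains PII"]
    cat = ev.get("fatherCategory")
    checks = [
        (ev.get("exfiltrationFlag") in ("Exfiltration", "Both"), 3, "exfiltration flag"),
        (ev["device"] == "REMOVABLE", 2, "removable drive"),
        (cat == "Malware", 3, "malware process"),
        (cat in ("PUP", "Monitoring"), 1, "unclassified or unwanted process"),
    ]
    hits = [(w, r) for ok, w, r in checks if ok]
    return sum(w for w, _ in hits), [r for _, r in hits]
```
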
usrrules
This data table stores all information collected from the files specified in rules defined by the administrator.
Field | Description | Values |
---|---|---|
eventdate | Date and time when the event was logged on the Data Control server. The value in the management UI is dependent on the time zone configured on the computer. | Date |
serverdate | Date and time on the workstation or server when the event was generated (in UTC format). | Date |
machineName | Workstation or server name. | Character string |
machineIP | Workstation or server IP address. | IP address |
user | Name of the user who was logged in when the event was logged. | Character string |
exfiltrationFlag | Indicates that the file has been the subject of an operation classified as data exfiltration, data infiltration, or both. | Infiltration, Exfiltration, Both |
docSize | Size of the file in bytes. | Numeric |
op | Operation performed on the file with PII. | Create, Modify, Open, Delete, Rename, Copy-Paste |
fatherHash | MD5 of the process that operated on the file. | Character string |
fatherPath | Path of the process that operated on the file. | Character string |
fatherCat | Category of the process that operated on the file. | Goodware, Malware, Monitoring (unknown process in the process of classification), PUP (unwanted program) |
documentPath | Drive where the file that was operated on resides, and its path, in this format: DEVICE TYPE\|PATH | Character string |
documentName | Name of the file that was operated on. In rename operations, this field displays the documentName value of the original file and the documentName value of the renamed file, in this format: TARGET_NAME\|ORIGINAL_NAME | Character string; Character string \| Character string |
documentHash | Hash of the file that was operated on. | Character string |
deviceType | Drive where the file with PII that was operated on resides. | Character string. 0: UNKNOWN; 1: NO_ROOT_DIR (path is invalid or does not exist); 2: REMOVABLE (portable device, external hard drive, card reader, USB device, etc.); 3: FIXED (internal hard drive); 5: CDROM; 6: RAMDISK |
usrRules | Names of the rules entered in the WatchGuard Endpoint Security management UI that monitor the file. They are separated with the \| (pipe) character. | Character string \| Character string \| Character string |
usrrulesmail
This data table stores all information collected from email messages that contain files monitored as specified in the rules defined by the administrator.
Field | Description | Values |
---|---|---|
eventdate | Date and time when the event was logged on the Data Control server. The value in the management UI is dependent on the time zone configured on the computer. | Date |
serverdate | Date and time on the workstation or server when the event was generated (in UTC format). | Date |
machineName | Workstation or server name. | Character string |
machineIP | Workstation or server IP address. | IP address |
loggeduser | Name of the user who was logged in when the event was logged. | Character string |
msgID | Unique ID of the message. | Character string |
msgTo | Email address of the message recipient. | Character string |
msgFrom | Email address of the message sender. | Character string |
msgSentDate | Date the message was sent. In received messages, this field is Null. | Date |
msgSubject | Message subject. | Character string |
msgReceivedDate | Date the message was received. In sent messages, this field is Null. | Character string |
msgElement | Monitored item in the message. | “Attachment” character string |
msgElementSize | Size of the monitored file. | Numeric |
msgElementName | Name of the monitored file. | Character string |
msgElementHash | MD5 of the monitored file. | Character string |
msgExfiltrationFlag | Indicates that the file has been the subject of an operation classified as data exfiltration, data infiltration, or both. | INFILTRATION, EXFILTRATION, BOTH |
usrRules | Names of the rules entered in the WatchGuard Endpoint Security management UI that monitor the file. They are separated with the \| (pipe) character. | Character string \| Character string \| Character string... |
This data table stores all information collected from the email messages that contain files classified as PII, as well as the characteristics of the files with personal data.
Field | Description | Values |
---|---|---|
eventdate | Date and time when the event was logged on the Data Control server. The value in the management UI is dependent on the time zone configured on the computer. | Date |
serverdate | Date and time on the workstation or server when the event was generated (in UTC format). | Date |
machineName | Workstation or server name. | Character string |
machineIP | Workstation or server IP address. | IP address |
LoggedUser | Name of the logged-in user when the event was logged. | Character string |
msgID | Unique ID of the message. | Character string |
msgTo | Email address of the message recipient. | Character string |
msgFrom | Email address of the message sender. | Character string |
msgSentDate | Date the message was sent. In received messages, this field is Null. | Date |
msgSubject | Message subject. | Character string |
msgReceivedDate | Date the message was received. In sent messages, this field is Null. | Character string |
msgElement | Monitored item in the message. | “Attachment” character string |
msgElementSize | Size of the monitored file. | Numeric |
msgElementName | Name of the monitored file. | Character string |
msgElementHash | MD5 of the monitored file. | Character string |
msgExfiltrationFlag | Indicates that the file has been the subject of an operation classified as data exfiltration, data infiltration, or both. | INFILTRATION, EXFILTRATION, BOTH |
creditCard | Indicates whether the credit card number data type was found in the file with PII. | Boolean |
bankAccount | Indicates whether the bank account number data type was found in the file with PII. | Boolean |
personalID | Indicates whether the personal ID number data type was found in the file with PII. | Boolean |
driveLic | Indicates whether the driver’s license number data type was found in the file with PII. | Boolean |
passPort | Indicates whether the passport number data type was found in the file with PII. | Boolean |
SSId | Indicates whether the social security number data type was found in the file with PII. | Boolean |
 | Indicates whether the email address data type was found in the file with PII. | Boolean |
IP | Indicates whether the IP address data type was found in the file with PII. | Boolean |
name | Indicates whether the first and last name data type was found in the file with PII. | Boolean |
address | Indicates whether the physical address data type was found in the file with PII. | Boolean |
phone | Indicates whether the phone number data type was found in the file with PII. | Boolean |
estimatedNumPII | Estimated number of found data types. | Numeric |