Operands (facet value extractors)

The Aurora Focus CAE uses facet value extractors to identify an individual property (facet) of a single artifact that is associated with an event that Aurora Focus observed. While facet value extractors are narrowly scoped by themselves, they can be strung together in a logical way to analyze complex behaviors that are occurring on a device, and to trigger a detection event.

| Extractor name | Description | Supported facets |
| --- | --- | --- |
| InstigatingProcess | Extracts a facet from the instigating process of an event. Commonly used to inspect the name or command-line arguments of the process that initiates an action (for example, starting another process, opening a network connection, or writing a file). | Name (as String), CommandLine (as String) |
| InstigatingProcessImageFile | Extracts a facet from the image file associated with the instigating process of an event. Commonly used to inspect attributes of the image file (for example, name, path, hash, or signature status). | Path (as String), Size (as Integer), Md5Hash (as String), Sha256Hash (as String), IsHidden (as Boolean), IsReadOnly (as Boolean), Directory (as String), SuspectedFileType (as String), SignatureStatus (as String), IsSelfSigned (as Boolean), LeafDNString (as String), LeafThumbprint (as String), LeafSignatureAlgorithm (as String), LeafCN (as String), LeafDN (as String), LeafOU (as String), LeafO (as String), LeafL (as String), LeafC (as String), IssuerDNString (as String), IssuerThumbprint (as String), IssuerSignatureAlgorithm (as String), IssuerCN (as String), IssuerDN (as String), IssuerOU (as String), IssuerO (as String), IssuerL (as String), IssuerC (as String), RootDNString (as String), RootThumbprint (as String), RootSignatureAlgorithm (as String), RootCN (as String), RootDN (as String), RootOU (as String), RootO (as String), RootL (as String), RootC (as String) |
| InstigatingProcessOwner | Extracts a facet from the owner of the instigating process of an event. Commonly used to inspect the user who owns the process. | Name (as String), Domain (as String) |
| TargetFile | Extracts a facet from the file on which an event occurred. Commonly used to inspect attributes of the file (for example, name, path, hash, or signature status). | See InstigatingProcessImageFile above. |
| TargetFileOwner | Extracts a facet from the owner of the file on which an event occurred. Commonly used to inspect the user who owns the file. | See InstigatingProcessOwner above. |
| TargetNetworkConnection | Extracts a facet from the network connection on which an event occurred. Commonly used to inspect the IP address or port that is acted on. | SourceAddress (as IPAddress), SourcePort (as Integer), DestinationAddress (as IPAddress), DestinationPort (as Integer) |
| TargetProcess | Extracts a facet from the process on which an event occurred. Commonly used to inspect the name or command-line arguments of the process that is acted on. | See InstigatingProcess above. |
| TargetProcessImageFile | Extracts a facet from the image file associated with the process on which an event occurred. Commonly used to inspect attributes of the image file (for example, name, path, hash, or signature status). | See InstigatingProcessImageFile above. |
| TargetProcessOwner | Extracts a facet from the owner of the process on which an event occurred. Commonly used to inspect the user who owns the process that is acted on. | See InstigatingProcessOwner above. |
| TargetRegistryKey | Extracts a facet from the registry key on which an event occurred. Commonly used to inspect the registry key path or value name that is acted on. | Path (as String), ValueName (as String) |

Path value extractors

| Extractor name | Description |
| --- | --- |
| EnvVar | Extracts the value of an environment variable from the OS. |
| LiteralWithEnvVar | Expands a literal path that contains environment-variable references. |
| Literal | Represents a literal value; it is the most common extractor and operand. |
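As an added example that is not Aurora Focus CAE code and does not use its rule syntax, the following Python models both operand families in this reference: the facet value extractors from the first table (nested lookups into an observed event) and the path value extractors Literal, EnvVar and LiteralWithEnvVar from the second, then strings them together into one detection condition for a persistence behaviour. The event shape, the `%NAME%` environment-variable reference style, the comparison and connective names (`equals`, `starts_with`, `contains`, `all_of`), and every sample value are assumptions made for this example.

```python
"""Added example (not Aurora Focus CAE code or its rule syntax): a Python model
of facet value extractors and path value operands, showing how narrowly scoped
extractors compose into one detection condition. Every function name, the
%NAME% reference style and every sample value are constructed for illustration."""
import os
import re
from typing import Any, Callable, Optional

# An event is modelled as nested dicts whose keys follow the artifact and facet
# names in the tables above (assumed shape, not the product's schema).
Event = dict
Operand = Callable[[Event], Any]  # anything that yields one value for an event


def _facet_extractor(*artifact_path: str) -> Callable[[str], Operand]:
    """Build an extractor that reads `facet` from the artifact at artifact_path."""
    def extractor(facet: str) -> Operand:
        def get(ev: Event) -> Any:
            obj: Any = ev
            for key in artifact_path + (facet,):
                obj = obj.get(key) if isinstance(obj, dict) else None
            return obj  # None when the event has no such artifact or facet
        return get
    return extractor

InstigatingProcess = _facet_extractor("InstigatingProcess")
InstigatingProcessImageFile = _facet_extractor("InstigatingProcess", "ImageFile")
InstigatingProcessOwner = _facet_extractor("InstigatingProcess", "Owner")
TargetRegistryKey = _facet_extractor("TargetRegistryKey")

# Path value operands. Literal, EnvVar and LiteralWithEnvVar share the Operand
# shape, which is what lets them sit on either side of a comparison.
_ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")  # assumed %NAME% style

def expand_path(template: str, env: dict) -> str:
    """Expand %NAME% references from env; unknown names are left as written."""
    return _ENV_REF.sub(lambda m: env.get(m.group(1), m.group(0)), template)

def Literal(value: Any) -> Operand:
    return lambda ev: value

def EnvVar(name: str, env: Optional[dict] = None) -> Operand:
    return lambda ev: (os.environ if env is None else env).get(name)

def LiteralWithEnvVar(template: str, env: Optional[dict] = None) -> Operand:
    return lambda ev: expand_path(template, os.environ if env is None else env)

# Comparisons and connectives (assumed names). Windows paths and registry keys
# are case-insensitive, so string operands are lower-cased before comparing.
def _fold(v: Any) -> Any:
    return v.lower() if isinstance(v, str) else v

def equals(lhs: Operand, rhs: Operand) -> Operand:
    return lambda ev: _fold(lhs(ev)) == _fold(rhs(ev))

def starts_with(lhs: Operand, rhs: Operand) -> Operand:
    return lambda ev: isinstance(lhs(ev), str) and _fold(lhs(ev)).startswith(_fold(rhs(ev)))

def contains(lhs: Operand, rhs: Operand) -> Operand:
    return lambda ev: isinstance(lhs(ev), str) and _fold(rhs(ev)) in _fold(lhs(ev))

def all_of(*conds: Operand) -> Operand:
    return lambda ev: all(c(ev) for c in conds)

# Constructed environment so the example never reads the host's variables.
CONSTRUCTED_ENV = {"USERPROFILE": "C:\\Users\\alice", "USERDOMAIN": "CORP"}

# Detection condition: an unsigned binary running from the user's profile, owned
# by a user of the local domain, writes a Run key (a common persistence location).
unsigned_profile_binary_sets_run_key = all_of(
    equals(InstigatingProcessImageFile("SignatureStatus"), Literal("Unsigned")),
    starts_with(InstigatingProcessImageFile("Path"), LiteralWithEnvVar("%USERPROFILE%\\", CONSTRUCTED_ENV)),
    equals(InstigatingProcessOwner("Domain"), EnvVar("USERDOMAIN", CONSTRUCTED_ENV)),
    contains(TargetRegistryKey("Path"), Literal("\\CurrentVersion\\Run")),
)

def sample_events() -> dict:
    """Two constructed events: one that should fire and one that should not."""
    suspicious = {
        "InstigatingProcess": {
            "Name": "update.exe",
            "ImageFile": {"Path": "C:\\Users\\alice\\AppData\\Roaming\\update.exe", "SignatureStatus": "Unsigned"},
            "Owner": {"Name": "alice", "Domain": "CORP"},
        },
        "TargetRegistryKey": {"Path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                              "ValueName": "Updater"},
    }
    benign = {
        "InstigatingProcess": {
            "Name": "explorer.exe",
            "ImageFile": {"Path": "C:\\Windows\\explorer.exe", "SignatureStatus": "Signed"},
            "Owner": {"Name": "alice", "Domain": "CORP"},
        },
        "TargetRegistryKey": {"Path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
                              "ValueName": "Hidden"},
    }
    return {"suspicious": suspicious, "benign": benign}
```

Because every extractor and path operand has the same call shape, a condition is just a tree of operands, and a missing artifact (for example a registry-key extractor applied to a file event) yields `None`, which no comparison matches rather than raising. Passing an explicit environment dict to `EnvVar` and `LiteralWithEnvVar` keeps the condition deterministic for testing; omitting it falls back to the process environment, as the real extractors would on the endpoint.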