
Artifacts of interest

You can use the artifacts of interest (AOI) in the actions field to define a list of artifacts that Optics can perform automated response actions on. The AOI follow the same syntax as operands. Any artifact that is associated with an event or set of events that satisfy a state can be marked as an AOI. An AOI does not need to be defined as an operand to be considered an AOI.

If a filter is applied to a state, note that some AOI will not be available to take automatic response actions against. For example, if a file create filter is applied to a state, file- and process-related AOI would be available, but registry- and network-related AOI would not. If an irrelevant AOI is provided in a state, the Optics agent will gracefully handle its exclusion. The table below outlines the applicable filter-to-AOI relationships.
| Category | Subcategory      | Type          | Applicable AOI |
|----------|------------------|---------------|----------------|
| File     |                  | Create        | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
| File     |                  | Delete        | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
| File     |                  | Rename        | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
| File     |                  | Write         | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetFile, TargetFileOwner |
| Network  | IPv4             | Connect       | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
| Network  | IPv6             | Connect       | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
| Network  | TCP              | Connect       | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
| Network  | UDP              | Connect       | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetNetworkConnection |
| Process  |                  | Exit          | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
| Process  |                  | Start         | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
| Process  | CylancePROTECT   | AbnormalExit  | TargetProcess, TargetProcessImageFile, TargetProcessOwner |
| Registry | PersistencePoint | KeyCreating   | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | KeyCreated    | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | KeyDeleting   | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | KeyDeleted    | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | KeyRenaming   | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | KeyRenamed    | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | ValueChanging | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | ValueChanged  | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | ValueDeleting | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Registry | PersistencePoint | ValueDeleted  | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetRegistryKey |
| Thread   |                  | Create        | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
| Thread   |                  | Inject        | InstigatingProcess, InstigatingProcessImageFile, InstigatingProcessOwner, TargetProcess, TargetProcessImageFile, TargetProcessOwner |
Example:

    "Actions": [
        { "Type": "AOI", "ItemName": "InstigatingProcess", "Position": "PostActivation" },
        { "Type": "AOI", "ItemName": "TargetProcess", "Position": "PostActivation" },
        { "Type": "AOI", "ItemName": "InstigatingProcessOwner", "Position": "PostActivation" }
    ],
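A rule-authoring check for the filter-to-AOI table above, as an added example that is not part of the original documentation or the Optics agent. It encodes the table and reports which AOI actions in a state would be excluded for a given event filter, so a mismatch is caught before the rule is deployed; the (Category, Subcategory, Type) tuple, the empty-string subcategory for rows with none, and the sample actions list are assumptions made for this example.

```python
import json

# The table above, keyed by (Category, Subcategory, Type). "" marks a row with no subcategory.
_INSTIGATOR = ("InstigatingProcess", "InstigatingProcessImageFile", "InstigatingProcessOwner")
_TARGET_FILE = ("TargetFile", "TargetFileOwner")
_TARGET_PROC = ("TargetProcess", "TargetProcessImageFile", "TargetProcessOwner")

APPLICABLE_AOI = {}
for t in ("Create", "Delete", "Rename", "Write"):
    APPLICABLE_AOI[("File", "", t)] = _INSTIGATOR + _TARGET_FILE
for sub in ("IPv4", "IPv6", "TCP", "UDP"):
    APPLICABLE_AOI[("Network", sub, "Connect")] = _INSTIGATOR + ("TargetNetworkConnection",)
for t in ("Exit", "Start"):
    APPLICABLE_AOI[("Process", "", t)] = _INSTIGATOR + _TARGET_PROC
APPLICABLE_AOI[("Process", "CylancePROTECT", "AbnormalExit")] = _TARGET_PROC
for t in ("KeyCreating", "KeyCreated", "KeyDeleting", "KeyDeleted", "KeyRenaming",
          "KeyRenamed", "ValueChanging", "ValueChanged", "ValueDeleting", "ValueDeleted"):
    APPLICABLE_AOI[("Registry", "PersistencePoint", t)] = _INSTIGATOR + ("TargetRegistryKey",)
for t in ("Create", "Inject"):
    APPLICABLE_AOI[("Thread", "", t)] = _INSTIGATOR + _TARGET_PROC


def check_aoi(filter_key, actions):
    """Split the AOI actions of a state into (available, excluded) for the given event filter.

    Mirrors the agent behaviour described above: an AOI that the filter cannot
    supply is dropped rather than acted on. Non-AOI actions are ignored.
    """
    allowed = APPLICABLE_AOI.get(filter_key, ())
    names = [a["ItemName"] for a in actions if a.get("Type") == "AOI"]
    available = [n for n in names if n in allowed]
    excluded = [n for n in names if n not in allowed]
    return available, excluded


# Constructed sample: the page's three AOI actions plus a registry AOI.
SAMPLE_ACTIONS = json.loads("""[
    { "Type": "AOI", "ItemName": "InstigatingProcess", "Position": "PostActivation" },
    { "Type": "AOI", "ItemName": "TargetProcess", "Position": "PostActivation" },
    { "Type": "AOI", "ItemName": "InstigatingProcessOwner", "Position": "PostActivation" },
    { "Type": "AOI", "ItemName": "TargetRegistryKey", "Position": "PostActivation" }
]""")

if __name__ == "__main__":
    # With a File/Create filter, TargetProcess and TargetRegistryKey are not available.
    for key in (("File", "", "Create"), ("Registry", "PersistencePoint", "ValueChanged")):
        available, excluded = check_aoi(key, SAMPLE_ACTIONS)
        print(key, "available:", available, "excluded:", excluded)
```

Note that the page's own example actions include TargetProcess, which the table lists only for process and thread filters; under a file filter the check flags it as excluded.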