Operands (facet value extractors)
The CylanceOPTICS CAE uses facet value extractors to identify an individual property (facet) of a single artifact that is associated with an event that CylanceOPTICS observed. While facet value extractors are narrowly scoped by themselves, they can be strung together in a logical way to analyze complex behaviors that are occurring on a device, and to trigger a detection event.

Extractor name | Description | Supported facets |
---|---|---|
InstigatingProcess | This extractor extracts a facet from the instigating process of an event, and is commonly used to inspect the name or command line arguments of a process that is initiating an action (for example, starting another process, initiating a network connection, or writing a file). | Name (as String), CommandLine (as String) |
InstigatingProcessImageFile | This extractor extracts a facet from the image file that is associated with the instigating process of an event. It is commonly used to inspect various attributes of the image file (for example, name, path, hash, or signature status). | Path (as String), Size (as Integer), Md5Hash (as String), Sha256Hash (as String), IsHidden (as Boolean), IsReadOnly (as Boolean), Directory (as String), SuspectedFileType (as String), SignatureStatus (as String), IsSelfSigned (as Boolean), LeafDNSString (as String), LeafThumbprint (as String), LeafSignatureAlgorithm (as String), LeafCN (as String), LeafDN (as String), LeafOU (as String), LeafO (as String), LeafL (as String), LeafC (as String), IssuerDNString (as String), IssuerThumbprint (as String), IssuerSignatureAlgorithm (as String), IssuerCN (as String), IssuerDN (as String), IssuerOU (as String), IssuerO (as String), IssuerL (as String), IssuerC (as String), RootDNString (as String), RootThumbprint (as String), RootSignatureAlgorithm (as String), RootCN (as String), RootDN (as String), RootOU (as String), RootO (as String), RootL (as String), RootC (as String) |
InstigatingProcessOwner | This extractor extracts a facet from the owner associated with the instigating process of an event. It is commonly used to inspect the user who owns the process. | Name (as String), Domain (as String) |
TargetFile | This extractor extracts a facet from a file on which an event occurred. It is commonly used to inspect various attributes of the file (for example, name, path, hash, or signature status). | See InstigatingProcessImageFile above. |
TargetFileOwner | This extractor extracts a facet from the owner that is associated with the file on which an event occurred. It is commonly used to inspect the user who owns the file. | See InstigatingProcessOwner above. |
TargetNetworkConnection | This extractor extracts a facet from the network connection on which an event occurred. It is commonly used to inspect the network IP address or the port that is acted on. | SourceAddress (as IPAddress), SourcePort (as Integer), DestinationAddress (as IPAddress), DestinationPort (as Integer) |
TargetProcess | This extractor extracts a facet from the process on which an event occurred. It is commonly used to inspect the name or command line arguments of a process that is acted on. | See InstigatingProcess above. |
TargetProcessImageFile | This extractor extracts a facet from the image file that is associated with a process on which an event occurred. It is commonly used to inspect the attributes of the image file (for example, name, path, hash, or signature status). | See InstigatingProcessImageFile above. |
TargetProcessOwner | This extractor extracts a facet from the owner that is associated with a process on which an event occurred. It is commonly used to inspect the user who owns the process that is acted on. | See InstigatingProcessOwner above. |
TargetRegistryKey | This extractor extracts a facet from the registry key on which an event occurred. It is commonly used to inspect the registry key or value that is acted on. | Path (as String), ValueName (as String) |
Path value extractors
Extractor name | Description |
---|---|
EnvVar | EnvVar extracts an environment variable from the OS. |
LiteralWithEnvVar | LiteralWithEnvVar expands a path that contains an environment variable. |
Literal | Literal represents a literal value and is the most common extractor and operand. |
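To show how facet value extractors and path value extractors combine into one detection, the Python model below (an added illustration, not CylanceOPTICS code and not the CAE's real rule syntax) resolves extractors from both tables against a constructed event and environment, then chains three comparisons. The `Source`/`Data`/`Type` keys, the operator names (`Equals`, `StartsWith`, `InSubnet`) and the event layout are assumptions of this model; only the extractor and facet names come from the tables above.

```python
import ipaddress

# Constructed sample event (not real telemetry). Section and facet names follow the
# extractor table above; the dict layout is an assumption of this model.
SAMPLE_EVENT = {
    "InstigatingProcess": {"Name": "powershell.exe"},
    "TargetFile": {"Path": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe", "IsHidden": True},
    "TargetNetworkConnection": {"DestinationAddress": "203.0.113.7", "DestinationPort": 4444},
}
SAMPLE_ENV = {"APPDATA": "C:\\Users\\alice\\AppData\\Roaming"}  # stands in for the OS environment

def extract(operand, event, env):
    """Facet value extractors read facet Data from event section Source; path value
    extractors (Literal, EnvVar, LiteralWithEnvVar) yield the comparison value."""
    source, data = operand["Source"], operand["Data"]
    if source == "Literal":
        return data
    if source == "EnvVar":
        return env[data]
    if source == "LiteralWithEnvVar":
        for name, value in env.items():  # expand every %NAME% token in the literal
            data = data.replace(f"%{name}%", value)
        return data
    return event[source][data]

def evaluate(condition, event, env=SAMPLE_ENV):
    """Compare two resolved operands; string facets compare case-insensitively."""
    left, right = (extract(o, event, env) for o in condition["Operands"])
    kind = condition["Type"]
    if kind == "Equals":
        return left.lower() == right.lower() if isinstance(left, str) else left == right
    if kind == "StartsWith":
        return left.lower().startswith(right.lower())
    if kind == "InSubnet":  # IPAddress facet tested against a CIDR literal
        return ipaddress.ip_address(left) in ipaddress.ip_network(right)
    raise ValueError(f"unknown operator {kind}")

# Hypothetical detection chaining three extractors: PowerShell writes a file under
# %APPDATA% while connected to the constructed 203.0.113.0/24 range (all conditions must hold).
RULE = [
    {"Type": "Equals", "Operands": [{"Source": "InstigatingProcess", "Data": "Name"},
                                    {"Source": "Literal", "Data": "PowerShell.exe"}]},
    {"Type": "StartsWith", "Operands": [{"Source": "TargetFile", "Data": "Path"},
                                        {"Source": "LiteralWithEnvVar", "Data": "%APPDATA%\\"}]},
    {"Type": "InSubnet", "Operands": [{"Source": "TargetNetworkConnection", "Data": "DestinationAddress"},
                                      {"Source": "Literal", "Data": "203.0.113.0/24"}]},
]

def rule_matches(event, rule=RULE, env=SAMPLE_ENV):
    """Every condition must hold for the detection to fire."""
    return all(evaluate(c, event, env) for c in rule)
```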