Appendix B. Request Parameters for Filters

Below, you will find a full compilation of the parameters that can be used in search requests for filters. The parameters are organized into categories. For each parameter, its type is specified (text, integer, etc.).

Parameter categories:

•artefacts_fs

•defender:computer_status

•defender:preference

•defender:threat

•defender:threat_detection

•disk_bootsect

•dns

•drivers

•drweb:bases

•drweb:components

•drweb:info

•drweb:launched_modules

•events

•files

•fixes

•hosts

•installed_apps

•modules

•msi_apps

•net_connections

•net_providers:namespaces

•net_providers:protocols

•processes

•services

•startups:mstasks

•startups:registry

•startups:wmi

•sysobj:chromium_config

•sysobj:chromium_extensions

•sysobj:detects

•sysobj:dns

•sysobj:firefox_addons

•sysobj:firefox_config

•sysobj:ie

•sysobj:wmi

•system:bios

•system:cpu

•system:dep

•system:dirs

•system:dns

•system:firewall

•system:hdd

•system:kernel_va_shadowing

•system:locale

•system:machine_scores

•system:mapped_disks

•system:memory

•system:net_adapters

•system:os

•system:persisted_routes

•system:security_providers

•system:sessions

•system:shares

•system:smart

•system:speculation_control

•system:user_privelegies

•system:users

•system_reg_export

•winstore_apps

artefacts_fs

File artifacts

Parameter name	Parameter type
analysis_results.metawave.datetime	date and time
analysis_results.metawave.result	text
analysis_results.metawave.status	text
category_name	text
hash.sha1	text
hash.sha256	text
modification_datetime	date and time
modify_datetime	date and time
path	text
sha1	text
size	long
type	text

defender:computer_status

The computer status based on Microsoft Defender data

Parameter name	Parameter type
am_engine_version	text
am_product_version	text
am_service_enabled	boolean (true/false)
am_service_version	text
antispyware_enabled	boolean (true/false)
antispyware_signature_age	long
antispyware_signature_last_updated	date and time
antispyware_signature_version	text
antivirus_enabled	boolean (true/false)
antivirus_signature_age	long
antivirus_signature_last_updated	date and time
antivirus_signature_version	text
behavior_monitor_enabled	boolean (true/false)
category_name	text
computer_id	text
computer_state	long
full_scan_age	long
full_scan_end_time	text
full_scan_start_time	text
ioav_protection_enabled	boolean (true/false)
last_full_scan_source	long
last_quick_scan_source	long
nis_enabled	boolean (true/false)
nis_engine_version	text
nis_signature_age	long
nis_signature_last_updated	date and time
on_access_protection_enabled	boolean (true/false)
quick_scan_age	long
quick_scan_end_time	date and time
quick_scan_start_time	date and time
real_time_protection_enabled	boolean (true/false)
real_time_scan_direction	long

defender:preference

Microsoft Defender settings

Parameter name	Parameter type
category_name	text
check_for_signatures_before_running_scan	boolean (true/false)
computer_id	text
disable_archive_scanning	boolean (true/false)
disable_auto_exclusions	boolean (true/false)
disable_behavior_monitoring	boolean (true/false)
disable_catchup_full_scan	boolean (true/false)
disable_catchup_quick_scan	boolean (true/false)
disable_email_scanning	boolean (true/false)
disable_intrusion_prevention_system	text
disable_ioav_protection	boolean (true/false)
disable_privacy_mode	boolean (true/false)
disable_realtime_monitoring	boolean (true/false)
disable_removable_drive_scanning	boolean (true/false)
disable_restore_point	boolean (true/false)
disable_scanning_mapped_network_drives_for_full_scan	boolean (true/false)
disable_scanning_network_files	boolean (true/false)
disable_script_scanning	boolean (true/false)
exclusion_path	text
exclusion_process	text
high_threat_default_action	long
low_threat_default_action	long
maps_reporting	long
moderate_threat_default_action	long
quarantine_purge_items_after_delay	long
randomize_schedule_task_times	boolean (true/false)
real_time_scan_direction	long
remediation_schedule_day	long
reporting_additional_action_time_out	long
reporting_critical_failure_time_out	long
reporting_non_critical_time_out	long
scan_only_if_idle_enabled	boolean (true/false)
scan_parameters	long
scan_purge_items_after_delay	long
scan_schedule_day	long
scan_schedule_quick_scan_time	date and time
scan_schedule_time	date and time
severe_threat_default_action	long
signature_au_grace_period	long
signature_definition_update_file_shares_sources	text
signature_disable_update_on_startup_without_engine	boolean (true/false)
signature_fallback_order	text
signature_first_au_grace_period	long
signature_schedule_day	long
signature_schedule_time	date and time
signature_update_catchup_interval	long
signature_update_interval	long
submit_samples_consent	long
ui_lockdown	boolean (true/false)
unknown_threat_default_action	long

defender:threat

Threats detected by Microsoft Defender

Parameter name	Parameter type
category_id	long
category_name	text
did_threat_execute	boolean (true/false)
is_active	boolean (true/false)
resources	text
rollup_status	long
schema_version	text
severity_id	long
threat_id	long
threat_name	text
type_id	long

defender:threat_detection

Threat detection using Microsoft Defender

Parameter name	Parameter type
action_success	boolean (true/false)
additional_actions_bit_mask	long
am_product_version	text
category_name	text
cleaning_action_id	long
current_threat_execution_status_id	long
detection_id	text
detection_source_type_id	long
domain_user	text
initial_detection_time	date and time
last_threat_status_change_time	date and time
process_name	text
remediation_time	text
resources	text
threat_id	long
threat_status_error_code	long
threat_status_id	long

disk_bootsect

Boot sectors of disks

Parameter name	Parameter type
block.end_lba	text
block.size	text
block.start_lba	text
block.status	text
bus_type	text
bytes_per_sector	integer
category_name	text
cylinders	integer
gpt.header.backup_lba	text
gpt.header.data	text
gpt.header.disk_guid	text
gpt.header.first_usable_lba	text
gpt.header.header_crc	text
gpt.header.header_size	text
gpt.header.last_usable_lba	text
gpt.header.num_parts	text
gpt.header.part_entries_crc	text
gpt.header.part_entry_lba	text
gpt.header.primary_lba	text
gpt.header.reserved	text
gpt.header.revision	text
gpt.header.signature	text
gpt.header.sizeof_part_entry	text
gpt.partition.arkstatus	text
gpt.partition.attrib	text
gpt.partition.end_lba	text
gpt.partition.guid	text
gpt.partition.index	text
gpt.partition.name	text
gpt.partition.size	text
gpt.partition.size_in_sectors	text
gpt.partition.start_lba	text
gpt.partition.type	text
id	integer
logical_sector_size	text
mbr.arkstatus	text
mbr.data	text
mbr.disk_signature	long
mbr.partition.arkstatus	text
mbr.partition.boot_id	integer
mbr.partition.end_lba	text
mbr.partition.index	integer
mbr.partition.size	text
mbr.partition.size_in_sectors	long
mbr.partition.start_lba	long
mbr.partition.type	text
mbr.signature	integer
mbr.zero_padding	integer
media_type	integer
part_style	text
physical_sector_size	text
removable	text
sectors_per_track	integer
size	long
tracks_per_cylinder	integer

dns

DNS cache

Parameter name	Parameter type
category_name	text
data_len	integer
flags	integer
host	text
ipv4	IP-address
ipv6	IP-address
name	text
port	text
priority	text
ttl	integer
type	integer
type_name	text
weight	text

drivers

Drivers

Parameter name	Parameter type
base	text
category_name	text
path	text
size	long

drweb:bases

Dr.Web anti-virus databases

Parameter name	Parameter type
category_name	text
name	text
path	text
records	long
timestamp	date and time
type	integer
version	text

drweb:components

Dr.Web components

Parameter name	Parameter type
category_name	text
installation_datetime	date and time
name	text

drweb:info

Dr.Web product information

Parameter name	Parameter type
bases_path	text
category_name	text
dr_web_esinstall_path	text
dr_web_server_install_path	text
hash	text
hash_sha1	text
install_path	text
licenses.licence.key.applications	text
licenses.licence.key.created	text
licenses.licence.key.expires	text
licenses.licence.key.products	text
licenses.licence.key.productspec	text
licenses.licence.key.producttype	text
licenses.licence.key.subscriptionexpires	text
licenses.licence.name	text
licenses.licence.Settings.AppControl	text
licenses.licence.Settings.FileServer	text
licenses.licence.Settings.InetGateway	text
licenses.licence.Settings.LotusSpamFilter	text
licenses.licence.Settings.MailServer	text
licenses.licence.Settings.SpamFilter	text
licenses.licence.Settings.Users	text
licenses.licence.user.computers	text
licenses.licence.user.name	text
licenses.licence.user.number	text
product_mode	text
product_type	text
product_version	text
repo_path	text

drweb:launched_modules

Launched Dr.Web modules

Parameter name	Parameter type
launched	boolean (true/false)

drweb:licenses

Dr.Web licenses

Parameter name	Parameter type
category_name	text
key.applications	text
key.created	date and time
key.expires	date and time
key.product_spec	text
key.product_type	text
key.products	text
key.subscription_expires	date and time
path	text
settings.app_control	text
settings.AppControl	text
settings.file_server	text
settings.FileServer	text
settings.inet_gateway	text
settings.InetGateway	text
settings.lotus_spam_filter	text
settings.LotusSpamFilter	text
settings.mail_server	text
settings.MailServer	text
settings.spam_filter	text
settings.SpamFilter	text
settings.Users	text
settings.users	text
user.computers	integer
user.name	text
user.number	text

drweb:products

Dr.Web products

Parameter name	Parameter type
category_name	text
installation_datetime	date and time
name	text

drweb:quarantine

Malicious objects that are moved to quarantine

Parameter name	Parameter type
category_name	text
cause	text
data	text
flags	text
hash	text
initiator	text
is_admin	boolean (true/false)
object.atime	date and time
object.attrib.normal	boolean (true/false)
object.attrib.security	text
object.ctime	date and time
object.drive	text
object.full_size	integer
object.group_sid	text
object.mtime	date and time
object.owner_sid	text
object.path	text
object.size	integer
object.threat	text
path	text
qr_time	date and time
storage_period	integer
tag	text
type	text
version	text

engine_detects

Threats detected using signature databases

Parameter name	Parameter type
category_name	text
path	text
threat	text
type	text

events

Events

Parameter name	Parameter type
category	text
category_name	text
code	text
computer	text
content	text
event.event_data.binary.value	text
event.event_data.data.name	text
event.event_data.data.value	text
event.event_data.name	text
event.system.channel.value	text
event.system.computer.value	text
event.system.correlation.activity_id	text
event.system.event_id.qualifiers	text
event.system.event_id.value	text
event.system.event_record_id.value	text
event.system.execution.process_id	text
event.system.execution.thread_id	text
event.system.keywords.value	text
event.system.level.value	text
event.system.opcode.value	text
event.system.provider.event_source_name	text
event.system.provider.guid	text
event.system.provider.name	text
event.system.security.user_id	text
event.system.task.value	text
event.system.time_created.system_time	text
event.system.version.value	text
event.user_data.add_service_id.add_service_status.value	text
event.user_data.add_service_id.device_instance_id.value	text
event.user_data.add_service_id.driver_file_name.value	text
event.user_data.add_service_id.primary_service.value	text
event.user_data.add_service_id.service_name.value	text
event.user_data.add_service_id.update_service.value	text
event.user_data.audit_events_dropped.reason.value	text
event.user_data.cbs_package_change_state.client.value	text
event.user_data.cbs_package_change_state.error_code.value	text
event.user_data.cbs_package_change_state.intended_package_state.value	text
event.user_data.cbs_package_change_state.intended_package_state_textized.value	text
event.user_data.cbs_package_change_state.package_identifier.value	text
event.user_data.cbs_package_initiate_changes.client.value	text
event.user_data.cbs_package_initiate_changes.initial_package_state.value	text
event.user_data.cbs_package_initiate_changes.intended_package_state.value	text
event.user_data.cbs_package_initiate_changes.initial_package_state_textized.value	text
event.user_data.cbs_package_initiate_changes.package_identifier.value	text
event.user_data.cbs_store_corruption_repair_finish.error_code.value	text
event.user_data.cbs_store_corruption_repair_finish.repaired.value	text
event.user_data.cbs_store_corruption_repair_finish.total_corruption.value	text
event.user_data.cbs_store_corruption_repair_start.auto_triggered.value	text
event.user_data.cbs_store_corruption_repair_start.detection_only.value	text
event.user_data.cbs_update_change_state.client.value	text
event.user_data.cbs_update_change_state.error_code.value	text
event.user_data.cbs_update_change_state.package_identifier.value	text
event.user_data.cbs_update_change_state.update_name.value	text
event.user_data.data_0x8000003f.namespace.value	text
event.user_data.data_0x8000003f.provider.value	text
event.user_data.event_data.domain_name.value	text
event.user_data.event_data.domain_name_length.value	text
event.user_data.event_data.name.value	text
event.user_data.event_data.name_length.value	text
event.user_data.event_data.transport_flags.value	text
event.user_data.event_data.transport_name.value	text
event.user_data.event_data.transport_name_length.value	text
event.user_data.event_xml.address.value	text
event.user_data.event_xml.message_name.value	text
event.user_data.event_xml.reason.value	text
event.user_data.event_xml.session.value	text
event.user_data.event_xml.session_id.value	text
event.user_data.event_xml.source.value	text
event.user_data.event_xml.target_session.value	text
event.user_data.event_xml.user.value	text
event.user_data.init_channel_publisher_enable_failure.channel_path.value	text
event.user_data.init_channel_publisher_enable_failure.error_code.value	text
event.user_data.init_channel_publisher_enable_failure.publisher_guid.value	text
event.user_data.operation_client_failure.client_machine.value	text
event.user_data.operation_client_failure.client_process_id.value	text
event.user_data.operation_client_failure.component.value	text
event.user_data.operation_client_failure.id.value	text
event.user_data.operation_client_failure.operation.value	text
event.user_data.operation_client_failure.possible_cause.value	text
event.user_data.operation_client_failure.result_code.value	text
event.user_data.operation_client_failure.user.value	text
event.user_data.operation_ess_started.namespace_name.value	text
event.user_data.operation_ess_started.possible_cause.value	text
event.user_data.operation_ess_started.processid.value	text
event.user_data.operation_ess_started.provider.value	text
event.user_data.operation_ess_started.query.value	text
event.user_data.operation_ess_started.queryid.value	text
event.user_data.operation_ess_started.user.value	text
event.user_data.operation_essto_consumer_binding.consumer.value	text
event.user_data.operation_essto_consumer_binding.ess.value	text
event.user_data.operation_essto_consumer_binding.namespace.value	text
event.user_data.operation_essto_consumer_binding.possible_cause.value	text
event.user_data.operation_started_operational.code.value	text
event.user_data.operation_started_operational.host_process.value	text
event.user_data.operation_started_operational.process_id.value	text
event.user_data.operation_started_operational.provider_name.value	text
event.user_data.operation_started_operational.provider_path.value	text
event.user_data.operation_temporary_ess_started.client_machine.value	text
event.user_data.operation_temporary_ess_started.namespace_name.value	text
event.user_data.operation_temporary_ess_started.possible_cause.value	text
event.user_data.operation_temporary_ess_started.processid.value	text
event.user_data.operation_temporary_ess_started.query.value	text
event.user_data.operation_temporary_ess_started.user.value	text
event.user_data.rm_restart_event.applications.application.value	text
event.user_data.rm_restart_event.n_applications.value	text
event.user_data.rm_restart_event.reboot_reasons.value	text
event.user_data.rm_restart_event.rm_session_id.value	text
event.user_data.rm_session_event.rm_session_id.value	text
event.user_data.rm_session_event.utcstart_time.value	date and time
event.user_data.rm_unsupported_restart_event.app_type.value	text
event.user_data.rm_unsupported_restart_event.app_version.value	text
event.user_data.rm_unsupported_restart_event.display_name.value	text
event.user_data.rm_unsupported_restart_event.full_path.value	text
event.user_data.rm_unsupported_restart_event.pid.value	text
event.user_data.rm_unsupported_restart_event.reason.value	text
event.user_data.rm_unsupported_restart_event.rm_session_id.value	text
event.user_data.rm_unsupported_restart_event.status.value	text
event.user_data.rm_unsupported_restart_event.tssession_id.value	text
event.user_data.veto_app_event.app_name.value	text
event.user_data.veto_app_event.response_time.value	text
id	text
index	text
instance_id	text
keywords	text
logfile	text
msg	text
opcode	text
pid	text
source	text
task	text
tid	text
time	date and time
type	text
user	text

files

Files

Parameter name	Parameter type
analysis_results.metawave.datetime	date and time
analysis_results.metawave.result	text
analysis_results.metawave.status	text
arkstatus.cert	text
arkstatus.cloud	text
arkstatus.confidence	text
arkstatus.file	text
arkstatus.soft_type	text
arkstatus.soft_white	text
arkstatus.threat	text
arkstatus.type	text
atime	date and time
attrib.archive	boolean (true/false)
attrib.compressed	text
attrib.dir	boolean (true/false)
attrib.ea	text
attrib.hidden	boolean (true/false)
attrib.invalid	boolean (true/false)
attrib.normal	boolean (true/false)
attrib.not_content_indexed	boolean (true/false)
attrib.readonly	boolean (true/false)
attrib.recall_on_open	text
attrib.reparse_point	text
attrib.security	text
attrib.sparse	text
attrib.system	boolean (true/false)
attrib.temporary	boolean (true/false)
attrib.value	text
buildtime	date and time
category_name	text
certinfo.catfile	text
certinfo.creator_name	text
certinfo.creator_url	text
certinfo.item.alg	text
certinfo.item.ca	text
certinfo.item.eku	text
certinfo.item.flags	text
certinfo.item.from	date and time
certinfo.item.hash_alg	text
certinfo.item.hash_alg_type	text
certinfo.item.issuer.C	text
certinfo.item.issuer.CN	text
certinfo.item.issuer.DC	text
certinfo.item.issuer.L	text
certinfo.item.issuer.O	text
certinfo.item.issuer.OU	text
certinfo.item.issuer.SERIALNUMBER	text
certinfo.item.issuer.ST	text
certinfo.item.sn	text
certinfo.item.subject.C	text
certinfo.item.subject.CN	text
certinfo.item.subject.DC	text
certinfo.item.subject.L	text
certinfo.item.subject.O	text
certinfo.item.subject.OU	text
certinfo.item.subject.SERIALNUMBER	text
certinfo.item.subject.ST	text
certinfo.item.thumbprint	text
certinfo.item.thumbprint_sha256	text
certinfo.item.to	date and time
certinfo.timestamp	date and time
certinfo.type	text
ctime	date and time
device_characteristics	text
device_type	text
eainfo.item.data	text
eainfo.item.name	text
eainfo.item.size	text
easize	integer
hash.md5	text
hash.pemd5	text
hash.pesha1	text
hash.pesha256	text
hash.pesha384	text
hash.pesha512	text
hash.sha1	text
hash.sha256	text
info.format	text
info.sparse	text
is_inspected	boolean (true/false)
links	integer
path	text
pdb	text
signed	boolean (true/false)
size	integer
stat.atime	text
stat.attrs	text
stat.ctime	text
stat.gid	text
stat.mode	text
stat.mtime	text
stat.size	text
stat.uid	text
type	text
verinfo.company	text
verinfo.descr	text
verinfo.file_version_num	text
verinfo.origname	text
verinfo.product_name	text
verinfo.product_version	text
verinfo.product_version_num	text
verinfo.version	text
wtime	date and time
zone_transfer.app_id	text
zone_transfer.host_url	text
zone_transfer.id	text
zone_transfer.referrer_url	text
zone_transfer.package_name	text

fixes

Fixes

Parameter name	Parameter type
__type__	text
caption	text
category.id	text
category.name	text
category_name	text
comment	text
csname	text
descr	text
hidden	text
id	text
installed_by	text
installed_on	date and time
need_reboot	text
type	text

hosts

Hosts

Parameter name	Parameter type
category_name	text
ip.address	IP-address
ip.category	text
ip.domain.address	text
ip.domain.category	text
line	integer
path	text
text	text

installed_apps

Installed applications

Parameter name	Parameter type
category_name	text
hidden	text
id	text
location	text
name	text
sid	text
uninstall	text

modules

Modules

Parameter name	Parameter type
category_name	text
path	text

msi_apps

MSI applications

Parameter name	Parameter type
category_name	text
id	text
language	integer
msi_package_code	text
msi_product_code	text
name	text
vendor	text
version	text

net_connections

Network connections

Parameter name	Parameter type
__type__	text
category_name	text
local_addr	IP-address
local_port	integer
local_scopeid	text
path	text
pid	integer
remote_addr	IP-address
remote_port	integer
remote_scopeid	text
state	text
type	text

net_providers:namespaces

Network providers (namespaces)

Parameter name	Parameter type
active	boolean (true/false)
broken	boolean (true/false)
category_name	text
guid	text
name	text
namespace	text
path	text
version	text
wow64	boolean (true/false)

net_providers:protocols

Network providers (protocols)

Parameter name	Parameter type
broken	boolean (true/false)
category_name	text
entryid	text
flags	text
guid	text
name	text
path	text
protocol	text
scheme	text
version	text
wow64	boolean (true/false)

processes

Processes

Parameter name	Parameter type
appid	text
base	text
bit	integer
category_name	text
cmdline	text
create_time	date and time
curdir	text
handles	integer
ilevel	text
isdebugged	boolean (true/false)
kernel_time	text
memory_usage.other_op	long
memory_usage.pagefaults	long
memory_usage.pagefile_usage	long
memory_usage.peak_pagefile_usage	long
memory_usage.peak_virtual_size	long
memory_usage.peak_workingset	long
memory_usage.quota_non_pagedpool	long
memory_usage.quota_pagedpool	long
memory_usage.quota_peak_non_pagedpool	long
memory_usage.quota_peak_pagedpool	long
memory_usage.read_op	long
memory_usage.virtual_size	long
memory_usage.workingset	long
memory_usage.write_op	long
mitigations.aslr_policy.disallow_stripped_images	text
mitigations.aslr_policy.enable_bottom_up_randomization	text
mitigations.aslr_policy.enable_force_relocate_images	text
mitigations.aslr_policy.enable_high_entropy	text
mitigations.cfg_policy.enable_cfg	text
mitigations.cfg_policy.enable_export_suppression	text
mitigations.cfg_policy.strict_mode	text
mitigations.child_process_policy.allow_secure_process_creation	text
mitigations.child_process_policy.audit_no_child_process_creation	text
mitigations.child_process_policy.no_child_process_creation	text
mitigations.dynamic_code_policy.allow_remote_downgrade	text
mitigations.dynamic_code_policy.allow_thread_opt_out	text
mitigations.dynamic_code_policy.audit_prohibit_dynamic_code	text
mitigations.dynamic_code_policy.prohibit_dynamic_code	text
mitigations.extension_point_disable_policy.disable_extension_points	text
mitigations.font_disable_policy.audit_non_system_font_loading	text
mitigations.font_disable_policy.disable_non_system_fonts	text
mitigations.image_load_policy.audit_no_low_mandatory_label_images	text
mitigations.image_load_policy.audit_no_remote_images	text
mitigations.image_load_policy.no_low_mandatory_label_images	text
mitigations.image_load_policy.no_remote_images	text
mitigations.image_load_policy.prefer_system32_images	text
mitigations.payload_restriction_policy.audit_export_address_filter	text
mitigations.payload_restriction_policy.audit_export_address_filter_plus	text
mitigations.payload_restriction_policy.audit_import_address_filter	text
mitigations.payload_restriction_policy.audit_rop_caller_check	text
mitigations.payload_restriction_policy.audit_rop_sim_exec	text
mitigations.payload_restriction_policy.audit_rop_stack_pivot	text
mitigations.payload_restriction_policy.enable_export_address_filter	text
mitigations.payload_restriction_policy.enable_export_address_filter_plus	text
mitigations.payload_restriction_policy.enable_import_address_filter	text
mitigations.payload_restriction_policy.enable_rop_caller_check	text
mitigations.payload_restriction_policy.enable_rop_sim_exec	text
mitigations.payload_restriction_policy.enable_rop_stack_pivot	text
mitigations.redirection_trust_policy.audit_redirectiont_rust	text
mitigations.redirection_trust_policy.enforce_redirection_trust	text
mitigations.side_channel_isolation_policy.disable_page_combine	text
mitigations.side_channel_isolation_policy.isolate_security_domain	text
mitigations.side_channel_isolation_policy.smt_branch_target_isolation	text
mitigations.side_channel_isolation_policy.speculative_store_bypass_disable	text
mitigations.signature_policy.audit_microsoft_signed_only	text
mitigations.signature_policy.audit_store_signed_only	text
mitigations.signature_policy.microsoft_signed_only	text
mitigations.signature_policy.mitigation_opt_in	text
mitigations.signature_policy.store_signed_only	text
mitigations.strict_handle_check_policy.handle_exceptions_permanently_enabled	text
mitigations.strict_handle_check_policy.raise_exception_on_invalid_handle_reference	text
mitigations.syscall_disable_policy.audit_disallow_win32k_syscalls	text
mitigations.syscall_disable_policy.disallow_win32k_syscalls	text
mitigations.systemcall_filter_policy.filter_id	text
mitigations.user_pointer_auth_policy.enable_pointer_auth_user_ip	text
mitigations.user_shadow_stack_policy.audit	text
mitigations.user_shadow_stack_policy.audit_block_non_cet_binaries	text
mitigations.user_shadow_stack_policy.audit_set_context_ip_validation	text
mitigations.user_shadow_stack_policy.block_non_cet_binaries	text
mitigations.user_shadow_stack_policy.block_non_cet_binaries_non_ehcont	text
mitigations.user_shadow_stack_policy.cet_dynamic_apis_out_of_proc_only	text
mitigations.user_shadow_stack_policy.enable	text
mitigations.user_shadow_stack_policy.enable_strict_mode	text
mitigations.user_shadow_stack_policy.set_context_ip_validation	text
mitigations.user_shadow_stack_policy.set_context_ip_validation_relaxed_mode	text
module.arkstatus	text
module.base	text
module.buildtime	date and time
module.path	text
module.size	long
path	text
peb	text
pid	integer
ppid	integer
priority	integer
protection_audit	text
protection_level	text
protection_signer	text
protection_type	text
section_info.checksum	text
section_info.committed_stack_size	long
section_info.dll_characteristics	text
section_info.image_characteristics	text
section_info.image_contains_code	boolean (true/false)
section_info.image_file_size	long
section_info.image_flags	text
section_info.loader_flags	text
section_info.machine	text
section_info.max_stack_size	long
section_info.os_major_ver	text
section_info.os_minor_ver	text
section_info.subsystem	text
section_info.subsystem_major_ver	text
section_info.subsystem_minor_ver	text
section_info.transfer_address	text
section_info.zero_bits	text
session_id	text
shell_info	text
shortcut	text
size	long
threads.count	text
threads.thread.base_priority	text
threads.thread.create_time	text
threads.thread.kernel_time	text
threads.thread.path	text
threads.thread.priority	text
threads.thread.start_address	text
threads.thread.state	text
threads.thread.tid	text
threads.thread.user_time	text
threads.thread.win32_start_address	text
title	text
type	text
unique_id	text
user_time	text
window_flags	text

services

Services

Parameter name	Parameter type
category_name	text
checkpoint	text
cmdline	text
controls_accepted	text
depends	text
display_name	text
error_control	text
flags	text
group	text
name	text
path	text
pid	integer
start_name	text
startmode	text
state	text
svc_exitcode	text
tagid	text
type	text
waithint	text
win32_exitcode	text

startups:mstasks

Startup objects (task scheduler tasks)

Parameter name	Parameter type
args	text
category_name	text
clsid	text
command	text
enabled	text
is_job	text
name	text
path	text
state	text
type	text
workdir	text

startups:registry

Startup objects (registry)

Parameter name	Parameter type
arkstatus	text
category_name	text
clsid	text
data	text
id	text
full_key	text
key	text
path	text
sid	text
value	text

startups:wmi

Startup objects (WMI)

Parameter name	Parameter type
arkstatus	text
category_name	text
class	text
clsid	text
instance	text
name	text
namespace	text
path	text
value	text
workdir	text

sysobj:chromium_config

System objects (Chromium settings)

Parameter name	Parameter type
browser	text
category_name	text
profile	text
sid	text
url	text

sysobj:chromium_extensions

System objects (Chromium extensions)

Parameter name	Parameter type
browser	text
category_name	text
id	text
name	text
path	text
profile	text
sid	text
url	text
version	text

sysobj:detects

System objects (detected threats)

Parameter name	Parameter type
category_name	text
data	text
id	text
object	text
path	text
threat	text
type	text

sysobj:dns

System objects (DNS)

Parameter name	Parameter type
category_name	text
data	text
id	text
key	text
sid	text
value	text

sysobj:firefox_addons

System objects (Firefox addons)

Parameter name	Parameter type
browser	text
category_name	text
id	text
name	text
path	text
profile	text
sid	text
type	text
url	text
version	text

sysobj:firefox_config

System objects (Firefox settings)

Parameter name	Parameter type
browser	text
category_name	text
profile	text
sid	text
url	text

sysobj:ie

System objects

Parameter name	Parameter type
category_name	text
data	text
id	text
key	text
sid	text
value	text

sysobj:mstasks

System objects (task scheduler tasks)

Parameter name	Parameter type
category_name	text
clsid	text
command	text
enabled	text
is_job	text
name	text
path	text
state	text
type	text
workdir	text

sysobj:proxy

System objects (proxy)

Parameter name	Parameter type
category_name	text
data	text
id	text
key	text
sid	text
value	text

sysobj:registry

System objects (registry)

Parameter name	Parameter type
arkstatus	text
category_name	text
clsid	text
data	text
full_key	text
id	text
key	text
path	text
sid	text
threat	text
value	text

sysobj:shortcuts

System objects (shortcuts)

Parameter name	Parameter type
arg	text
arkstatus	text
category_name	text
data	text
mac	text
machine_id	text
malformed	text
name	text
path	text
relative	text
target	text
threat	text
workdir	text

sysobj:wmi

System objects (WMI)

Parameter name	Parameter type
arkstatus	text
category_name	text
class	text
clsid	text
data	text
instance	text
name	text
namespace	text
path	text
threat	text
value	text
workdir	text

system_reg_export

Registry

Parameter name	Parameter type
arkstatus	text
category_name	text
full_key	text
full_name	text
hive	text
lastwrite	date and time
name	text
security	text
subkeys	integer
value.arkstatus	text
value.name	text
value.size	integer
value.type	text
value.value	text
values	integer

system:accounts

System (accounts)

Parameter name	Parameter type
bad_passwd_count	integer
bad_password_count	text
category_name	text
codepage	text
country	text
created	date and time
descr	text
expires	date and time
flags	text
fullname	text
group.name	text
home	text
home_drive	text
id	text
last_logoff	text
last_logon	date and time
logon_server	text
logons_count	integer
logons_server	text
name	text
password_age	text
password_expired	text
primary_group_id	text
profile	text
script	text
type	text
workstation	text

system:antivirus

System (anti-virus)

Parameter name	Parameter type
category_name	text
company	text
enabled	boolean (true/false)
guid	text
name	text
product_exe	text
product_exe_company	text
product_exe_version	text
reporting_exe	text
reporting_exe_company	text
reporting_exe_version	text
timestamp	text
uptodate	boolean (true/false)
version	text

system:bios

System (BIOS)

Parameter name	Parameter type
category_name	text
manufacturer	text
primary	text
release_date	date and time
system_bios_major	integer
system_bios_minor	integer
version	text

system:cpu

System (CPU)

Parameter name	Parameter type
category_name	text
cores	integer
cpuid	text
descr	text
enabled_cores	text
id	text
load	text
logical_cpus	long
manufacturer	text
max_speed	integer
name	text
socket	text
speed	integer
threads	integer
vmmonitor_support	boolean (true/false)
vt_support	boolean (true/false)

system:dep

Parameter name	Parameter type
available	boolean (true/false)
category_name	text
for_32bit	boolean (true/false)
for_drivers	boolean (true/false)
policy	integer

system:dirs

System (directories)

Parameter name	Parameter type
category_name	text
name	text
path	text

system:dns

System DNS

Parameter name	Parameter type
category_name	text
name	text
server	text

system:firewall

System (firewall)

Parameter name	Parameter type
category_name	text
company	text
enabled	boolean (true/false)
guid	text
name	text
product_exe	text
product_exe_company	text
product_exe_version	text
reporting_exe	text
reporting_exe_company	text
reporting_exe_version	text
timestamp	text
version	text

system:hdd

System (HDD)

Parameter name	Parameter type
adapter.accelerated_transfer	text
adapter.address_type	text
adapter.alignment_mask	text
adapter.bus_major	text
adapter.bus_minor	text
adapter.bus_type	text
adapter.command_queueing	text
adapter.max_physical_pages	text
adapter.max_transfer_len	text
adapter.scans_down	text
adapter.srb_type	text
adapter.temperature.critical_temperature	text
adapter.temperature.item.event_generated	text
adapter.temperature.item.index	text
adapter.temperature.item.over_threshold	text
adapter.temperature.item.over_threshold_changable	text
adapter.temperature.item.reserved0	text
adapter.temperature.item.reserved1	text
adapter.temperature.item.under_threshold	text
adapter.temperature.item.under_threshold_changable	text
adapter.temperature.item.value	text
adapter.temperature.sensor.event_generated	text
adapter.temperature.sensor.index	text
adapter.temperature.sensor.over_threshold	text
adapter.temperature.sensor.over_threshold_changable	text
adapter.temperature.sensor.reserved0	text
adapter.temperature.sensor.reserved1	text
adapter.temperature.sensor.under_threshold	text
adapter.temperature.sensor.under_threshold_changable	text
adapter.temperature.sensor.value	text
adapter.temperature.warning_temperature	text
adapter.uses_pio	text
bytes_per_sector	text
category_name	text
device.bus_type	text
device.command_queueing	text
device.data	text
device.modifier	text
device.product_id	text
device.product_rev	text
device.removable	text
device.serial	text
device.temperature.critical_temperature	text
device.temperature.item.event_generated	text
device.temperature.item.index	text
device.temperature.item.over_threshold	text
device.temperature.item.over_threshold_changable	text
device.temperature.item.reserved0	text
device.temperature.item.reserved1	text
device.temperature.item.under_threshold	text
device.temperature.item.under_threshold_changable	text
device.temperature.item.value	text
device.temperature.sensor.event_generated	text
device.temperature.sensor.index	text
device.temperature.sensor.over_threshold	text
device.temperature.sensor.over_threshold_changable	text
device.temperature.sensor.reserved0	text
device.temperature.sensor.reserved1	text
device.temperature.sensor.under_threshold	text
device.temperature.sensor.under_threshold_changable	text
device.temperature.sensor.value	text
device.temperature.warning_temperature	text
device.type	text
device.vendor_id	text
deviceid	text
firmware	text
id	text
loaded	text
logical_sector_size	text
model	text
name	text
partition.block_size	long
partition.bootable	boolean (true/false)
partition.bootpart	boolean (true/false)
partition.id	text
partition.index	text
partition.primary	boolean (true/false)
partition.size	long
partition.start_offset	long
partition.type	text
partition.volume.access	text
partition.volume.compressed	boolean (true/false)
partition.volume.descr	text
partition.volume.dirty	boolean (true/false)
partition.volume.drive	text
partition.volume.drive_type	text
partition.volume.free	long
partition.volume.fs_type	text
partition.volume.media_type	text
partition.volume.name	text
partition.volume.path	text
partition.volume.serial	text
partition.volume.size	long
partition.volume.support_quotas	text
partition.volume.volume_id	text
partitions	integer
path	text
physical_sector_size	text
scsi_bus	text
scsi_logical_unit	text
scsi_port	text
scsi_target_id	text
serial	text
size	long
trim	text
type	text

system:kernel_va_shadowing

Parameter name	Parameter type
category_name	text
enabled	boolean (true/false)
flags	integer
invalid_pte_bit	text
invpcid	text
invpcid_flushing_optimization	boolean (true/false)
l1_data_cache_flush_supported	text
l1_terminal_fault_mitigation_present	text
pcid	text
pcid_flushing_optimization	boolean (true/false)
required	text
required_available	text
status	text
user_global	text
user_pages_marked_global	boolean (true/false)

system:locale

System (locale)

Parameter name	Parameter type
bias	text
category_name	text
code	text
codeset	text
country	text
daylight_bias	text
daylight_name	text
descr	text
mui	text
name	text
oslang	text

system:machine_scores

System (performance index)

Parameter name	Parameter type
category_name	text
cpu	float
direct3d	float
disk	float
graphics	float
memory	float
timetaken	text
winsat_state	text
winsprlevel	float

system:mapped_disks

System (mapped disks)

Parameter name	Parameter type
category_name	text
drive	text
free	text
fs_type	text
item.drive	text
item.free	text
item.fs_type	text
item.path	text
item.session_id	text
item.size	text
item.volume_name	text
path	text
session_id	text
size	text
volume_name	text

system:memory

System (RAM)

Parameter name	Parameter type
category_name	text
free	long
free_virtual	long
total	long
total_virtual	long

system:net_adapters

Network (interfaces)

Parameter name	Parameter type
category_name	text
default_ip_gateway	IP-address
dhcp_enabled	boolean (true/false)
dhcp_server	IP-address
dns	text
dns_server_search_order	IP-address
id	text
index	text
ip_enabled	boolean (true/false)
mac	text
name	text
subnet	IP-address

system:os

System (OS)

Parameter name	Parameter type
bit	integer
boot_device	text
boot_mode	text
build	text
category_name	text
code_integrity	text
debug	boolean (true/false)
install_date	date and time
last_bootup_time	date and time
local_time	date and time
name	text
pae	text
sku	text
sp	text
suite	text
type	text
version	text

system:persisted_routes

Parameter name	Parameter type
caption	text
category_name	text
descr	text
destination	text
item.caption	text
item.descr	text
item.destination	text
item.mask	text
item.metric1	text
item.name	text
item.next_hop	text
mask	text
metric1	text
name	text
next_hop	text

system:policies

System policies

Parameter name	Parameter type
__type__	text
category_name	text
full_key	text
key.item.name	text
key.item.size	integer
key.item.value	text
key.name	text
name	text
sid	text
type	text
value.name	text
value.size	text
value.value	text

system:recovery

Parameter name	Parameter type
auto_reboot	boolean (true/false)
category_name	text
dump_path	text
dump_type	integer
kernel_dump_only	boolean (true/false)
mini_dump_dir	text
overwrite_existing_dump	boolean (true/false)
send_admin_alert	boolean (true/false)
write_debug_info	boolean (true/false)
write_to_eventlog	boolean (true/false)

system:routes

Network (static routes)

Parameter name	Parameter type
age	text
caption	IP-address
category_name	text
descr	text
destination	IP-address
information	text
interface_index	text
mask	IP-address
metric1	text
metric2	text
metric3	text
metric4	text
metric5	text
name	IP-address
next_hop	IP-address
protocol	text
type	text

system:secure_boot

Parameter name	Parameter type
capable	boolean (true/false)
category_name	text
enabled	boolean (true/false)

system:security_providers

Parameter name	Parameter type
category_name	text
health	text
name	text

system:sessions

System (sessions)

Parameter name	Parameter type
category_name	text
client_device_id	text
client_dir	text
client_ip	text
client_name	text
connect_time	date and time
disconnect_time	date and time
domain	text
envid	text
id	text
is_rdp	text
last_input_time	date and time
logon_time	date and time
name	text
remote_ip	text
state	text
station_name	text
user	text

system:shares

System (shared directories)

Parameter name	Parameter type
caption	text
category_name	text
descr	text
name	text
path	text
type	integer

system:smart

S.M.A.R.T. attributes

Parameter name	Parameter type
attribute.index	integer
attribute.name	text
attribute.raw	integer
attribute.threshold	integer
attribute.value	integer
attribute.worst	integer
category_name	text
firmware	text
id	text
model	text
serial_number	text

system:speculation_control

Parameter name	Parameter type
bpb_disabled_kernel_to_user	text
bpb_disabled_no_hardware_support	text
bpb_disabled_system_policy	text
bpb_enabled	text
branch_prediction_mitigation.disabled_by_system_policy	boolean (true/false)
branch_prediction_mitigation.disabled_no_microcode_update	boolean (true/false)
branch_prediction_mitigation.enabled	boolean (true/false)
category_name	text
cpu_microcode_support_pred_cmd.enabled	boolean (true/false)
cpu_microcode_support_pred_cmd.window_use_ibpb	boolean (true/false)
cpu_microcode_support_spec_ctrl.enabled	boolean (true/false)
cpu_microcode_support_spec_ctrl.windows_use_ibrs	boolean (true/false)
cpu_microcode_support_spec_ctrl.windows_use_stipb	boolean (true/false)
enhanced_ibrs	text
enhanced_ibrs_reported	text
flags	long
hv_l1tf_migitation_enabled	text
hv_l1tf_migitation_not_enabled_hardware	text
hv_l1tf_migitation_not_enabled_load_option	text
hv_l1tf_processor_not_affected	text
hv_l1tf_status_available	text
hvl_1tf_migitation_not_enabled_core_scheduler	text
ibrs_present	text
mb_clear_enabled	text
mb_clear_reported	text
mds_hardware_protected	text
smep_present	text
spec_cmd_enumerated	text
spec_ctrl_enumerated	text
spec_ctrl_import_optimization_enabled	text
spec_ctrl_retpoline_enabled	text
speculative_store_bypas_sdisable_supported	text
speculative_store_bypass_disable_available	text
speculative_store_bypass_disable_required	text
speculative_store_bypass_disable_supported	text
speculative_store_bypass_disabled_kernel	text
speculative_store_bypass_disabled_system_wide	text
status	text
stibp_present	text

system:user_privelegies

User privileges in the system

Parameter name	Parameter type
category_name	text
enabled	boolean (true/false)
name	text

system:users

System (users)

Parameter name	Parameter type
category_name	text
folder.name	text
folder.path	text
home	text
name	text
network_drive.connect_flags	text
network_drive.connection_type	text
network_drive.defer_flags	text
network_drive.letter	text
network_drive.provider_name	text
network_drive.provider_type	text
network_drive.remote_path	text
network_drive.username	text
sid	text
type	integer

winstore_apps

Applications from Microsoft App Store

Parameter name	Parameter type
arch	text
category_name	text
id	text
name	text
vendor.C	text
vendor.CN	text
vendor.L	text
vendor.O	text
vendor.OID.1.3.6.1.4.1.311.60.2.1.2	text
vendor.OID.1.3.6.1.4.1.311.60.2.1.3	text
vendor.OID.2.5.4.15	text
vendor.OU	text
vendor.S	text
vendor.SERIALNUMBER	text
version	text