•artefacts_fs
•defender:computer_status
•defender:preference
•defender:threat
•defender:threat_detection
•disk_bootsect
•drivers
•drweb:bases
•drweb:components
•drweb:info
•drweb:launched_modules
•drweb:licenses
•drweb:products
•events
•files
•fixes
•hosts
•installed_apps
•modules
•msi_apps
•net_connections
•net_providers:namespaces
•net_providers:protocols
•processes
•services
•startups:mstasks
•startups:registry
•startups:wmi
•sysobj:chromium_config
•sysobj:chromium_extensions
•sysobj:detects
•sysobj:firefox_addons
•sysobj:firefox_config
•sysobj:ie
•sysobj:mstasks
•sysobj:proxy
•sysobj:registry
•sysobj:shortcuts
•sysobj:wmi
•system:accounts
•system:antivirus
•system:bios
•system:cpu
•system:dep
•system:dirs
•system:dns
•system:firewall
•system:hdd
•system:kernel_va_shadowing
•system:locale
•system:machine_scores
•system:mapped_disks
•system:memory
•system:net_adapters
•system:os
•system:persisted_routes
•system:policies
•system:routes
•system:secure_boot
•system:security_providers
•system:sessions
•system:shares
•system:smart
•system:speculation_control
•system:user_privelegies
•system:users
•system_reg_export
•winstore_apps
artefacts_fs
Файловые артефакты
Поле
|
Тип данных
|
analysis_results.metawave.datetime
|
date
|
analysis_results.metawave.result
|
text
|
analysis_results.metawave.status
|
text
|
category_name
|
text
|
hash.sha1
|
text
|
modify_datetime
|
date
|
path
|
text
|
sha1
|
text
|
size
|
long
|
defender:computer_status
Состояние компьютера по данным Microsoft Defender
Поле
|
Тип данных
|
am_engine_version
|
keyword
|
am_product_version
|
keyword
|
am_service_enabled
|
boolean
|
am_service_version
|
keyword
|
antispyware_enabled
|
boolean
|
antispyware_signature_age
|
long
|
antispyware_signature_last_updated
|
date
|
antispyware_signature_version
|
keyword
|
antivirus_enabled
|
boolean
|
antivirus_signature_age
|
long
|
antivirus_signature_last_updated
|
date
|
antivirus_signature_version
|
keyword
|
behavior_monitor_enabled
|
boolean
|
category_name
|
text
|
computer_id
|
text
|
computer_state
|
long
|
full_scan_age
|
long
|
full_scan_end_time
|
text
|
full_scan_start_time
|
text
|
ioav_protection_enabled
|
boolean
|
last_full_scan_source
|
long
|
last_quick_scan_source
|
long
|
nis_enabled
|
boolean
|
nis_engine_version
|
keyword
|
nis_signature_age
|
long
|
nis_signature_last_updated
|
date
|
on_access_protection_enabled
|
boolean
|
quick_scan_age
|
long
|
quick_scan_end_time
|
date
|
quick_scan_start_time
|
date
|
real_time_protection_enabled
|
boolean
|
real_time_scan_direction
|
long
|
defender:preference
Настройки Microsoft Defender
Поле
|
Тип данных
|
category_name
|
text
|
check_for_signatures_before_running_scan
|
boolean
|
computer_id
|
text
|
disable_archive_scanning
|
boolean
|
disable_auto_exclusions
|
boolean
|
disable_behavior_monitoring
|
boolean
|
disable_catchup_full_scan
|
boolean
|
disable_catchup_quick_scan
|
boolean
|
disable_email_scanning
|
boolean
|
disable_intrusion_prevention_system
|
text
|
disable_ioav_protection
|
boolean
|
disable_privacy_mode
|
boolean
|
disable_realtime_monitoring
|
boolean
|
disable_removable_drive_scanning
|
boolean
|
disable_restore_point
|
boolean
|
disable_scanning_mapped_network_drives_for_full_scan
|
boolean
|
disable_scanning_network_files
|
boolean
|
disable_script_scanning
|
boolean
|
exclusion_path
|
text
|
high_threat_default_action
|
long
|
low_threat_default_action
|
long
|
maps_reporting
|
long
|
moderate_threat_default_action
|
long
|
quarantine_purge_items_after_delay
|
long
|
randomize_schedule_task_times
|
boolean
|
real_time_scan_direction
|
long
|
remediation_schedule_day
|
long
|
reporting_additional_action_time_out
|
long
|
reporting_critical_failure_time_out
|
long
|
reporting_non_critical_time_out
|
long
|
scan_only_if_idle_enabled
|
boolean
|
scan_parameters
|
long
|
scan_purge_items_after_delay
|
long
|
scan_schedule_day
|
long
|
scan_schedule_quick_scan_time
|
date
|
scan_schedule_time
|
date
|
severe_threat_default_action
|
long
|
signature_au_grace_period
|
long
|
signature_definition_update_file_shares_sources
|
text
|
signature_disable_update_on_startup_without_engine
|
boolean
|
signature_fallback_order
|
text
|
signature_first_au_grace_period
|
long
|
signature_schedule_day
|
long
|
signature_schedule_time
|
date
|
signature_update_catchup_interval
|
long
|
signature_update_interval
|
long
|
submit_samples_consent
|
long
|
ui_lockdown
|
boolean
|
unknown_threat_default_action
|
long
|
defender:threat
Угрозы, выявленные Microsoft Defender
Поле
|
Тип данных
|
category_id
|
long
|
category_name
|
text
|
did_threat_execute
|
boolean
|
is_active
|
boolean
|
resources
|
text
|
rollup_status
|
long
|
schema_version
|
keyword
|
severity_id
|
long
|
threat_id
|
long
|
threat_name
|
text
|
type_id
|
long
|
defender:threat_detection
Детектирование угроз средствами Microsoft Defender
Поле
|
Тип данных
|
action_success
|
boolean
|
additional_actions_bit_mask
|
long
|
am_product_version
|
keyword
|
category_name
|
text
|
cleaning_action_id
|
long
|
current_threat_execution_status_id
|
long
|
detection_id
|
text
|
detection_source_type_id
|
long
|
domain_user
|
text
|
initial_detection_time
|
date
|
last_threat_status_change_time
|
date
|
process_name
|
text
|
remediation_time
|
text
|
resources
|
text
|
threat_id
|
long
|
threat_status_error_code
|
long
|
threat_status_id
|
long
|
disk_bootsect
Загрузочные сектора дисков
Поле
|
Тип данных
|
block.end_lba
|
text
|
block.start_lba
|
text
|
bytes_per_sector
|
integer
|
category_name
|
text
|
cylinders
|
integer
|
gpt.header.backup_lba
|
text
|
gpt.header.disk_guid
|
text
|
gpt.header.first_usable_lba
|
text
|
gpt.header.header_crc
|
text
|
gpt.header.header_size
|
text
|
gpt.header.last_usable_lba
|
text
|
gpt.header.num_parts
|
text
|
gpt.header.part_entries_crc
|
text
|
gpt.header.part_entry_lba
|
text
|
gpt.header.primary_lba
|
text
|
gpt.header.reserved
|
text
|
gpt.header.revision
|
text
|
gpt.header.signature
|
text
|
gpt.header.sizeof_part_entry
|
text
|
gpt.partition.arkstatus
|
text
|
gpt.partition.attrib
|
text
|
gpt.partition.end_lba
|
text
|
gpt.partition.guid
|
text
|
gpt.partition.index
|
text
|
gpt.partition.name
|
text
|
gpt.partition.start_lba
|
text
|
gpt.partition.type
|
text
|
id
|
integer
|
mbr.arkstatus
|
text
|
mbr.disk_signature
|
long
|
mbr.disk_signature
|
text
|
mbr.partition.arkstatus
|
text
|
mbr.partition.boot_id
|
integer
|
mbr.partition.boot_id
|
text
|
mbr.partition.index
|
integer
|
mbr.partition.index
|
text
|
mbr.partition.size_in_sectors
|
long
|
mbr.partition.size_in_sectors
|
text
|
mbr.partition.start_lba
|
long
|
mbr.partition.start_lba
|
text
|
mbr.partition.type
|
text
|
mbr.signature
|
integer
|
mbr.zero_padding
|
integer
|
media_type
|
integer
|
part_style
|
text
|
sectors_per_track
|
integer
|
size
|
long
|
tracks_per_cylinder
|
integer
|
drivers
Драйверы
Поле
|
Тип данных
|
base
|
text
|
category_name
|
text
|
path
|
text
|
size
|
long
|
drweb:bases
Антивирусные базы Dr.Web
Поле
|
Тип данных
|
category_name
|
text
|
name
|
text
|
path
|
text
|
records
|
long
|
timestamp
|
date
|
type
|
integer
|
version
|
text
|
drweb:components
Компоненты Dr.Web
Поле
|
Тип данных
|
category_name
|
text
|
installation_datetime
|
date
|
name
|
text
|
drweb:info
Информация о продукте Dr.Web
Поле
|
Тип данных
|
bases_path
|
text
|
category_name
|
text
|
hash
|
text
|
hash_sha1
|
text
|
install_path
|
text
|
product_mode
|
text
|
product_type
|
text
|
product_version
|
text
|
repo_path
|
text
|
drweb:launched_modules
Запущенные модули Dr.Web
Поле
|
Тип данных
|
launched
|
boolean
|
drweb:licenses
Лицензии Dr.Web
Поле
|
Тип данных
|
category_name
|
text
|
key.applications
|
text
|
key.created
|
date
|
key.expires
|
date
|
key.product_spec
|
text
|
key.product_type
|
text
|
key.products
|
text
|
key.subscription_expires
|
date
|
path
|
text
|
settings.app_control
|
text
|
settings.AppControl
|
text
|
settings.file_server
|
text
|
settings.FileServer
|
text
|
settings.inet_gateway
|
text
|
settings.InetGateway
|
text
|
settings.lotus_spam_filter
|
text
|
settings.LotusSpamFilter
|
text
|
settings.mail_server
|
text
|
settings.MailServer
|
text
|
settings.spam_filter
|
text
|
settings.SpamFilter
|
text
|
settings.Users
|
text
|
settings.users
|
text
|
user.computers
|
integer
|
user.name
|
text
|
user.number
|
text
|
drweb:products
Продукты Dr.Web
Поле
|
Тип данных
|
category_name
|
text
|
installation_datetime
|
date
|
name
|
text
|
engine_detects
Угрозы, выявленные по базе сигнатур
Поле
|
Тип данных
|
category_name
|
text
|
path
|
text
|
threat
|
text
|
type
|
text
|
events
События
Поле
|
Тип данных
|
category
|
text
|
category_name
|
text
|
code
|
text
|
computer
|
text
|
content
|
text
|
id
|
text
|
index
|
text
|
instance_id
|
text
|
keywords
|
text
|
logfile
|
text
|
msg
|
text
|
opcode
|
text
|
pid
|
text
|
source
|
text
|
task
|
text
|
tid
|
text
|
time
|
date
|
type
|
text
|
user
|
text
|
files
Файлы
Поле
|
Тип данных
|
analysis_results.metawave.datetime
|
date
|
analysis_results.metawave.result
|
text
|
analysis_results.metawave.status
|
text
|
arkstatus.cert
|
text
|
arkstatus.cloud
|
text
|
arkstatus.confidence
|
text
|
arkstatus.file
|
text
|
arkstatus.soft_type
|
text
|
arkstatus.soft_white
|
text
|
arkstatus.threat
|
text
|
arkstatus.type
|
text
|
atime
|
date
|
attrib.archive
|
boolean
|
attrib.compressed
|
text
|
attrib.dir
|
boolean
|
attrib.ea
|
text
|
attrib.hidden
|
boolean
|
attrib.invalid
|
boolean
|
attrib.normal
|
boolean
|
attrib.not_content_indexed
|
boolean
|
attrib.readonly
|
boolean
|
attrib.recall_on_open
|
text
|
attrib.reparse_point
|
text
|
attrib.security
|
text
|
attrib.sparse
|
text
|
attrib.system
|
boolean
|
attrib.temporary
|
boolean
|
attrib.value
|
text
|
buildtime
|
date
|
category_name
|
text
|
certinfo.catfile
|
text
|
certinfo.creator_name
|
text
|
certinfo.creator_url
|
text
|
certinfo.item.alg
|
text
|
certinfo.item.ca
|
text
|
certinfo.item.eku
|
text
|
certinfo.item.flags
|
text
|
certinfo.item.from
|
date
|
certinfo.item.hash_alg
|
text
|
certinfo.item.hash_alg_type
|
text
|
certinfo.item.issuer.C
|
text
|
certinfo.item.issuer.CN
|
text
|
certinfo.item.issuer.DC
|
text
|
certinfo.item.issuer.L
|
text
|
certinfo.item.issuer.O
|
text
|
certinfo.item.issuer.OU
|
text
|
certinfo.item.issuer.ST
|
text
|
certinfo.item.sn
|
text
|
certinfo.item.subject.C
|
text
|
certinfo.item.subject.CN
|
text
|
certinfo.item.subject.DC
|
text
|
certinfo.item.subject.L
|
text
|
certinfo.item.subject.O
|
text
|
certinfo.item.subject.OU
|
text
|
certinfo.item.subject.SERIALNUMBER
|
text
|
certinfo.item.subject.ST
|
text
|
certinfo.item.thumbprint
|
text
|
certinfo.item.thumbprint_sha256
|
text
|
certinfo.item.to
|
date
|
certinfo.timestamp
|
date
|
certinfo.type
|
text
|
ctime
|
date
|
device_characteristics
|
text
|
device_type
|
text
|
eainfo.item.data
|
text
|
eainfo.item.name
|
text
|
eainfo.item.size
|
text
|
easize
|
integer
|
hash.pemd5
|
text
|
hash.pesha1
|
text
|
hash.pesha256
|
text
|
hash.pesha512
|
text
|
hash.sha1
|
text
|
hash.sha256
|
text
|
links
|
integer
|
path
|
text
|
signed
|
boolean
|
size
|
long
|
verinfo.company
|
text
|
verinfo.descr
|
text
|
verinfo.file_version_num
|
text
|
verinfo.origname
|
text
|
verinfo.product_name
|
text
|
verinfo.product_version
|
text
|
verinfo.product_version_num
|
text
|
verinfo.version
|
text
|
wtime
|
date
|
zone_transfer.host_url
|
text
|
zone_transfer.id
|
text
|
zone_transfer.referrer_url
|
text
|
zone_transfer.package_name
|
text
|
fixes
Исправления
Поле
|
Тип данных
|
__type__
|
text
|
caption
|
text
|
category.id
|
text
|
category.name
|
text
|
category_name
|
text
|
comment
|
text
|
csname
|
text
|
descr
|
text
|
hidden
|
text
|
id
|
text
|
installed_by
|
text
|
installed_on
|
date
|
need_reboot
|
text
|
hosts
Хосты
Поле
|
Тип данных
|
category_name
|
text
|
ip.address
|
ip
|
ip.category
|
text
|
ip.domain.address
|
text
|
ip.domain.category
|
text
|
line
|
integer
|
path
|
text
|
text
|
text
|
installed_apps
Установленные приложения
Поле
|
Тип данных
|
category_name
|
text
|
hidden
|
text
|
id
|
text
|
location
|
text
|
name
|
text
|
uninstall
|
text
|
modules
Модули
Поле
|
Тип данных
|
category_name
|
text
|
path
|
text
|
msi_apps
Приложения MSI
Поле
|
Тип данных
|
category_name
|
text
|
id
|
text
|
language
|
integer
|
msi_package_code
|
text
|
msi_product_code
|
text
|
name
|
text
|
vendor
|
text
|
version
|
text
|
net_connections
Сетевые подключения
Поле
|
Тип данных
|
__type__
|
text
|
category_name
|
text
|
local_addr
|
ip
|
local_port
|
integer
|
local_scopeid
|
text
|
path
|
text
|
pid
|
integer
|
remote_addr
|
ip
|
remote_port
|
integer
|
remote_scopeid
|
text
|
state
|
text
|
net_providers:namespaces
Провайдеры сети (пространства имен)
Поле
|
Тип данных
|
active
|
boolean
|
broken
|
boolean
|
category_name
|
text
|
guid
|
text
|
name
|
text
|
namespace
|
text
|
path
|
text
|
version
|
text
|
wow64
|
boolean
|
net_providers:protocols
Провайдеры сети (протоколы)
Поле
|
Тип данных
|
broken
|
boolean
|
category_name
|
text
|
entryid
|
text
|
flags
|
text
|
guid
|
text
|
name
|
text
|
path
|
text
|
protocol
|
text
|
scheme
|
text
|
version
|
text
|
wow64
|
boolean
|
processes
Процессы
Поле
|
Тип данных
|
appid
|
text
|
base
|
text
|
bit
|
integer
|
category_name
|
text
|
cmdline
|
text
|
create_time
|
date
|
curdir
|
text
|
handles
|
integer
|
ilevel
|
text
|
isdebugged
|
boolean
|
kernel_time
|
text
|
memory_usage.other_op
|
long
|
memory_usage.pagefaults
|
long
|
memory_usage.pagefile_usage
|
long
|
memory_usage.peak_pagefile_usage
|
long
|
memory_usage.peak_virtual_size
|
long
|
memory_usage.peak_workingset
|
long
|
memory_usage.quota_non_pagedpool
|
long
|
memory_usage.quota_pagedpool
|
long
|
memory_usage.quota_peak_non_pagedpool
|
long
|
memory_usage.quota_peak_pagedpool
|
long
|
memory_usage.read_op
|
long
|
memory_usage.virtual_size
|
long
|
memory_usage.workingset
|
long
|
memory_usage.write_op
|
long
|
mitigations.aslr_policy.disallow_stripped_images
|
text
|
mitigations.aslr_policy.enable_bottom_up_randomization
|
text
|
mitigations.aslr_policy.enable_force_relocate_images
|
text
|
mitigations.aslr_policy.enable_high_entropy
|
text
|
mitigations.cfg_policy.enable_cfg
|
text
|
mitigations.cfg_policy.enable_export_suppression
|
text
|
mitigations.cfg_policy.strict_mode
|
text
|
mitigations.child_process_policy.allow_secure_process_creation
|
text
|
mitigations.child_process_policy.audit_no_child_process_creation
|
text
|
mitigations.child_process_policy.no_child_process_creation
|
text
|
mitigations.dynamic_code_policy.allow_remote_downgrade
|
text
|
mitigations.dynamic_code_policy.allow_thread_opt_out
|
text
|
mitigations.dynamic_code_policy.audit_prohibit_dynamic_code
|
text
|
mitigations.dynamic_code_policy.prohibit_dynamic_code
|
text
|
mitigations.extension_point_disable_policy.disable_extension_points
|
text
|
mitigations.font_disable_policy.audit_non_system_font_loading
|
text
|
mitigations.font_disable_policy.disable_non_system_fonts
|
text
|
mitigations.image_load_policy.audit_no_low_mandatory_label_images
|
text
|
mitigations.image_load_policy.audit_no_remote_images
|
text
|
mitigations.image_load_policy.no_low_mandatory_label_images
|
text
|
mitigations.image_load_policy.no_remote_images
|
text
|
mitigations.image_load_policy.prefer_system32_images
|
text
|
mitigations.payload_restriction_policy.audit_export_address_filter
|
text
|
mitigations.payload_restriction_policy.audit_export_address_filter_plus
|
text
|
mitigations.payload_restriction_policy.audit_import_address_filter
|
text
|
mitigations.payload_restriction_policy.audit_rop_caller_check
|
text
|
mitigations.payload_restriction_policy.audit_rop_sim_exec
|
text
|
mitigations.payload_restriction_policy.audit_rop_stack_pivot
|
text
|
mitigations.payload_restriction_policy.enable_export_address_filter
|
text
|
mitigations.payload_restriction_policy.enable_export_address_filter_plus
|
text
|
mitigations.payload_restriction_policy.enable_import_address_filter
|
text
|
mitigations.payload_restriction_policy.enable_rop_caller_check
|
text
|
mitigations.payload_restriction_policy.enable_rop_sim_exec
|
text
|
mitigations.payload_restriction_policy.enable_rop_stack_pivot
|
text
|
mitigations.redirection_trust_policy.audit_redirectiont_rust
|
text
|
mitigations.redirection_trust_policy.enforce_redirection_trust
|
text
|
mitigations.side_channel_isolation_policy.disable_page_combine
|
text
|
mitigations.side_channel_isolation_policy.isolate_security_domain
|
text
|
mitigations.side_channel_isolation_policy.smt_branch_target_isolation
|
text
|
mitigations.side_channel_isolation_policy.speculative_store_bypass_disable
|
text
|
mitigations.signature_policy.audit_microsoft_signed_only
|
text
|
mitigations.signature_policy.audit_store_signed_only
|
text
|
mitigations.signature_policy.microsoft_signed_only
|
text
|
mitigations.signature_policy.mitigation_opt_in
|
text
|
mitigations.signature_policy.store_signed_only
|
text
|
mitigations.strict_handle_check_policy.handle_exceptions_permanently_enabled
|
text
|
mitigations.strict_handle_check_policy.raise_exception_on_invalid_handle_reference
|
text
|
mitigations.syscall_disable_policy.audit_disallow_win32k_syscalls
|
text
|
mitigations.syscall_disable_policy.disallow_win32k_syscalls
|
text
|
mitigations.systemcall_filter_policy.filter_id
|
text
|
mitigations.user_shadow_stack_policy.audit
|
text
|
mitigations.user_shadow_stack_policy.audit_block_non_cet_binaries
|
text
|
mitigations.user_shadow_stack_policy.audit_set_context_ip_validation
|
text
|
mitigations.user_shadow_stack_policy.block_non_cet_binaries
|
text
|
mitigations.user_shadow_stack_policy.block_non_cet_binaries_non_ehcont
|
text
|
mitigations.user_shadow_stack_policy.cet_dynamic_apis_out_of_proc_only
|
text
|
mitigations.user_shadow_stack_policy.enable
|
text
|
mitigations.user_shadow_stack_policy.enable_strict_mode
|
text
|
mitigations.user_shadow_stack_policy.set_context_ip_validation
|
text
|
mitigations.user_shadow_stack_policy.set_context_ip_validation_relaxed_mode
|
text
|
module.arkstatus
|
text
|
module.base
|
text
|
module.buildtime
|
date
|
module.path
|
text
|
module.size
|
long
|
path
|
text
|
peb
|
text
|
pid
|
integer
|
ppid
|
integer
|
priority
|
integer
|
protection_level
|
text
|
section_info.checksum
|
text
|
section_info.committed_stack_size
|
long
|
section_info.dll_characteristics
|
text
|
section_info.image_characteristics
|
text
|
section_info.image_contains_code
|
boolean
|
section_info.image_file_size
|
long
|
section_info.image_flags
|
text
|
section_info.loader_flags
|
text
|
section_info.machine
|
text
|
section_info.max_stack_size
|
long
|
section_info.os_major_ver
|
text
|
section_info.os_minor_ver
|
text
|
section_info.subsystem
|
text
|
section_info.subsystem_major_ver
|
text
|
section_info.subsystem_minor_ver
|
text
|
section_info.transfer_address
|
text
|
section_info.zero_bits
|
text
|
session_id
|
text
|
shell_info
|
text
|
shortcut
|
text
|
size
|
long
|
threads.count
|
text
|
threads.thread.base_priority
|
text
|
threads.thread.create_time
|
text
|
threads.thread.kernel_time
|
text
|
threads.thread.path
|
text
|
threads.thread.priority
|
text
|
threads.thread.start_address
|
text
|
threads.thread.state
|
text
|
threads.thread.tid
|
text
|
threads.thread.user_time
|
text
|
threads.thread.win32_start_address
|
text
|
title
|
text
|
type
|
text
|
unique_id
|
text
|
user_time
|
text
|
window_flags
|
text
|
services
Службы
Поле
|
Тип данных
|
category_name
|
text
|
checkpoint
|
text
|
cmdline
|
text
|
controls_accepted
|
text
|
depends
|
text
|
display_name
|
text
|
error_control
|
text
|
flags
|
text
|
group
|
text
|
name
|
text
|
path
|
text
|
pid
|
integer
|
start_name
|
text
|
startmode
|
text
|
state
|
text
|
svc_exitcode
|
text
|
tagid
|
text
|
type
|
text
|
waithint
|
text
|
win32_exitcode
|
text
|
startups:mstasks
Элементы автозагрузки (задачи планировщика заданий)
Поле
|
Тип данных
|
args
|
text
|
category_name
|
text
|
clsid
|
text
|
command
|
text
|
enabled
|
text
|
is_job
|
text
|
name
|
text
|
path
|
text
|
state
|
text
|
type
|
text
|
workdir
|
text
|
startups:registry
Элементы автозагрузки (реестр)
Поле
|
Тип данных
|
arkstatus
|
text
|
category_name
|
text
|
clsid
|
text
|
data
|
text
|
id
|
text
|
full_key
|
text
|
key
|
text
|
path
|
text
|
sid
|
text
|
value
|
text
|
startups:wmi
Элементы автозагрузки (WMI)
Поле
|
Тип данных
|
arkstatus
|
text
|
category_name
|
text
|
class
|
text
|
clsid
|
text
|
instance
|
text
|
name
|
text
|
namespace
|
text
|
path
|
text
|
value
|
text
|
workdir
|
text
|
sysobj:chromium_config
Системные объекты (настройки Chromium)
Поле
|
Тип данных
|
browser
|
text
|
category_name
|
text
|
profile
|
text
|
sid
|
text
|
url
|
text
|
sysobj:chromium_extensions
Системные объекты (расширения Chromium)
Поле
|
Тип данных
|
browser
|
text
|
category_name
|
text
|
id
|
text
|
name
|
text
|
path
|
text
|
profile
|
text
|
sid
|
text
|
url
|
text
|
version
|
text
|
sysobj:detects
Системные объекты (выявленные угрозы)
Поле
|
Тип данных
|
category_name
|
text
|
data
|
text
|
id
|
text
|
object
|
text
|
path
|
text
|
threat
|
text
|
type
|
text
|
sysobj:firefox_addons
Системные объекты (дополнения Firefox)
Поле
|
Тип данных
|
browser
|
text
|
category_name
|
text
|
id
|
text
|
name
|
text
|
path
|
text
|
profile
|
text
|
sid
|
text
|
type
|
text
|
url
|
text
|
version
|
text
|
sysobj:firefox_config
Системные объекты (настройки Firefox)
Поле
|
Тип данных
|
browser
|
text
|
category_name
|
text
|
profile
|
text
|
sid
|
text
|
url
|
text
|
sysobj:ie
Системные объекты (Internet Explorer)
Поле
|
Тип данных
|
category_name
|
text
|
data
|
text
|
id
|
text
|
key
|
text
|
sid
|
text
|
value
|
text
|
sysobj:mstasks
Системные объекты (задачи планировщика заданий)
Поле
|
Тип данных
|
category_name
|
text
|
clsid
|
text
|
command
|
text
|
enabled
|
text
|
is_job
|
text
|
name
|
text
|
path
|
text
|
state
|
text
|
type
|
text
|
workdir
|
text
|
sysobj:proxy
Системные объекты (прокси)
Поле
|
Тип данных
|
category_name
|
text
|
data
|
text
|
id
|
text
|
key
|
text
|
sid
|
text
|
value
|
text
|
sysobj:registry
Системные объекты (реестр)
Поле
|
Тип данных
|
arkstatus
|
text
|
category_name
|
text
|
clsid
|
text
|
data
|
text
|
full_key
|
text
|
id
|
text
|
key
|
text
|
path
|
text
|
sid
|
text
|
threat
|
text
|
value
|
text
|
sysobj:shortcuts
Системные объекты (ярлыки)
Поле
|
Тип данных
|
arg
|
text
|
arkstatus
|
text
|
category_name
|
text
|
data
|
text
|
mac
|
text
|
machine_id
|
text
|
name
|
text
|
path
|
text
|
relative
|
text
|
target
|
text
|
threat
|
text
|
workdir
|
text
|
sysobj:wmi
Системные объекты (WMI)
Поле
|
Тип данных
|
arkstatus
|
text
|
category_name
|
text
|
class
|
text
|
clsid
|
text
|
data
|
text
|
instance
|
text
|
name
|
text
|
namespace
|
text
|
path
|
text
|
threat
|
text
|
value
|
text
|
workdir
|
text
|
system_reg_export
Реестр
Поле
|
Тип данных
|
arkstatus
|
text
|
category_name
|
text
|
hive
|
text
|
lastwrite
|
date
|
name
|
text
|
security
|
text
|
subkeys
|
integer
|
value.arkstatus
|
text
|
value.name
|
text
|
value.size
|
integer
|
value.type
|
text
|
value.value
|
text
|
values
|
integer
|
system:accounts
Данные о системе (учетные записи)
Поле
|
Тип данных
|
bad_passwd_count
|
integer
|
category_name
|
text
|
codepage
|
text
|
country
|
text
|
descr
|
text
|
expires
|
date
|
flags
|
text
|
fullname
|
text
|
group.name
|
text
|
home
|
text
|
home_drive
|
text
|
last_logoff
|
text
|
last_logon
|
date
|
logons_count
|
integer
|
logons_server
|
text
|
name
|
text
|
password_age
|
text
|
profile
|
text
|
script
|
text
|
type
|
text
|
workstation
|
text
|
system:antivirus
Данные о системе (антивирус)
Поле
|
Тип данных
|
category_name
|
text
|
company
|
text
|
enabled
|
boolean
|
guid
|
text
|
name
|
text
|
product_exe
|
text
|
product_exe_company
|
text
|
product_exe_version
|
text
|
reporting_exe
|
text
|
reporting_exe_company
|
text
|
reporting_exe_version
|
text
|
timestamp
|
text
|
uptodate
|
boolean
|
version
|
text
|
system:bios
Данные о системе (BIOS)
Поле
|
Тип данных
|
category_name
|
text
|
manufacturer
|
text
|
primary
|
text
|
release_date
|
date
|
system_bios_major
|
integer
|
system_bios_minor
|
integer
|
version
|
text
|
system:cpu
Данные о системе (ЦП)
Поле
|
Тип данных
|
category_name
|
text
|
cores
|
integer
|
cpuid
|
text
|
descr
|
text
|
enabled_cores
|
text
|
id
|
text
|
load
|
text
|
logical_cpus
|
long
|
manufacturer
|
text
|
max_speed
|
integer
|
name
|
text
|
socket
|
text
|
speed
|
integer
|
threads
|
integer
|
vmmonitor_support
|
boolean
|
vt_support
|
boolean
|
system:dep
Поле
|
Тип данных
|
available
|
boolean
|
category_name
|
text
|
for_32bit
|
boolean
|
for_drivers
|
boolean
|
policy
|
integer
|
system:dirs
Данные о системе (каталоги)
Поле
|
Тип данных
|
category_name
|
text
|
name
|
text
|
path
|
text
|
system:dns
Данные о системе (DNS)
Поле
|
Тип данных
|
category_name
|
text
|
name
|
text
|
server
|
text
|
system:firewall
Данные о системе (брандмауэр)
Поле
|
Тип данных
|
category_name
|
text
|
company
|
text
|
enabled
|
boolean
|
guid
|
text
|
name
|
text
|
product_exe
|
text
|
product_exe_company
|
text
|
product_exe_version
|
text
|
reporting_exe
|
text
|
reporting_exe_company
|
text
|
reporting_exe_version
|
text
|
timestamp
|
text
|
version
|
text
|
system:hdd
Данные о системе (жесткий диск)
Поле
|
Тип данных
|
category_name
|
text
|
deviceid
|
text
|
firmware
|
text
|
model
|
text
|
name
|
text
|
partition.block_size
|
long
|
partition.bootable
|
boolean
|
partition.bootpart
|
boolean
|
partition.id
|
text
|
partition.index
|
text
|
partition.primary
|
boolean
|
partition.size
|
long
|
partition.start_offset
|
long
|
partition.type
|
text
|
partition.volume.compressed
|
boolean
|
partition.volume.descr
|
text
|
partition.volume.dirty
|
boolean
|
partition.volume.drive
|
text
|
partition.volume.drive_type
|
text
|
partition.volume.free
|
long
|
partition.volume.fs_type
|
text
|
partition.volume.media_type
|
text
|
partition.volume.name
|
text
|
partition.volume.serial
|
text
|
partition.volume.size
|
long
|
partitions
|
integer
|
serial
|
text
|
size
|
long
|
type
|
text
|
system:kernel_va_shadowing
Поле
|
Тип данных
|
category_name
|
text
|
enabled
|
boolean
|
flags
|
integer
|
invalid_pte_bit
|
text
|
invpcid
|
text
|
invpcid_flushing_optimization
|
boolean
|
l1_data_cache_flush_supported
|
text
|
l1_terminal_fault_mitigation_present
|
text
|
pcid
|
text
|
pcid_flushing_optimization
|
boolean
|
required
|
text
|
required_available
|
text
|
status
|
text
|
user_global
|
text
|
user_pages_marked_global
|
boolean
|
system:locale
Данные о системе (локаль)
Поле
|
Тип данных
|
category_name
|
text
|
code
|
text
|
codeset
|
text
|
country
|
text
|
descr
|
text
|
name
|
text
|
oslang
|
text
|
system:machine_scores
Данные о системе (индекс производительности)
Поле
|
Тип данных
|
category_name
|
text
|
cpu
|
float
|
direct3d
|
float
|
disk
|
float
|
graphics
|
float
|
memory
|
float
|
timetaken
|
text
|
winsat_state
|
text
|
winsprlevel
|
float
|
system:mapped_disks
Данные о системе (сопоставленные диски)
Поле
|
Тип данных
|
category_name
|
text
|
drive
|
text
|
free
|
text
|
fs_type
|
text
|
item.drive
|
text
|
item.free
|
text
|
item.fs_type
|
text
|
item.path
|
text
|
item.session_id
|
text
|
item.size
|
text
|
item.volume_name
|
text
|
path
|
text
|
session_id
|
text
|
size
|
text
|
volume_name
|
text
|
system:memory
Данные о системе (оперативная память)
Поле
|
Тип данных
|
category_name
|
text
|
free
|
long
|
free_virtual
|
long
|
total
|
long
|
total_virtual
|
long
|
system:net_adapters
Сеть (интерфейсы)
Поле
|
Тип данных
|
category_name
|
text
|
default_ip_gateway
|
ip
|
dhcp_enabled
|
boolean
|
dhcp_server
|
ip
|
dns
|
text
|
dns_server_search_order
|
ip
|
id
|
text
|
index
|
text
|
ip_enabled
|
boolean
|
mac
|
text
|
name
|
text
|
subnet
|
ip
|
system:os
Данные о системе (ОС)
Поле
|
Тип данных
|
bit
|
integer
|
boot_device
|
text
|
boot_mode
|
text
|
build
|
text
|
category_name
|
text
|
code_integrity
|
text
|
debug
|
boolean
|
install_date
|
date
|
last_bootup_time
|
date
|
local_time
|
date
|
name
|
text
|
pae
|
text
|
sp
|
text
|
suite
|
text
|
type
|
text
|
version
|
text
|
system:persisted_routes
Поле
|
Тип данных
|
caption
|
text
|
category_name
|
text
|
descr
|
text
|
destination
|
text
|
item.caption
|
text
|
item.descr
|
text
|
item.destination
|
text
|
item.mask
|
text
|
item.metric1
|
text
|
item.name
|
text
|
item.next_hop
|
text
|
mask
|
text
|
metric1
|
text
|
name
|
text
|
next_hop
|
text
|
system:policies
Политики системы
Поле
|
Тип данных
|
__type__
|
text
|
category_name
|
text
|
full_key
|
text
|
key.item.name
|
text
|
key.item.size
|
integer
|
key.item.value
|
text
|
key.name
|
text
|
name
|
text
|
sid
|
text
|
value.name
|
text
|
value.size
|
text
|
value.value
|
text
|
system:recovery
Поле
|
Тип данных
|
auto_reboot
|
boolean
|
category_name
|
text
|
dump_path
|
text
|
dump_type
|
integer
|
kernel_dump_only
|
boolean
|
mini_dump_dir
|
text
|
overwrite_existing_dump
|
boolean
|
send_admin_alert
|
boolean
|
write_debug_info
|
boolean
|
write_to_eventlog
|
boolean
|
system:routes
Данные о сети (статические маршруты)
Поле
|
Тип данных
|
age
|
text
|
caption
|
ip
|
category_name
|
text
|
descr
|
text
|
destination
|
ip
|
information
|
text
|
interface_index
|
text
|
mask
|
ip
|
metric1
|
text
|
metric2
|
text
|
metric3
|
text
|
metric4
|
text
|
metric5
|
text
|
name
|
ip
|
next_hop
|
ip
|
protocol
|
text
|
type
|
text
|
system:secure_boot
Поле
|
Тип данных
|
capable
|
boolean
|
category_name
|
text
|
enabled
|
boolean
|
system:security_providers
Поле
|
Тип данных
|
category_name
|
text
|
health
|
text
|
name
|
text
|
system:sessions
Данные о системе (сеансы)
Поле
|
Тип данных
|
category_name
|
text
|
client_device_id
|
text
|
client_dir
|
text
|
client_ip
|
text
|
client_name
|
text
|
connect_time
|
date
|
disconnect_time
|
date
|
domain
|
text
|
envid
|
text
|
id
|
text
|
is_rdp
|
text
|
last_input_time
|
date
|
logon_time
|
date
|
name
|
text
|
remote_ip
|
text
|
state
|
text
|
station_name
|
text
|
user
|
text
|
system:shares
Данные о системе (общие каталоги)
Поле
|
Тип данных
|
caption
|
text
|
category_name
|
text
|
descr
|
text
|
name
|
text
|
path
|
text
|
type
|
integer
|
system:smart
Атрибуты S.M.A.R.T.
Поле
|
Тип данных
|
attribute.index
|
integer
|
attribute.name
|
text
|
attribute.raw
|
integer
|
attribute.threshold
|
integer
|
attribute.value
|
integer
|
attribute.worst
|
integer
|
category_name
|
text
|
firmware
|
text
|
id
|
text
|
model
|
text
|
serial_number
|
text
|
system:speculation_control
Поле
|
Тип данных
|
bpb_disabled_kernel_to_user
|
text
|
bpb_disabled_no_hardware_support
|
text
|
bpb_disabled_system_policy
|
text
|
bpb_enabled
|
text
|
branch_prediction_mitigation.disabled_by_system_policy
|
boolean
|
branch_prediction_mitigation.disabled_no_microcode_update
|
boolean
|
branch_prediction_mitigation.enabled
|
boolean
|
category_name
|
text
|
cpu_microcode_support_pred_cmd.enabled
|
boolean
|
cpu_microcode_support_pred_cmd.window_use_ibpb
|
boolean
|
cpu_microcode_support_spec_ctrl.enabled
|
boolean
|
cpu_microcode_support_spec_ctrl.windows_use_ibrs
|
boolean
|
cpu_microcode_support_spec_ctrl.windows_use_stipb
|
boolean
|
enhanced_ibrs
|
text
|
enhanced_ibrs_reported
|
text
|
flags
|
long
|
hv_l1tf_migitation_enabled
|
text
|
hv_l1tf_migitation_not_enabled_hardware
|
text
|
hv_l1tf_migitation_not_enabled_load_option
|
text
|
hv_l1tf_processor_not_affected
|
text
|
hv_l1tf_status_available
|
text
|
hvl_1tf_migitation_not_enabled_core_scheduler
|
text
|
ibrs_present
|
text
|
mb_clear_enabled
|
text
|
mb_clear_reported
|
text
|
mds_hardware_protected
|
text
|
smep_present
|
text
|
spec_cmd_enumerated
|
text
|
spec_ctrl_enumerated
|
text
|
spec_ctrl_import_optimization_enabled
|
text
|
spec_ctrl_retpoline_enabled
|
text
|
speculative_store_bypas_sdisable_supported
|
text
|
speculative_store_bypass_disable_available
|
text
|
speculative_store_bypass_disable_required
|
text
|
speculative_store_bypass_disable_supported
|
text
|
speculative_store_bypass_disabled_kernel
|
text
|
speculative_store_bypass_disabled_system_wide
|
text
|
status
|
text
|
stibp_present
|
text
|
system:user_privelegies
Права пользователя в системе
Поле
|
Тип данных
|
category_name
|
text
|
enabled
|
boolean
|
name
|
text
|
system:users
Данные о системе (пользователи)
Поле
|
Тип данных
|
category_name
|
text
|
folder.name
|
text
|
folder.path
|
text
|
home
|
text
|
name
|
text
|
network_drive.connect_flags
|
text
|
network_drive.connection_type
|
text
|
network_drive.defer_flags
|
text
|
network_drive.letter
|
text
|
network_drive.provider_name
|
text
|
network_drive.provider_type
|
text
|
network_drive.remote_path
|
text
|
network_drive.username
|
text
|
sid
|
text
|
type
|
integer
|
winstore_apps
Приложения из магазина Microsoft Store
Поле
|
Тип данных
|
arch
|
text
|
category_name
|
text
|
id
|
text
|
name
|
text
|
vendor.C
|
text
|
vendor.CN
|
text
|
vendor.L
|
text
|
vendor.O
|
text
|
vendor.OID.1.3.6.1.4.1.311.60.2.1.2
|
text
|
vendor.OID.1.3.6.1.4.1.311.60.2.1.3
|
text
|
vendor.OID.2.5.4.15
|
text
|
vendor.OU
|
text
|
vendor.S
|
text
|
vendor.SERIALNUMBER
|
text
|
version
|
text
|
|