AlertNotifications 2017.01 en
ALERT NOTIFICATIONS
CEF | LEEF | CSV | XML | JSON | TXT
RELEASE 2017.01
Contents
Supported Products 7
Overview 9
Alerts 10
Domain Match 10
Infection Match 10
Local Callback 10
Local Infection 10
Malware Callback (Generic) 11
Malware Callback (DTI.Callback) 11
Malware Object (with AV-Suite Detection) 11
Malware Object (with Zero-Day Callback) 11
Riskware Callback 12
Riskware Object 12
Web Infection 12
Web Infection (malware.binary.url) 13
Concise, Extended, and Normal Format Outputs 13
Source and Destination Addresses 13
Abbreviations Used in This Manual 13
References 14
CEF Notifications 15
Sample CEF Notifications per Event Type 18
domain-match (CM Series) 18
domain-match (NX Series) 18
infection-match (CM Series) 18
infection-match (NX Series) 19
© 2017 FireEye 3
LEEF Notifications 61
Sample LEEF Notifications per Event Type 63
Event: domain-match 63
Event: infection-match (NX Series) 63
Event: malware-callback 64
Event: web-infection 64
Event: malware-object (NX Series) 64
Event: malware-object (EX Series) 65
Event: ips-event 65
Event: riskware-callback 65
Event: riskware-object 66
LEEF Extension Field Key=Value Pair Definitions 67
CSV Notifications 81
Sample CSV Notifications per Event Type 84
Event: domain-match 84
Event: infection-match (NX Series) 84
Event: malware-callback 85
Event: malware-object (NX Series) 85
Event: malware-object (EX Series) 86
Event: web-infection 86
Event: ips-event 86
CSV Extension Field Key=Value Pair Definitions 87
Release 2017.01
Supported Products
The 2017.01 release of the Alert Notifications supports the following releases and earlier of
the FireEye products:
- AX Series: Version 7.7
- CM Series: Version 7.9
- EX Series: Version 7.9
- FX Series: Version 7.7
- HX Series: Version 3.5
- NX Series: Version 7.9
Overview
The FireEye appliance Multi-Vector Execution (MVX) Engine detects stealthy web, file, or
email-based malware that uses malicious techniques to exploit client browsers, operating
systems, email and applications. When FireEye detects a malicious event, it generates alert
details that the appliance can send to an email, HTTP, SNMP, or rsyslog server or to a
Security Information and Event Management (SIEM) platform in multiple formats,
including CEF. This guide describes alert and event collection in the following formats:
CEF, LEEF, CSV, XML, JSON, and TXT.
This guide focuses on the formats that can be consumed by programs. FireEye
also provides human-readable ASCII TEXT notifications that are not discussed
in detail in this guide.
The FireEye appliance Web UI Settings>Notifications menu provides the options for
configuring alert notifications for each supported format to be sent to email, HTTP, SNMP,
rsyslog or SIEM servers. The servers, in turn, must be configured to receive the
notifications in the respective format(s).
When configuring a FireEye appliance to send alert notifications in CEF format, for
example, an administrator must confirm that the rsyslog trap-sink server supports CEF.
The CEF output is accessible for parsing only on the rsyslog server and cannot be viewed
from the FireEye appliance CLI or Web UI.
Alerts
Whenever a FireEye appliance detects malware, an alert is generated. This section describes
each alert type and recommends how to respond to it.
Domain Match
Domain-match alerts show when an endpoint has requested Domain Name System (DNS)
to resolve a known malicious hostname. This alert means that the DNS was resolved. It
does not indicate that any malicious payloads have been downloaded or that exploitative
content has been accessed. Domain matches are not blocked because they are just name
resolutions. There is no target IP address in this type of match. The alert has the exact time
that the NX series appliance picked up the DNS traffic.
By itself, this type of alert is for informational purposes only. If a high volume of domain
matches is occurring, the endpoint might be compromised and needs to be cleaned.
Infection Match
This alert indicates that the endpoint attempted to browse to a URL that is known to be
exploitative. If no other alerts from the endpoint are present, it is unlikely that the endpoint
is infected. If the NX Series appliance is in blocking mode, infection matches are blocked.
It is possible that other channels are being used in such a way that they are undetectable or
that the endpoint is compromised but using a different point on the network for its traffic.
Check if anything suspicious happened around this time. If you have the FireEye IPS
license and known exploit details are available, check if the vulnerable software versions
are being used. Check local security logs and security information and event management
(SIEM) logs. You can also use the HX Series appliance for triage investigation.
Local Callback
Local-callback alerts refer to malicious URLs that were fetched during dynamic virtual
analysis by binaries or Web traffic. If the NX Series appliance is in blocking mode, local
callbacks are blocked.
The likelihood that the endpoint is infected is high. The endpoint should be investigated
immediately and potentially removed from the network during this process.
Local Infection
Local-infection alerts happen after a malicious binary or exploitative server traffic is
detected. If the NX Series appliance is in blocking mode, local infections are blocked. The
exact URL location that the threat was accessed from is detected or blocked in the future,
depending on your settings.
Check if anything suspicious happened around this time. If you have the FireEye IPS
license and known exploit details are available, check if the vulnerable software versions
are being used. Check local security logs and SIEM logs. You can also use the HX Series
appliance for triage investigation.
If the end user ran the binary, it is likely that the endpoint is compromised, unless the
binary only works on certain software versions. In this case, the endpoint should be
removed from the network for additional analysis. Check local security logs and SIEM
logs. You can also use the HX Series appliance for triage investigation.
Riskware Callback
Riskware-callback alerts indicate that the endpoint is sending confirmed callback traffic to
a command-and-control server. This alert occurs if a riskware object was downloaded and
launched on an endpoint.
The endpoint should be investigated immediately and removed from the network during
the process. Check local security logs and SIEM logs. You can also use the HX Series
appliance for triage investigation.
Riskware Object
Riskware-object alerts indicate that the endpoint downloaded known riskware.
The endpoint should be investigated for the presence of riskware. If the end user
knowingly downloaded the file but did not execute it, the endpoint might be clean. It is
possible that the file was dropped and executed without the user's knowledge.
If the end user ran the binary, it is likely that the endpoint is compromised, unless the
binary only works on certain software versions. In this case, the endpoint should be
removed from the network for additional analysis. Check local security logs and SIEM
logs. You can also use the HX Series appliance for triage investigation.
Web Infection
Web-infection alerts indicate that the endpoint accessed a Web page that was determined
by the MVX engine to exploit the endpoint. Subsequent Web infections are blocked,
depending on your configuration.
Check if anything suspicious happened around this time. If you have the FireEye IPS
license and known exploit details are available, check if the vulnerable software versions
are being used. Check local security logs and SIEM logs. You can also use the HX Series
appliance for triage investigation.
Starting in the 7.9 release, there are three flags to differentiate among the types of
URLs:
Concise, Extended, and Normal Format Outputs
If you are sending alert notifications in XML or JSON to a rsyslog server using the
extended output option, the size of the alert notification is likely to exceed the 4K
UDP limit. To avoid this limit, use TCP as the transportation layer instead of
UDP.
Abbreviations Used in This Manual
The following event type abbreviations are used in this manual:
Abbreviation Event Type
BA binary-analysis
DM domain-match
IE ips-event
IM infection-match
MC malware-callback
MO malware-object
MW malware-analysis-done
RC riskware-callback
RO riskware-object
WI web-infection
The following product abbreviations are used in CEF, LEEF, and CSV alert notifications:
Abbreviation Product
CMS CM Series
eMPS EX Series
fMPS FX Series
MAS AX Series
MPS NX Series
The following product abbreviations are used in XML and JSON alert notifications:
Abbreviation Product
CMS CM Series
MAS AX Series
References
[1] ArcSight. The ArcSight platform:
https://www.protect724.hpe.com/login.jspa?referer=%2Fcommunity%2Farcsight
[2] ArcSight. Common event format: https://www.protect724.hpe.com/docs/DOC-1072
[3] syslogd, the enhanced syslogd for Linux and UNIX: http://www.rsyslog.com
CEF Notifications
Common Event Format (CEF) [2] is an ArcSight [1] supported format carried over rsyslog [3]. ArcSight provides an open standard for log
management and interoperability of security-related information from different devices, network appliances and applications. FireEye adopts
this open log format (CEF) for sending FireEye malware event notifications to an ArcSight channel. The format contains the most relevant
event information, making it available for event consumers to parse and use interoperably. To integrate the events, the syslog message
format is used as the transport mechanism: a common prefix, containing the date and hostname, is applied to each message, as shown:
Jan 18 11:07:53 host <message>
where message=<header>|<extension>
The message in CEF format includes a header and an extension as a set of key=value pairs. Refer to the ArcSight Common Event Format
white paper [2] for a detailed description of the ArcSight CEF format.
The FireEye CEF message header is defined as follows:
CEF:0|<vendor>|<product name>|<version>|<cef event type>|<event-name>|<severity>|<extension>
where
- malware-callback
- web-infection
- binary-analysis (relevant only for Releases 5.x and 6.0)
- infection-match
- mw-analysis-done (relevant only for Releases 5.x and 6.0)
- domain-match
- malware-object (replaces binary-infection in Release 6.1 and later)
- ips-event
- riskware-object
- riskware-callback
<severity> The severity of the event, from 0 to 10, where 10 is the highest malware severity.
<extension> Extensions include all the alert detection details, labeled in categories; for example: rt= , fileHash=, src=, cn1=,
cn2=, cn3=, cn1Label=, cn2Label=, cn3Label=, cs1=, cs2=, cs3=, cs4=, cs5=, cs6=, cs1Label=, cs2Label=, cs3Label=,
cs4Label=, cs5Label=, cs6Label=, request=, shost=, proto=, smac=, externalID=, dvchost=, spt=, dpt=, dst=, dvc=,
dmac=, suser=, msg=, filePath=, duser=, dproc=, eventURL=, sID=, sName=, sType=
The definitions for these extension field labels are provided in CEF Extension Field Key=Value Pair
Definitions on page 25. Not all products reference the same CEF field labels in their alert notifications.
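The header and extension layout described above is all a SIEM-side consumer needs to parse these notifications. The following parser is an added example and is not FireEye code; it assumes the layout the guide gives (syslog prefix, seven pipe-delimited header fields with a literal pipe escaped as "\|", extension values with "=" escaped as "\=" and "\" as "\\"), and it resolves the csN/cnN/c6aN/flexStringN custom fields through their companion "<key>Label=" fields. The sample line is constructed after the riskware-callback notification shown later in this chapter; its hosts and addresses are placeholders. The function name parse_cef and the output structure are the example's own choices.

```python
"""Parser for FireEye CEF alert notifications (added example, not FireEye code).

Assumed layout, taken from the guide: a syslog prefix ("Mon dd HH:MM:SS host tag:"),
then "CEF:0|vendor|product|version|event-type|event-name|severity|extension".
Header fields escape a literal pipe as "\|"; extension values escape "=" as "\="
and "\" as "\\". Custom fields (cs1..cs6, cn1..cn3, c6a1..c6a4, flexString1..)
carry their meaning in a companion "<key>Label=" field, which is resolved here.
"""
import re

# Constructed sample modelled on the guide's riskware-callback notification;
# hosts and addresses are placeholders, not observed values.
SAMPLE_CEF = (
    "Nov 22 03:41:03 sensor1.example.invalid fenotify-10.warning: "
    "CEF:0|FireEye|MPS|7.9.2.581998|RC|riskware-callback|1|"
    "rt=Nov 22 2016 11:47:26 UTC src=10.0.0.5 dst=192.0.2.9 "
    "request=http://dl.example.invalid/a.msi?x\\=1&y\\=2 "
    "cs1Label=sname cs1=Adware.Example act=notified spt=49215 dpt=80 "
    "cn1Label=vlan cn1=0 externalId=1005 msg=risk ware detected:10 proto=tcp"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "event_type", "event_name", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# A key starts at the beginning of the extension or right after whitespace; an
# escaped "\=" inside a value never matches because "\" is not a key character.
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.-]+)=")
_LABEL = re.compile(r"^(cs|cn|c6a|flexString|flexNumber|flexDate)(\d+)Label$")
_ESCAPES = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}


def _unescape(value):
    """Undo CEF backslash escapes; unknown escapes are kept verbatim."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def parse_cef(line):
    """Return {"syslog": ..., "header": ..., "extension": ..., "labeled": ...}."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF notification")
    prefix = line[:idx].rstrip()
    # Syslog prefix "Mon dd HH:MM:SS host tag:"; any other prefix is kept raw.
    m = re.match(r"(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?):?$", prefix)
    syslog = ({"timestamp": m.group(1), "host": m.group(2), "tag": m.group(3)}
              if m else {"raw": prefix})

    # Seven header fields; everything after the seventh unescaped pipe is extension.
    parts = _UNESCAPED_PIPE.split(line[idx:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    header = {name: _unescape(val) for name, val in zip(HEADER_FIELDS, parts[:7])}
    header["cef_version"] = header["cef_version"].split(":", 1)[1]
    header["severity"] = int(header["severity"])

    # Values may contain spaces (msg=risk ware detected:10), so a value runs
    # from its "=" up to the start of the next key rather than the next space.
    extension = {}
    keys = list(_KEY.finditer(parts[7]))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        extension[k.group(1)] = _unescape(parts[7][k.end():end].strip())

    # cs1Label=sname cs1=Adware.Example  ->  labeled["sname"] == "Adware.Example"
    labeled = {}
    for key, label in extension.items():
        lm = _LABEL.match(key)
        if lm and (lm.group(1) + lm.group(2)) in extension:
            labeled[label] = extension[lm.group(1) + lm.group(2)]
    return {"syslog": syslog, "header": header, "extension": extension,
            "labeled": labeled}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef(SAMPLE_CEF), indent=2))
```

Resolving the label fields matters for detection content: a rule that keys on the malware name must read labeled["sname"] rather than assume it is always in cs1, because the guide notes that not all products use the same field labels.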
The product names in CEF notifications are ‘MPS’ (for the NX Series), ‘eMPS’ (for the EX Series), ‘fMPS’ (for the FX Series),
‘MAS’ (for the AX Series), and ‘CMS’ (for the CM Series).
riskware-callback (IPv4)
Nov 22 03:41:03 jingalala.mrl.fireeye.com fenotify-10.warning: CEF:0|FireEye|MPS|7.9.2.581998|RC|riskware-
callback|1|rt=Nov 22 2016 11:47:26 UTC start=Nov 22 2016 11:47:26 UTC end=Nov 22 2016 11:47:26 UTC
src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx
request=http://fortd.serverdld.eu/36175/cdn/winpalace/WinPalace20130622034203.msi cs1Label=sname
cs1=Adware.Hastingsin act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com smac=00:20:18:11:01:66
dmac=00:01:6c:a9:2f:27 spt=49215 dpt=80 cn1Label=vlan cn1=0 externalId=1005 msg=risk ware detected:10 proto=tcp
cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_id\=10&inf_id\=1005&inf_
type\=Riskware%20Callback cs6Label=channel cs6=GET /36175/cdn/winpalace/WinPalace20130622034203.msi
HTTP/1.1::~~Connection: Keep-Alive::~~Accept: */*::~~User-Agent: Windows Installer::~~Host:
fortd.serverdld.eu::~~::~~
riskware-callback (IPv6)
Jan 30 22:57:19 jingalala.mrl.fireeye.com fenotify-5.alert: CEF:0|FireEye|MPS|7.9.2.602260|RC|riskware-
callback|1|rt=Jan 31 2017 07:05:20 UTC start=Jan 31 2017 07:05:20 UTC end=Jan 31 2017 07:05:20 UTC
c6a2=2011::1:6e1c:e3c3 c6a2Label=Victim IP c6a3=2011::1:22b4:b249 c6a3Label=Attacker IP
request=http://stats.statsmyapp.com/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
13&bic\=&app\=52258&appver\=0&verifier\=&srcid\=0&subid\=0&zdata\=0&xpiver\=0&crxver\=0&default\=ie&chver\=25&f
fver\=13&iever\=10&installtime\=1444697300&curtime\=1444697300&lifetime\=0&procstarttime\=1444697299&rnd\=14446
97315 cs1Label=sname cs1=Adware.Crossrider act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com
smac=00:20:18:11:01:65 dmac=00:01:6c:a9:2f:27 spt=49198 dpt=80 cn1Label=vlan cn1=0 externalId=100 msg=risk ware
detected:5 proto=tcp cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_
id\=5&inf_id\=100&inf_type\=Riskware%20Callback cs6Label=channel cs6=GET
/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
13&bic\=&app\=52258&appver\=0&verifier\=&srcid\=0&subid\=0&zdata\=0&xpiver\=0&crxver\=0&default\=ie&chver\=25&f
fver\=13&iever\=10&installtime\=1444697300&curtime\=1444697300&lifetime\=0&procstarttime\=1444697299&rnd\=14446
97315 HTTP/1.1::~~Host: stats.statsmyapp.com::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~
riskware-object (IPv4)
Nov 22 03:38:41 jingalala.mrl.fireeye.com fenotify-9.warning: CEF:0|FireEye|MPS|7.9.2.581998|RO|riskware-
object|1|rt=Nov 22 2016 11:45:06 UTC start=Nov 22 2016 11:43:36 UTC end=Nov 22 2016 11:45:06 UTC
src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx request=xxx.xxx.xxx.xxx/5ed4437e0027415a829b9951941cdda0 cs1Label=sname
cs1=Win.Adware.Multiplug-55768 act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com
fileHash=5ed4437e0027415a829b9951941cdda0 smac=10:60:4b:a9:b4:0a dmac=10:60:4b:a9:86:3a spt=35682 dpt=80
cn1Label=vlan cn1=0 requestMethod=GET externalId=916 msg=risk ware detected:9 proto=tcp cs3Label=osinfo
cs3=Microsoft WindowsXP 32-bit 5.1 sp3 16.0901 cs4Label=link
cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_id\=9&inf_id\=916&inf_
type\=Riskware%20Object flexString4Label=proto-header flexString4=GET /5ed4437e0027415a829b9951941cdda0
HTTP/1.0::~~User-Agent: Wget/1.12 (linux-gnu)::~~Accept: */*::~~Host: xxx.xxx.xxx.xxx::~~Connection: Keep-
Alive::~~HTTP/1.1 200 OK::~~Date: Thu, 08 Oct 2015 21:05:15 GMT::~~Server: Apache/2.2.15 (CentOS)::~~Last-
Modified: Thu, 08 Oct 2015 21:04:41 GMT::~~ETag: "1940780-49c00-5219e363a8b4c"::~~Accept-Ranges:
bytes::~~Content-Length: 302080::~~Connection: close::~~Content-Type: text/plain; charset=UTF-8::~~
riskware-object (IPv6)
Jan 30 22:57:19 jingalala.mrl.fireeye.com fenotify-5.alert: CEF:0|FireEye|MPS|7.9.2.602260|RC|riskware-
callback|1|rt=Jan 31 2017 07:05:20 UTC start=Jan 31 2017 07:05:20 UTC end=Jan 31 2017 07:05:20 UTC
c6a2=2011::1:6e1c:e3c3 c6a2Label=Victim IP c6a3=2011::1:22b4:b249 c6a3Label=Attacker IP
request=http://stats.statsmyapp.com/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
13&bic\=&app\=52258&appver\=0&verifier\=&srcid\=0&subid\=0&zdata\=0&xpiver\=0&crxver\=0&default\=ie&chver\=25&f
fver\=13&iever\=10&installtime\=1444697300&curtime\=1444697300&lifetime\=0&procstarttime\=1444697299&rnd\=14446
97315 cs1Label=sname cs1=Adware.Crossrider act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com
smac=00:20:18:11:01:65 dmac=00:01:6c:a9:2f:27 spt=49198 dpt=80 cn1Label=vlan cn1=0 externalId=100 msg=risk ware
detected:5 proto=tcp cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_
id\=5&inf_id\=100&inf_type\=Riskware%20Callback cs6Label=channel cs6=GET
/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
13&bic\=&app\=52258&appver\=0&verifier\=&srcid\=0&subid\=0&zdata\=0&xpiver\=0&crxver\=0&default\=ie&chver\=25&f
fver\=13&iever\=10&installtime\=1444697300&curtime\=1444697300&lifetime\=0&procstarttime\=1444697299&rnd\=14446
97315 HTTP/1.1::~~Host: stats.statsmyapp.com::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~
The following table provides definitions for each extension field key in a CEF message.
The event types “binary-analysis” (BA) and “malware-analysis-done” (MW) are relevant only for FireEye Releases 5.X/6.0.
The other event types are relevant for all releases and/or Release 6.1.0 and 6.2.0 and they are defined as follows:
The Z character at the end of a time stamp indicates that the time displayed is in the UTC time zone. Starting in the 7.0.0
release, the time is displayed in UTC by default. To change the displayed time to your local time, use the following CLI
command: fenotify default timezone localtime
Ext. Field Key | Description | Products | Event Type | Data Type | Release
fileType | fileType represents the file type of the detected malware. For example: fileType=jar | NX, AX, FX, EX, CM | MO, MC | File extension, such as: exe, pdf, ppt, doc, docx, and so on | 7.x
devicePayloadId | devicePayloadId represents the unique identifier for the payload associated with the event. For example: devicePayloadId=12bb338c-1482-48e2-b7b6-05afdcdfbece | NX, AX, FX, EX, CM | MC, MO, WI, DM, IM | String, 128 characters | 7.x
start | Date when the event was originally analyzed by the appliance. For example: start=Nov 17 2016 10:30:38 UTC | EX | MO | Date in the following format: MMM dd yyyy HH:mm:ss UTC | 7.x
The following table describes the CEF fields and values used for ETP Cloud notifications.
fileHash | Hash value of the file/URL | String | Yes | Yes | 255 characters | The format is MD5.
cs4 | URL to the alert page on the ETP portal | String | Yes | Yes | 4000 characters | —
LEEF Notifications
Like CEF, the alert notification in LEEF format includes a header and an extension as a set of key=value pairs.
The FireEye LEEF message header is defined as follows. The header fields are separated using the pipe ('|') character, and the body fields
are separated using the caret ('^') character.
LEEF:1.0|<vendor>|<product name>|<version>|<LEEF eventID>|<extension>
where
- malware-callback
- web-infection
- binary-analysis (relevant only for Releases 5.x and 6.0)
- infection-match
- mw-analysis-done (relevant only for Releases 5.x and 6.0)
- domain-match
- malware-object (replaces binary-infection in Release 6.1 and later)
- ips-event
- riskware-callback
- riskware-object
<extension> Extensions include all the alert detection details, labeled in categories; for example: fileHash=, src=, request=, proto=,
dvchost=, srcPort=, dvc=, filePath=, sname=, dstmac=, vlan=, cncHost=, externalID=, devTime=, sID=, cncPort=, link=,
srcMAC=, dst=, dstPort=, cncChannel=, osinfo=, targetApp=, anomaly=
The definitions for these extension field labels are provided in LEEF Extension Field Key=Value Pair
Definitions on page 67. Not all products reference the same LEEF field labels in their alert notifications.
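The LEEF layout differs from CEF in its delimiters (five pipe-delimited header fields, then caret-delimited key=value pairs) and in carrying its own timestamp pair, devTime and devTimeFormat. The following parser is an added example, not FireEye code. It assumes the header and extension layout the guide defines, treats the "::~~" token that joins HTTP header lines inside cncChannel and proto-header values in the samples as a line separator (an assumption drawn from those samples, not stated by the guide), and converts the one devTimeFormat the samples show ("MMM dd yyyy HH:mm:ss z") into an aware UTC datetime. The sample line is constructed after the malware-callback sample below; hosts and addresses are placeholders, and the names parse_leef and parse_dev_time are the example's own.

```python
"""Parser for FireEye LEEF alert notifications (added example, not FireEye code).

Layout assumed from the guide: an optional syslog prefix, then
"LEEF:1.0|vendor|product|version|eventID|extension", where the five header
fields are pipe-delimited and the extension is a run of key=value pairs
delimited by "^" (with a trailing "^"). In the guide's samples, HTTP request
headers inside cncChannel / proto-header values are joined with "::~~";
splitting on that token is an assumption drawn from the samples.
"""
from datetime import datetime, timezone

# Constructed sample modelled on the guide's malware-callback notification;
# hosts and addresses are placeholders, not observed values.
SAMPLE_LEEF = (
    "Jul 19 00:30:02 10.0.0.2 fenotify-2000.warning: "
    "LEEF:1.0|FireEye|MPS|7.9.0.476843|malware-callback|"
    "sev=7^srcMAC=92:73:75:00:00:35^request=hxxp://cnc.example.invalid/newad.exe^"
    "srcPort=1176^proto=tcp^dst=192.0.2.7^externalId=2000^"
    "cncChannel=GET /newad.exe HTTP/1.1::~~Accept: */*::~~Host: cnc.example.invalid::~~::~~^"
    "sname=Trojan.Downloader.Example^cncPort=80^src=10.0.0.5^"
    "devTime=Jul 19 2016 07:37:13 UTC^devTimeFormat=MMM dd yyyy HH:mm:ss z^action=notified^"
)

HEADER_FIELDS = ("leef_version", "vendor", "product", "version", "event_id")
MULTILINE_KEYS = ("cncChannel", "proto-header")
# Java-style devTimeFormat strings seen in the guide, mapped to strptime
# directives. The zone token ("z") is handled separately because strptime
# does not attach tzinfo for %Z.
_DEVTIME_FORMATS = {"MMM dd yyyy HH:mm:ss z": "%b %d %Y %H:%M:%S"}


def parse_dev_time(value, fmt="MMM dd yyyy HH:mm:ss z"):
    """Turn devTime (e.g. 'Jul 19 2016 07:37:13 UTC') into an aware datetime.

    Only UTC/GMT zone tokens are accepted: the guide says appliances emit UTC
    by default, and any other zone name would need a real zone database.
    """
    if fmt not in _DEVTIME_FORMATS:
        raise ValueError("unsupported devTimeFormat: %r" % fmt)
    stamp, _, zone = value.rpartition(" ")
    if zone.upper() not in ("UTC", "GMT"):
        raise ValueError("non-UTC devTime zone: %r" % zone)
    return datetime.strptime(stamp, _DEVTIME_FORMATS[fmt]).replace(tzinfo=timezone.utc)


def parse_leef(line):
    """Return a dict with the header, the raw extension and a few derived fields."""
    idx = line.find("LEEF:")
    if idx < 0:
        raise ValueError("not a LEEF notification")
    parts = line[idx:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("LEEF header must have 5 pipe-delimited fields")
    header = dict(zip(HEADER_FIELDS, parts[:5]))
    header["leef_version"] = header["leef_version"].split(":", 1)[1]

    extension = {}
    for token in parts[5].split("^"):
        if not token:
            continue                      # the trailing "^" leaves an empty token
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("malformed key=value token: %r" % token)
        extension[key] = value.replace("\\=", "=")   # "ev_id\=2000" in the samples

    event = {"header": header, "extension": extension}
    if "devTime" in extension:
        event["dev_time"] = parse_dev_time(
            extension["devTime"],
            extension.get("devTimeFormat", "MMM dd yyyy HH:mm:ss z"))
    for key in MULTILINE_KEYS:
        if key in extension:
            event[key + "_lines"] = [ln for ln in extension[key].split("::~~") if ln]
    if "sev" in extension:
        event["severity"] = int(extension["sev"])
    return event


if __name__ == "__main__":
    import json
    print(json.dumps(parse_leef(SAMPLE_LEEF), indent=2, default=str))
```

Normalising devTime to an aware datetime is what makes the appliance timestamp comparable with the syslog receipt time; the ips-event sample in this chapter writes the zone as "GMT" rather than "UTC", which is why both tokens are accepted.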
The product names in LEEF notifications are ‘MPS’ (for the NX Series), ‘eMPS’ (for the EX Series), ‘fMPS’ (for the FX Series),
‘MAS’ (for the AX Series), and ‘CMS’ (for the CM Series).
Event: domain-match
LEEF Notification Message:
Jul 19 00:30:11 xxx.xxx.xxx.xxx fenotify-1999.warning: LEEF:1.0|FireEye|MPS|7.9.0.476843|domain-match|
sev=1^sname=Trojan.Win32.Dogrobot.gen.E^shost=119-168-188-108.rev.home.ne.jp^srcMAC=92:73:75:00:00:35
^proto=udp^srcPort=1025^vlan=0^dstMAC=00:19:d1:fd:a2:52^dvc=xxx.xxx.xxx.xxx^action=notified^dvchost=tikka
^cncHost=the.microgood.net^externalId=1999^devTime=Jul 19 2016 07:37:13 UTC
^sid=89017273^cncPort=53^link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id\=1999
^filePath=the.microgood.net^src=xxx.xxx.xxx.xxx^
Event: malware-callback
LEEF Notification Message:
Jul 19 00:30:02 xxx.xxx.xxx.xxx fenotify-2000.warning: LEEF:1.0|FireEye|MPS|7.9.0.476843|malware-callback|
sev=7^srcMAC=92:73:75:00:00:35^request=hxxp://the.microgood.net/newad.exe^srcPort=1176^
shost=119-168-188-108.rev.home.ne.jp^proto=tcp^dst=xxx.xxx.xxx.xxx^
cncHost=xxx.xxx.xxx.xxx^externalId=2000^sid=89042535^cncChannel=GET /newad.exe HTTP/1.1::~~Accept:
*/*::~~Accept-Encoding: gzip, deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
SV1)::~~Host: the.microgood.net::~~Connection: Keep-Alive::~~::~~^sname=Trojan.Downloader.Delf.UD^
vlan=0^dvchost=tikka^cncPort=80^link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_
id\=2000^dstPort=80^src=xxx.xxx.xxx.xxx^dstMAC=00:19:d1:fd:a2:52^dvc=xxx.xxx.xxx.xxx^devTime=Jul 19 2016
07:37:13 UTC^action=notified^
Event: web-infection
LEEF Notification Message:
Jul 19 02:06:56 xxx.xxx.xxx.xxx fenotify-627.warning: LEEF:1.0|FireEye|MPS|7.9.0.476843|web-infection|
osinfo=Microsoft WindowsXP 32-bit 5.1 sp3 15.1218^sev=4^dstPort=80^sname=Exploit.Browser^
proto=tcp^targetApp=InternetExplorer 8.0^dvchost=tikka^vlan=0^srcPort=1057^
dvc=xxx.xxx.xxx.xxx^action=notified^cncHost=google.com^externalId=627^devTime=Jul 19 2016 09:13:48
UTC^cncPort=80^link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?inc_
id\=627^filePath=zorosro.cf/index.html^src=xxx.xxx.xxx.xxx^anomaly=98304^srcMAC=d6:96:0a:84:24:15^
Event: ips-event
LEEF Notification Message:
07-19-2016 11:55:37 Local4.Critical xxx.xxx.xxx.xxx fenotify-118891.crit:
LEEF:1.0|FireEye|MPS|7.9.0.480292|ips-event|id=118891^devTime=Jul 19 2016 06:22:29
GMT^src=xxx.xxx.xxx.xxx^srcPort=80^srcMAC=00:1b:78:75:79:68^dst=xxx.xxx.xxx.xxx^dstPort=1044^dstMAC=00:0c:29:a6
:54:20^sev=6^sigId=85300440^sigrevision=11^matchcount=1^signame=Microsoft Color Management System Crafted Path
Name Buffer Overflow^cve_id=CVE-2008-2245^action=notified^attack_
mode=client^url=https://xxx.xxx.xxx.xxx/notification_url/ips_events?ev_id\=118891&lms_
iden\=0CC47A31F77E^devTimeFormat=MMM dd yyyy HH:mm:ss z^cat=ips-event^mvxStatus=N/A^proto=6
Event: riskware-callback
LEEF Notification Message:
Sep 20 15:16:37 axhwmps.eng.fireeye.com fenotify-824.warning: LEEF:1.0|FireEye|MPS|7.9.0.542582|
riskware-callback|devTime=Aug 14 2016 08:38:56 UTC^devTimeFormat=MMM dd yyyy HH:mm:ss z^sev=1^proto=tcp^
src=xxx.xxx.xxx.xxx^dst=xxx.xxx.xxx.xxx^srcPort=1072^dstPort=80^
srcMAC=00:20:18:11:01:43^dstMAC=00:01:6c:a9:2f:27^url=http://49939.northstar.api.socdn.com/installer/ad0d8641-
dff0-11e3-8a58-80c16e6f498c/12932238/config^link=https://axhwmps.eng.fireeye.com/notification_url/riskware?ev_
id=824&inf_id=15370&inf_type=Riskware%20Callback^vlan=0^externalId=15370^
dvchost=axhwmps.eng.fireeye.com^action=notified^sname=Adware.MultiPlug^cncChannel=GET /installer/ad0d8641-dff0-
11e3-8a58-80c16e6f498c/12932238/config HTTP/1.1::~~Accept-Language: en-XX::~~User-Agent: DownloadMR/1.2.4+
(MSIE 8.0; Windows NT 5.1 SP3; DB\=ie; 9bf59659-7f5b-02eb-8c69-ce6a8ca6b231; m\=wXuH; u\=admin;
aurora)::~~Host: 49939.northstar.api.socdn.com::~~Connection: Keep-Alive::~~::~~^
Event: riskware-object
LEEF Notification Message:
Sep 20 15:16:32 axhwmps.eng.fireeye.com fenotify-2762.warning: LEEF:1.0|FireEye|MPS|7.9.0.542582|
riskware-object|devTime=Sep 02 2016 20:02:57 UTC^devTimeFormat=MMM dd yyyy HH:mm:ss z^sev=1^proto=tcp^
src=xxx.xxx.xxx.xxx^dst=xxx.xxx.xxx.xxx^
srcPort=37646^dstPort=80^srcMAC=10:60:4b:a9:b4:06^dstMAC=10:60:4b:a9:86:1a^
url=xxx.xxx.xxx.xxx/ba4ca624c2e5d01cfcf537891ec5c^link=https://axhwmps.eng.fireeye.com/notification_
url/riskware?ev_id=2762&inf_id=52767&inf_type=Riskware%20Callback^
vlan=0^externalId=52767^dvchost=axhwmps.eng.fireeye.com^action=notified^sname=PUA.Win.Packer.InnoInstallerCo-
2^fileHash=e36f7b5e0de486b0de5481a68cd0dc4b^osinfo=Microsoft WindowsXP 32-bit 5.1 sp3 15.1218^proto-header=GET
/ba4ca624c2e5d01cfcf537891ec5c HTTP/1.0::~~User-Agent: Wget/1.12 (linux-gnu)::~~Accept: */*::~~Host:
xxx.xxx.xxx.xxx::~~Connection: Keep-Alive::~~HTTP/1.1 200 OK::~~Date: Wed, 30 Sep 2015 16:02:39 GMT::~~Server:
Apache/2.2.15 (CentOS)::~~Last-Modified: Tue, 29 Sep 2015 22:56:32 GMT::~~ETag: "1940779-ba988-
520eab99e6191"::~~Accept-Ranges: bytes::~~Content-Length: 764296::~~Connection: close::~~Content-Type:
text/plain; charset\=UTF-8::~~^
The following table provides definitions for each extension field key in a LEEF message.
The event types “binary-analysis” (BA) and “malware-analysis-done” (MW) are relevant only for FireEye Releases 5.X/6.0.
The other event types are relevant for all releases and/or Release 6.1.0 and 6.2.0 and they are defined as follows:
The Z character at the end of a time stamp indicates that the time displayed is in the UTC time zone. Starting in the 7.0.0
release, the time is displayed in UTC by default. To change the displayed time to your local time, use the following CLI
command: fenotify default timezone localtime
Ext. Field Key | Description | Products | Event Type | Data Type | Release
start | Date when the event was originally analyzed by the appliance. For example: start=Nov 17 2016 10:30:38 UTC | EX | MO | Date in the following format: MMM dd yyyy HH:mm:ss UTC | 7.x
CSV Notifications
CSV (comma-separated values) format is similar to CEF format with one exception: there can be multiple alert messages per event.
This means that for each low-level event, URL, CnC service and OS change, a separate message is generated. In this way, CSV format
provides more detail than CEF format.
Similar to CEF, the message in CSV format includes a header and an extension as a set of key-value pairs detailing additional information.
Jan 18 11:07:53 host <message>
where message=<header>|<extension>.
The CSV header consists of a set of attributes delimited by a colon (:), and the body fields are separated by commas. The FireEye CSV
message header attributes are defined as follows:
CSV:0|FireEye|<product name>|<event-type>|<event-name>|<extension>
<event-name> For event name, FireEye uses the signature name as the event name in CSV message headers; if there are multiple
signature names in a single detected malicious event, then notification messages will be generated separately for each:
l malware-callback
l web-infection
l binary-analysis (relevant only for Releases 5.x and 6.0)
l infection-match
l mw-analysis-done (relevant only for Releases 5.x and 6.0)
l domain-match
l malware-object (replaces binary-infection in Release 6.1 and later)
l ips-event
<extension> Extensions include all the alert detection details, labeled in categories; for example: osinfo=, sev=, malware_type=,
alertid=, app=, spt=, locations=, smac=, header=, cnchost=, alertType=, shost=, dst=, original_name=, application=, sid=,
malware-note=, objurl=, profile=, dmac=, product=, sname=, fileHash=, dvchost=, release=, link=, cncport=, src=, dpt=,
anomaly=, dvc=, channel=, action=, os=, stype=
The definitions for these extension field labels are provided in CSV Extension Field Key=Value Pair
Definitions on page 87. Not all products reference the same CEF field labels in their alert notifications.
The product names in CSV notifications are ‘MPS’ (for the NX Series), ‘eMPS’ (for the EX Series), ‘fMPS’ (for the FX Series),
‘MAS’ (for the AX Series), and ‘CMS’ (for the CM Series).
Event: domain-match
CSV Notification Message:
Jul 19 00:30:12 xxx.xxx.xxx.xxx fenotify-1999.warning: CSV:0:FireEye:Web MPS:7.9.0.476843:DM:domain-match
osinfo= sev=minr malware_type= alertid=1999 app= spt=1025 locations= smac=92:73:75:00:00:35 header=
cnchost=the.microgood.net alertType=domain-match shost=119-168-188-108.rev.home.ne.jp dst= original_name=
application= sid=89017273 malware-note= objurl= mwurl= profile= dmac=00:19:d1:fd:a2:52 product=Web MPS
sname=Trojan.Win32.Dogrobot.gen.E fileHash= dvchost=tikka occurred=2016-07-19 07:37:13+00 release=7.9.0.476843
link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id=1999 cncport=53 src=xxx.xxx.xxx.xxx dpt=
anomaly= dvc=xxx.xxx.xxx.xxx channel= action=notified os= stype=blacklist
Event: malware-callback
CSV Notification Message:
Jul 19 00:30:03 xxx.xxx.xxx.xxx fenotify-2000.warning: CSV:0:FireEye:Web MPS:7.9.0.476843:MC:malware-callback
osinfo= sev=crit malware_type= alertid=2000 app= spt=1176 locations=US/CA/Rancho Cordova smac=92:73:75:00:00:35
header= cnchost=xxx.xxx.xxx.xxx alertType=malware-callback shost=119-168-188-108.rev.home.ne.jp
dst=xxx.xxx.xxx.xxx original_name= application= sid=89042535 malware-note= objurl= mwurl= profile=
dmac=00:19:d1:fd:a2:52 product=Web MPS sname=Trojan.Downloader.Delf.UD fileHash= dvchost=tikka occurred=2016-
07-19 07:37:13+00 release=7.9.0.476843 link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_
id=2000 cncport=80 src=xxx.xxx.xxx.xxx dpt=80 anomaly= dvc=xxx.xxx.xxx.xxx channel=GET /newad.exe
HTTP/1.1::~~Accept: */*::~~Accept-Encoding: gzip deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1)::~~Host: the.microgood.net::~~Connection: Keep-Alive::~~::~~ action=notified os=
stype=bot-command
Event: web-infection
CSV Notification Message:
Jul 19 02:06:57 xxx.xxx.xxx.xxx fenotify-627.warning: CSV:0:FireEye:Web MPS:7.9.0.476843:WI:web-infection
osinfo=Microsoft WindowsXP 32-bit 5.1 sp3 15.1218 sev=majr malware_type= alertid=627 app=InternetExplorer 8.0
spt=1057 locations= smac=d6:96:0a:84:24:15 header= cnchost=google.com alertType=web-infection shost= dst=
original_name= application= sid= malware-note= objurl=zorosro.cf/index.html mwurl= profile= dmac= product=Web
MPS sname=Exploit.Browser;Exploit.Dropper.url.MVX;HTML.Infector.Ramnit fileHash= dvchost=tikka occurred=2016-
07-19 09:13:48+00 release=7.9.0.476843 link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?inc_
id=627 cncport=80 src=xxx.xxx.xxx.xxx dpt=80 anomaly=98304 dvc=xxx.xxx.xxx.xxx channel= action=notified
os=Microsoft WindowsXP 32-bit 5.1 sp3 15.1218 stype=24
Event: ips-event
CSV Notification Message:
07-19-2016 11:50:34 Local4.Critical xxx.xxx.xxx.xxx fenotify-118890.crit: CSV:0:FireEye:Web
MPS:7.9.0.480292:IE:ips-event,id=118890,occurred=2016-07-
19T06:19:48Z,src=xxx.xxx.xxx.xxx,spt=80,smac=00:1b:78:75:79:68,dst=xxx.xxx.xxx.xxx,dpt=2415,dmac=00:0c:29:96:b8
:5f,sev=majr,sigId=85304723,sigrevision=14,matchcount=1,signame=Apple QuickTime TeXML textBox Element Memory
Corruption,cve_id=CVE-2013-1015,action_taken=notified,attack_
mode=client,url=https://xxx.xxx.xxx.xxx/notification_url/ips_events?ev_id=118890&lms_iden=0CC47A31F77E,mvx_
status=N/A
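Parsing the CSV-format samples above into records a SIEM pipeline can index, as an added example; this is not code from the manual or from FireEye. It assumes the header layout the manual gives (CSV:0:FireEye:product:release:type:name) and the extension keys it lists, and it handles both the space-separated extension of the domain-match, malware-callback and web-infection samples and the comma-separated extension of the ips-event sample. The three sample lines are constructed from the manual's examples, trimmed to one line each.

```python
"""Parse FireEye CSV-format alert notifications into dicts a SIEM pipeline can index.

Added example, not code from the FireEye manual or product. It assumes the header
layout the manual shows ('CSV:0:FireEye:<product>:<release>:<type>:<name>') and
that the extension is either space-separated key=value pairs (domain-match,
malware-callback and web-infection samples) or, as in the ips-event sample,
comma-separated pairs. Values may contain spaces ('product=Web MPS', the channel=
request dump), so the space-separated form is split on the extension keys the
manual lists rather than on whitespace. The sample lines are constructed from the
manual's examples, trimmed to one line each.
"""
import re

# Extension keys the manual lists for CSV messages (space-separated form).
KNOWN_KEYS = (
    "osinfo sev malware_type alertid app spt locations smac header cnchost alertType "
    "shost dst original_name application sid malware-note objurl mwurl profile dmac "
    "product sname fileHash dvchost occurred release link cncport src dpt anomaly dvc "
    "channel action os stype"
).split()

# A key counts only at the start of the extension or after whitespace, so text inside
# a value (e.g. 'Host:' in a channel dump) is not mistaken for a new field. The
# trailing '=' keeps 'dvc' from matching inside 'dvchost='; longest-first is a precaution.
_KEY_RE = re.compile(
    r"(?:^|(?<=\s))("
    + "|".join(re.escape(k) for k in sorted(KNOWN_KEYS, key=len, reverse=True))
    + r")="
)

# The syslog prefix differs between samples, so anchor on 'fenotify-' and 'CSV:'.
_HEADER_RE = re.compile(
    r"fenotify-(?P<notify_id>\d+)\.(?P<level>\w+): "
    r"CSV:(?P<csv_version>\d+):FireEye:(?P<product>[^:]+):(?P<release>[^:]+):"
    r"(?P<event_type>[^:]+):(?P<event_name>[^\s,]+)(?P<ext>.*)$",
    re.S,
)

# Constructed sample input, derived from the manual's samples (IPs left redacted).
DOMAIN_MATCH = (
    "Jul 19 00:30:12 xxx.xxx.xxx.xxx fenotify-1999.warning: "
    "CSV:0:FireEye:Web MPS:7.9.0.476843:DM:domain-match osinfo= sev=minr alertid=1999 "
    "app= spt=1025 smac=92:73:75:00:00:35 cnchost=the.microgood.net alertType=domain-match "
    "shost=119-168-188-108.rev.home.ne.jp sid=89017273 dmac=00:19:d1:fd:a2:52 product=Web MPS "
    "sname=Trojan.Win32.Dogrobot.gen.E dvchost=tikka occurred=2016-07-19 07:37:13+00 "
    "release=7.9.0.476843 cncport=53 src=xxx.xxx.xxx.xxx dpt= channel= action=notified "
    "os= stype=blacklist"
)
MALWARE_CALLBACK = (
    "Jul 19 00:30:03 xxx.xxx.xxx.xxx fenotify-2000.warning: "
    "CSV:0:FireEye:Web MPS:7.9.0.476843:MC:malware-callback osinfo= sev=crit alertid=2000 "
    "spt=1176 locations=US/CA/Rancho Cordova cnchost=xxx.xxx.xxx.xxx alertType=malware-callback "
    "dst=xxx.xxx.xxx.xxx product=Web MPS sname=Trojan.Downloader.Delf.UD cncport=80 "
    "src=xxx.xxx.xxx.xxx dpt=80 channel=GET /newad.exe HTTP/1.1::~~Accept: */*::~~"
    "Accept-Encoding: gzip deflate::~~User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; "
    "Windows NT 5.1; SV1)::~~Host: the.microgood.net::~~Connection: Keep-Alive::~~::~~ "
    "action=notified os= stype=bot-command"
)
IPS_EVENT = (
    "07-19-2016 11:50:34 Local4.Critical xxx.xxx.xxx.xxx fenotify-118890.crit: "
    "CSV:0:FireEye:Web MPS:7.9.0.480292:IE:ips-event,id=118890,occurred=2016-07-19T06:19:48Z,"
    "src=xxx.xxx.xxx.xxx,spt=80,smac=00:1b:78:75:79:68,dst=xxx.xxx.xxx.xxx,dpt=2415,"
    "dmac=00:0c:29:96:b8:5f,sev=majr,sigId=85304723,sigrevision=14,matchcount=1,"
    "signame=Apple QuickTime TeXML textBox Element Memory Corruption,cve_id=CVE-2013-1015,"
    "action_taken=notified,attack_mode=client,"
    "url=https://xxx.xxx.xxx.xxx/notification_url/ips_events?ev_id=118890&lms_iden=0CC47A31F77E,"
    "mvx_status=N/A"
)


def parse_extension(ext: str) -> dict:
    """Split the extension into a dict; empty values such as 'osinfo=' are kept as ''."""
    ext = ext.strip()
    if ext.startswith(","):  # ips-event form: ',k=v,k=v,...' (values contain no commas)
        return {k: v for k, _, v in (item.partition("=") for item in ext[1:].split(","))}
    matches = list(_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = ext[m.end():end].strip()
    return out


def parse_notification(line: str) -> dict:
    """Return the header fields plus the parsed extension under 'ext'."""
    m = _HEADER_RE.search(line)
    if m is None:
        raise ValueError("not a FireEye CSV notification: %r" % line[:60])
    rec = m.groupdict()
    rec["ext"] = parse_extension(rec.pop("ext"))
    return rec


def decode_channel(value: str) -> list:
    """Turn the '::~~'-joined request dump back into one header line per entry."""
    return [part for part in value.split("::~~") if part]


def callback_indicator(rec: dict):
    """(host, port) of the C2 service for callback/domain-match records, else None."""
    ext = rec["ext"]
    return (ext["cnchost"], ext.get("cncport", "")) if ext.get("cnchost") else None
```

The space-separated extension is split on known key names because values such as product=Web MPS and the channel= request dump contain spaces; a value that itself contained whitespace followed by a known key name and an equals sign would be cut short, which is the first thing to check if a field looks truncated. decode_channel reverses the ::~~ separator shown in the malware-callback sample, giving one header line per entry, which is the form to index if you want to match on the User-Agent or Host of a callback.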
The following table provides definitions for each extension field key in a CSV message.
The event types “binary-analysis” (BA) and “malware-analysis-done” (MW) are relevant only for FireEye Releases 5.X/6.0.
The other event types are relevant for all releases and/or Release 6.1.0 and 6.2.0 and they are defined as follows:
MC (malware-callback), WI (web-infection), IM (infection-match), DM (domain-match), MO (malware-object).
The Z character at the end of a time stamp indicates that the time displayed is in the UTC time zone. Starting in the 7.0.0
release, the time is displayed in UTC by default. To change the displayed time to your local time, use the following CLI
command: fenotify default timezone localtime
Ext. Field Key | Description | Products | Event Type | Data Type | Release
filehash=3174990d783f4a1bd5e99db60176b920
dvchost=dave
dvc=xxx.xxx.xxx.xxx
alertid=218799
app=Firefox 4.0.0
dst=xxx.xxx.xxx.xxx
dst=20
anomaly=misc-anomaly, datatheft-anomaly
Ext. Field Key: objurl=
Description: The objurl element provides details about the detected malware URL.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String (1023 characters)
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Ext. Field Key: link=
Description: link represents the local path or URL of the malware object (local to the detecting appliance). For example: link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id=1999
Products: NX, AX, FX, EX, CM
Event Type: BA, WI, MC, IM, DM, MO, MW, RC, RO
Data Type: String (1023 characters)
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Ext. Field Key: protocol=
Description: protocol represents the transport protocol detected by the FireEye appliance MVX. For example: protocol=8
Products: EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: Integer. Valid values are 8 (URL), 9 (attachment), and 10 (header).
Release: 6.x, 7.x
Ext. Field Key: subject=
Description: subject represents the SMTP email message subject line on the infected email. For example: Subject: noti-test User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain;
Products: EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String (1023 characters)
Release: 6.x, 7.x

Ext. Field Key: date=
Description: Date when the alert was found. For example: date=Wed, 27 Jul 2016 12:28:33 -0700
Products: EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: Time stamp in the following format: yyyy-mm-ddTHH:mm
Release: 6.x, 7.x
Ext. Field Key: last-malware=
Description: last-malware represents the name associated with the last malicious email infection. For example: last-malware=TestFire.exe
Products: EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String (1023 characters)
Release: 6.x, 7.x
Ext. Field Key: smtp-header=
Description: smtp-header provides the SMTP email message header (including any configured X-header) of the infected email. For example:
smtp-header=Received: from ghost.localdomain (unknown [xxx.xx.xx.x]) #011by superman.eng.fireeye.com (Postfix) with ESMTP id 3s04m14LGsz7LSW3 #011for <[email protected]>; Wed, 27 Jul 2016 19:28:33 +0000 (UTC) Received: by ghost.localdomain (Postfix, from userid 0) #011id 876A213C0320; Wed, 27 Jul 2016 12:28:33 -0700 (PDT) Date: Wed, 27 Jul 2016 12:28:33 -0700 To: [email protected] Subject: noti-test User-Agent: Heirloom mailx 12.4 7/29/08 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <[email protected]> From: [email protected] (root)
Products: EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String (1023 characters)
Release: 6.x, 7.x
The following section provides XML notification examples for each infection type. Additional sections describe each element and sub-element
provided by XML notification messages. The XML format is defined in XML Notifications Schema on the next page, XML Schema
for OS Changes—Macintosh on page 291, and XML Schema for OS Changes—Windows on page 216.
If you are sending alert notifications in XML or JSON to an rsyslog server using the extended output option, the size of the alert
notification is likely to exceed the 4K UDP limit. To avoid this limit, use TCP as the transport layer instead of UDP.
</xs:complexType>
</xs:element>
<xs:element name="field">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="name" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="src">
<xs:complexType>
<xs:all maxOccurs="1" minOccurs="0">
<xs:element ref="ip" minOccurs="0"/>
<xs:element ref="mac" minOccurs="0"/>
<xs:element minOccurs="0" name="host" type="xs:string"/>
<xs:element minOccurs="0" name="port" type="xs:integer"/>
<xs:element maxOccurs="1" minOccurs="0" name="domain" type="xs:string"/>
<xs:element minOccurs="0" name="smtp-mail-from" type="xs:string"/>
<xs:element minOccurs="0" name="repository" type="xs:anyURI"/>
<xs:element minOccurs="0" ref="url"/>
<xs:element name="proxy" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="vlan" use="optional" type="xs:integer"/>
</xs:complexType>
</xs:element>
<xs:element name="ip" type="xs:string"/>
<xs:element name="mac" type="xs:string"/>
<xs:element name="alert-url" type="xs:anyURI"/>
<xs:element name="action" type="xs:string"/>
<xs:element name="locations" type="xs:string"/>
<xs:element name="static">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="version" type="xs:string"/>
<xs:attribute name="tool" type="xs:string" form="unqualified" use="required"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:simpleType name="AlertType">
<xs:restriction base="xs:string">
<xs:enumeration value="malware-callback"/>
<xs:enumeration value="domain-match"/>
<xs:enumeration value="infection-match"/>
<xs:enumeration value="web-infection"/>
<xs:enumeration value="malware-object"/>
<xs:enumeration value="ips-event"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="feDateTime">
<xs:restriction base="xs:dateTime">
<xs:whiteSpace value="collapse"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ProductType">
<xs:restriction base="xs:string">
<xs:enumeration value="Web MPS"/>
<xs:enumeration value="Email MPS"/>
<xs:enumeration value="File MPS"/>
<xs:enumeration value="MAS"/>
<xs:enumeration value="CMS"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="AlertSeverity">
<xs:restriction base="xs:string">
<xs:enumeration value="crit"/>
<xs:enumeration value="majr"/>
<xs:enumeration value="minr"/>
<xs:enumeration value="unkn"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="AnalysisType">
<xs:restriction base="xs:string">
<xs:enumeration value="replay"/>
<xs:enumeration value="malware"/>
<xs:enumeration value="direct"/>
<xs:enumeration value="binary"/>
<xs:enumeration value="content"/>
<xs:enumeration value="none"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="InterfaceLabel">
<xs:restriction base="xs:string">
<xs:enumeration value="A"/>
<xs:enumeration value="B"/>
<xs:enumeration value="A1"/>
<xs:enumeration value="B1"/>
<xs:enumeration value="A2"/>
<xs:enumeration value="B2"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="InterfaceMode">
<xs:restriction base="xs:string">
<xs:enumeration value="inline"/>
<xs:enumeration value="tap"/>
</xs:restriction>
</xs:simpleType>
</xs:schema>
The XML message elements and attributes set by the schema are specified in XPath notation and described in XML Path (XPath)
Element and Attribute Definitions on page 131.
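Reading the elements that the XPath definitions list out of a notification document, as an added example; this is not the manual's or FireEye's code. It assumes only what the schema and samples on this page declare: the default namespace http://www.fireeye.com/alert/2014/AlertSchema, the alerts/alert nesting, and the element names used there (explanation, malware-detected, cnc-services, src, dst, occurred, alert-url, action). The sample document is constructed from the manual's domain-match example, with the IP left redacted as in the manual, and the 4096-byte check corresponds to the 4K UDP limit mentioned in the introduction to this section.

```python
"""Extract the indexable fields from a FireEye XML alert notification.

Added example, not code from the FireEye manual or product. Assumptions: the
default namespace and element names are those the manual's schema and samples
declare; the sample document below is constructed from the manual's domain-match
example (IP redacted as in the manual).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"fe": "http://www.fireeye.com/alert/2014/AlertSchema"}
UDP_SYSLOG_LIMIT = 4096  # the 4K UDP limit the manual warns about for XML/JSON output

SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<alerts appliance="tikka.mrl.fireeye.com" appliance-id="0CC47A12279C" msg="extended" product="Web MPS"
version="7.9.0.476843" xmlns="http://www.fireeye.com/alert/2014/AlertSchema">
<alert id="1999" name="domain-match" severity="minr">
<explanation analysis="content" protocol="udp">
<malware-detected>
<malware name="Trojan.Win32.Dogrobot.gen.E" sid="89017273" stype="blacklist"/>
</malware-detected>
<cnc-services>
<cnc-service port="53" protocol="udp">
<address>the.microgood.net</address>
</cnc-service>
</cnc-services>
</explanation>
<src vlan="0">
<ip>xxx.xxx.xxx.xxx</ip>
<host>119-168-188-108.rev.home.ne.jp</host>
<port>1025</port>
<mac>92:73:75:00:00:35</mac>
</src>
<dst>
<mac>00:19:d1:fd:a2:52</mac>
</dst>
<occurred>2016-07-19T07:37:13Z</occurred>
<interface label="A1" mode="tap">pether3</interface>
<alert-url>https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id=1999</alert-url>
<action>notified</action>
</alert>
</alerts>
"""


def _text(elem, path):
    """Stripped text of the first child matching the namespaced path, '' if absent."""
    found = elem.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def parse_alerts(xml_bytes: bytes) -> list:
    """One flat dict per <alert>; repeatable malware/cnc entries become lists."""
    root = ET.fromstring(xml_bytes)
    records = []
    for alert in root.findall("fe:alert", NS):
        explanation = alert.find("fe:explanation", NS)
        records.append({
            "appliance": root.get("appliance"),
            "product": root.get("product"),
            "msg_format": root.get("msg"),  # concise / normal / extended
            "alert_id": alert.get("id"),
            "name": alert.get("name"),
            "severity": alert.get("severity"),
            "analysis": explanation.get("analysis") if explanation is not None else None,
            "malware": [
                {"name": m.get("name"), "sid": m.get("sid"), "stype": m.get("stype")}
                for m in alert.findall("fe:explanation/fe:malware-detected/fe:malware", NS)
            ],
            "cnc": [
                {"address": _text(c, "fe:address"), "port": c.get("port"), "protocol": c.get("protocol")}
                for c in alert.findall("fe:explanation/fe:cnc-services/fe:cnc-service", NS)
            ],
            "src_ip": _text(alert, "fe:src/fe:ip"),
            "src_host": _text(alert, "fe:src/fe:host"),
            "src_port": _text(alert, "fe:src/fe:port"),
            "src_mac": _text(alert, "fe:src/fe:mac"),
            "dst_mac": _text(alert, "fe:dst/fe:mac"),
            "occurred": _text(alert, "fe:occurred"),
            "alert_url": _text(alert, "fe:alert-url"),
            "action": _text(alert, "fe:action"),
        })
    return records


def occurred_utc(record: dict) -> datetime:
    """Parse the Z-suffixed time stamp as an aware UTC datetime (UTC is the default since 7.0.0)."""
    return datetime.strptime(record["occurred"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def exceeds_udp_limit(xml_bytes: bytes) -> bool:
    """True when the serialized notification would not fit in one 4K UDP syslog datagram."""
    return len(xml_bytes) > UDP_SYSLOG_LIMIT
```

ElementTree needs the namespace prefix on every step of the path because the samples declare a default namespace. The ips-event and riskware samples on this page print a bare & inside alert-url; a conforming XML parser rejects that unless it is escaped as &amp;, so a parse error on an otherwise well-formed message is the first thing to check there. exceeds_udp_limit is the check to run on extended-format output before deciding whether UDP transport is viable.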
<alert-url>https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id=2000</alert-url>
<action>notified</action>
</alert>
</alerts>
HTTP/1.1 200 OK
Date: Fri, 22 May 2015 08:43:24 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Thu, 03 Jul 2014 10:38:21 GMT
ETag: "4635838-6b8f-4fd479b8c2140"
Accept-Ranges: bytes
Content-Length: 27535
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/rtf</http-header>
<profile>win7-sp1m</profile>
<executed-at>2016-07-19T08:57:23Z</executed-at>
<application>Multiple MS Word X</application>
</malware>
</malware-detected>
</explanation>
<src vlan="0">
<ip>xxx.xxx.xxx.xxx</ip>
<port>1984</port>
<mac>08:00:27:c1:7f:5a</mac>
</src>
<dst>
<ip>xxx.xxx.xxx.xxx</ip>
<mac>52:54:00:12:35:02</mac>
<port>80</port>
</dst>
<occurred>2016-07-19T08:57:23Z</occurred>
<interface mode="tap"></interface>
<alert-url>https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ma_id=432</alert-url>
<action>notified</action>
</alert>
</alerts>
<action>blocked</action>
</alert>
</alerts>
Event: web-infection
<?xml version="1.0" encoding="utf-8"?>
<alerts appliance="tikka.mrl.fireeye.com" appliance-id="0CC47A12279C" msg="concise" product="Web MPS"
version="7.9.0.476843" xmlns="http://www.fireeye.com/alert/2014/AlertSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.fireeye.com/alert/2014/AlertSchema FireEyeAlert.xsd">
<alert class="IPS" id="627" name="web-infection" severity="majr">
<explanation>
<malware-detected>
<malware name="Exploit.Dropper.url.MVX"/>
</malware-detected>
</explanation>
<src vlan="0">
<ip>xxx.xxx.xxx.xxx</ip>
</src>
<occurred>2016-07-19T09:13:48Z</occurred>
<alert-url>https://tikka.mrl.fireeye.com/event_stream/events_for_bot?inc_id=627</alert-url>
<action>notified</action>
</alert>
</alerts>
Event: domain-match
<?xml version="1.0" encoding="utf-8"?>
<alerts appliance="tikka.mrl.fireeye.com" appliance-id="0CC47A12279C" msg="extended" product="Web MPS"
version="7.9.0.476843" xmlns="http://www.fireeye.com/alert/2014/AlertSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.fireeye.com/alert/2014/AlertSchema FireEyeAlert.xsd">
<alert id="1999" name="domain-match" severity="minr">
<explanation analysis="content" protocol="udp">
<malware-detected>
<malware name="Trojan.Win32.Dgrobot.gen.E" sid="89017273" stype="blacklist"/>
</malware-detected>
<cnc-services>
<cnc-service port="53" protocol="udp">
<address>the.microgood.net</address>
</cnc-service>
</cnc-services>
</explanation>
<src vlan="0">
<ip>xxx.xxx.xxx.xxx</ip>
<host>119-168-188-108.rev.home.ne.jp</host>
<port>1025</port>
<mac>92:73:75:00:00:35</mac>
</src>
<dst>
<mac>00:19:d1:fd:a2:52</mac>
</dst>
<occurred>2016-07-19T07:37:13Z</occurred>
<interface label="A1" mode="tap">pether3</interface>
<alert-url>https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id=1999</alert-url>
<action>notified</action>
</alert>
</alerts>
Event: ips-event
<?xml version="1.0" encoding="UTF-8"?>
<alerts appliance="nx-7400-142.eng.fireeye.com" appliance-id="0CC47A31F77E" msg="extended" product="Web MPS"
version="7.9.0.480292" xmlns="http://www.fireeye.com/alert/2014/AlertSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.fireeye.com/alert/2014/AlertSchema FireEyeAlert.xsd">
<alert id="118892" name="ips-event" severity="crit" class="IPS">
<explanation>
<ips-detected>
<ips-event>
<sig-id>85303600</sig-id>
<sig-revision>9</sig-revision>
<sig-name>McAfee ePolicy Orchestrator Framework Services HTTP Buffer Overflow</sig-name>
<match-count>1</match-count>
<cve-id></cve-id>
<action-taken>may be blocked in future by the default policy</action-taken>
<attack-mode>server</attack-mode>
<mvx-status>N/A</mvx-status>
</ips-event>
</ips-detected>
</explanation>
<src vlan="0">
<ip>xxx.xxx.xxx.xxx</ip>
<port>52686</port>
<mac>00:0e:a6:97:0b:bc</mac>
</src>
<dst>
<ip>xxx.xxx.xxx.xxx</ip>
<port>8081</port>
<mac>00:0c:29:93:aa:97</mac>
</dst>
<occurred>2016-07-19T06:40:11Z</occurred>
<interface label="B2" mode="tap">pether6</interface>
<alert-url>https://xxx.xxx.xxx.xxx/notification_url/ips_events?ev_id=118892&lms_iden=0CC47A31F77E</alert-url>
<action>notified</action>
</alert>
</alerts>
Event: riskware-callback
<alerts appliance="axhwmps.eng.fireeye.com" appliance-id="0025908673D0" msg="normal" product="Web MPS"
version="7.9.0.517470" xmlns="http://www.fireeye.com/alert/2014/AlertSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.fireeye.com/alert/2014/AlertSchema FireEyeAlert.xsd">
<alert id="14863" name="riskware-callback" severity="minr" class="RISKWARE">
<explanation analysis="content" protocol="tcp">
<malware-detected>
<malware name="Adware.SoftPulse" malicious="no" type="">
<url>http://stan.mxp2142.com/__dmp__/</url>
<downloaded-at>2016-08-13T04:29:51Z</downloaded-at>
<executed-at>2016-08-13T04:29:51Z</executed-at>
</malware>
</malware-detected>
<cnc-services>
<cnc-service port="80" protocol="tcp">
<address>stan.mxp2142.com</address>
<channel>POST /__dmp__/ HTTP/1.1::~~User-Agent: session::~~Host: stan.mxp2142.com::~~Content-Length:
925::~~Cache-Control: no-cache::~~::~~</channel>
</cnc-service>
</cnc-services>
</explanation>
<src vlan="0">
<ip>2011::1:6d0d:c391</ip>
<port>1077</port>
<mac>00:20:18:11:01:43</mac>
</src>
<dst>
<ip>2011::1:2085:c506</ip>
<port>80</port>
<mac>00:01:6c:a9:2f:27</mac>
</dst>
<occurred>2016-08-13T04:29:51Z</occurred>
<alert-url>https://axhwmps.eng.fireeye.com/notification_url/riskware?ev_id=610&inf_id=14863&inf_type=Riskware%20Callback</alert-url>
<action>notified</action>
</alert>
</alerts>
Event: riskware-object
<alerts appliance="axhwmps.eng.fireeye.com" appliance-id="0025908673D0" msg="normal" product="Web MPS"
version="7.9.0.517470" xmlns="http://www.fireeye.com/alert/2014/AlertSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.fireeye.com/alert/2014/AlertSchema FireEyeAlert.xsd">
<alert id="1966" name="riskware-object" severity="minr" class="RISKWARE">
<explanation analysis="binary" protocol="tcp">
<malware-detected>
<malware name="PUP.Generic.MVX" malicious="no" type="exe">
<url>xxx.xxx.xxx.xxx/4e3abdb86d76859a2595766512743196</url>
<downloaded-at>2016-08-10T03:29:53Z</downloaded-at>
<md5sum>4e3abdb86d76859a2595766512743196</md5sum>
<sha256>911c7379ac995628da64606a0726305d961c64be6e5a1a1421081cde1884f370</sha256>
<http-header>GET /4e3abdb86d76859a2595766512743196 HTTP/1.0::~~User-Agent: Wget/1.12 (linux-
gnu)::~~Accept: */*::~~Host: xxx.xxx.xxx.xxx::~~Connection: Keep-Alive::~~HTTP/1.1 200 OK::~~Date: Wed, 30 Sep
2015 16:01:03 GMT::~~Server: Apache/2.2.15 (CentOS)::~~Last-Modified: Tue, 29 Sep 2015 22:18:09 GMT::~~ETag:
"1940777-a390a-520ea305bb73d"::~~Accept-Ranges: bytes::~~Content-Length: 669962::~~Connection:
close::~~Content-Type: text/plain; charset=UTF-8::~~</http-header>
<executed-at>2016-08-10T03:29:54Z</executed-at>
</malware>
</malware-detected>
</explanation>
<src vlan="0">
<ip>2011::1:1a6c:8246</ip>
<port>37644</port>
<mac>10:60:4b:a9:b4:06</mac>
</src>
<dst>
<ip>2011::1:5406:6cdd</ip>
<port>80</port>
<mac>10:60:4b:a9:86:1a</mac>
</dst>
<occurred>2016-08-10T03:29:54Z</occurred>
<alert-url>https://axhwmps.eng.fireeye.com/notification_url/riskware?ev_id=66&inf_id=1966&inf_type=Riskware%20Callback</alert-url>
<action>notified</action>
</alert>
</alerts>
The Z character at the end of a time stamp indicates that the time displayed is in the UTC time zone. Starting in the 7.0.0
release, the time is displayed in UTC by default. To change the displayed time to your local time, use the following CLI
command: fenotify default timezone localtime
Element Name | Description | Products | Event Type | Data Type | Release
Element Name: alerts
Description: alerts represents the topmost element NAME in the notification XPath. For example (not applicable for release 6.0; same for releases 6.1 and later):
<alerts appliance="2001:470:84a7:1720:2e0:81ff:fe4f:ac03" product="Web MPS" version="6.2.0.75853"
...
<alert id="29129" name="malware-object" severity="majr">
<explanation analysis="content" protocol="">
<malware-detected>
<malware name="Trojan.Downloader" stype="av-match"/>
<malware name="VirTool.Win32.DelfInject.gen.AA" sid="89016770;" stype="vm-bot-coand;av-match" type="exe">...
<alert severity="minr" name="domain-match" id="918">
<explanation protocol="udp" analysis="binary">
<malware-detected>
<malware name="InfoStealer.Banker.Zbot.DNS" stype="blacklist" sid="80440378"/>
</malware-detected>
<cnc-services>
<cnc-service protocol="udp" port="53">
<address>elesssnet.net</address>
</cnc-service>
</cnc-services>
</explanation>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: (See more examples in XML Notification Examples per Infection Type on page 122.)
l /appliance
l /appliance-id
l /product
l /version
l /msg
l /alert/id
l /alert/name
l /alert/severity
l /alert/src/vlan
l /alert/smtp-message/id
l /alert/interface/label
l /alert/interface/mode
l /alert/explanation/analysis
l /alert/explanation/protocol
l /alert/explanation/urls
l /alert/explanation/malware-detected/malware/content
l /alert/explanation/malware-detected/malware/name
l /alert/explanation/malware-detected/malware/scan
l /alert/explanation/malware-detected/malware/sid
l /alert/explanation/malware-detected/malware/type
l /alert/explanation/malware-detected/malware/stype
l /alert/explanation/malware-detected/malware/archives
l /alert/explanation/malware-detected/malware/parent
l /alert/explanation/malware-detected/malware/origid
l /alert/explanation/malware-detected/malware/malicious
l /alert/explanation/stolen_data/event_id
l /alert/explanation/stolen_data/size
l /alert/explanation/stolen_data/info/decrypted
l /alert/explanation/stolen_data/info/encryption
l /alert/explanation/stolen_data/info/type
l /alert/explanation/stolen_data/info/field/name
l /alert/explanation/cnc-services/cnc-service/port
l /alert/explanation/cnc-services/cnc-service/protocol
l /alert/explanation/os-changes/osinfo
l /alert/explanation/os-changes/id
l /alert/explanation/os-changes/version
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Element Name: alerts/alert
Description: alert represents the element REF= in the notification XPath. For example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="content" protocol="udp">
<malware-detected>
<malware name="Bot.Mariposa.DNS" sid="80442827" stype="blacklist"/>
</malware-detected>
<cnc-services>
<cnc-service port="53" protocol="udp">
<address>nx.51ylb.cn</address>
</cnc-service>
</cnc-services>
</explanation>
<src vlan="0">
<ip>118.125.102.68</ip>
<port>1025</port>
<mac>42:54:11:11:01:35</mac>
</src>
<dst>
<mac>00:19:d1:fd:a2:52</mac>
</dst>
<occurred>2014-06-27 02:30:12+00</occurred>
<alert-url>https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ev_id=476&lms_iden=00:25:90:86:73:D0</alert-url>
<action>notified</action>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: "/alert" is the secondary level element of each notification message. It may include at least one of the following sub-elements (see more examples in XML Notification Examples per Infection Type on page 122):
l /src
l /explanation
l /alert-url
l /action
l /locations
l /occurred
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Element Name: alerts/alert/src
Description: src represents the element REF for the infected host. The source is either an email address or an IP address. The source IP address is that of the victim of the infection, not the origin of the malware. For example (not applicable for release 6.0; same for releases 6.1 and later):
<src>
<ip>128.12.191.101</ip>
<port>62918</port>
<mac>00:1b:63:9c:52:95</mac>
</src>
or
<src>
<domain>automation.local</domain>
<smtp-mail-from>fqpuqiryllcubz-[email protected]</smtp-mail-from>
<url>/analysis/3fYy54121kz389Qc-0-Email-68684_54dc08ace6293de5fef23a4a8d492bd5</url>
</src>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following sub-elements or attributes in the notification:
l /alerts/alert/src
l /alerts/alert/src/vlan
l /alerts/alert/src/ip
l /alerts/alert/src/mac
l /alerts/alert/src/url
l /alerts/alert/src/host
l /alerts/alert/src/port
l /alerts/alert/src/domain
l /alerts/alert/src/smtp-mail-from
l /alerts/alert/src/repository
l /alerts/alert/src/proxy
These sub-elements and attributes are further described in other rows of this table.
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Element Name: alerts/alert/src/ip
Description: ip represents the IP address of the infected host. For example (not applicable for release 6.0; same for releases 6.1 and later):
<src vlan="0">
<ip>128.12.191.101</ip>
</src>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String. IPv4 or IPv6 address
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Element Name: alerts/alert/src/mac
Description: mac represents the MAC address of the infected host. For example (not applicable for release 6.0; same for releases 6.1 and later):
<src vlan="0">
<mac>00:1b:63:9c:52:95</mac>
</src>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: MAC Address. Six colon-separated hexadecimal numbers
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x

Element Name: alerts/alert/src/url
Description: url represents the URL associated with the malware. For example (not applicable for release 6.0; same for releases 6.1 and later):
<url>https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ma_id\=51056&lms_iden\=00:25:90:54:7E:6E cs1Label=sname cs1=Trojan.Generic</url>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: HTTP or HTTPS source URL of the malware.
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Element Name: alerts/alert/occurred
Description: occurred represents the date and time of the malware infection. For example (not applicable for release 6.0; same for releases 6.1 and later):
<occurred>2012-10-11T20:09:39Z</occurred>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: Time stamp. There are two formats:
l yyyy-mm-ddTHH:mm
l standard XML daytime format
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Element Name: alerts/alert/dst
Description: For EX Series appliances, dst represents the email destination of the targeted host. For NX Series appliances, dst represents the destination host targeted by the infected source host. For example, for an EX Series appliance (not applicable for release 6.0; same for releases 6.1 and later):
<dst><ip>xxx.xxx.xxx.xxx</ip><mac>00:10:db:ff:20:80</mac><port>80</port></dst>
For example, for an NX Series appliance (not applicable for release 6.0; same for releases 6.1 and later):
<dst><ip>xxx.xxx.xxx.xxx</ip><mac>00:09:0f:e2:a6:31</mac><port>80</port></dst>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following sub-elements in the notification:
l alerts/alert/dst/mac
l alerts/alert/dst/port
l alerts/alert/dst/ip
l alerts/alert/dst/smtp-to
l alerts/alert/dst/smtp-cc
These sub-elements are described further in other rows of this table.
Release: 6.x, 7.x
Element Name: alerts/alert/dst/mac
Description: mac represents the MAC address of the attacker host. For example (not applicable for release 6.0; same for releases 6.1 and later):
<dst>
<mac>00:10:db:ff:20:80</mac>
</dst>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: MAC Address. Six colon-separated hexadecimal numbers
Release: 6.x, 7.x
Element Name: alerts/alert/dst/ip
Description: ip represents the IP address of the attacker host. For example (not applicable for release 6.0; same for releases 6.1 and later):
<dst><ip>xxx.xx.xxx.xxx</ip></dst>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: The <ip> element value is a 16-byte integer IPv4 address
Release: 6.x, 7.x
</smtp-message>
Element Name: alerts/alert/explanation
Description: The explanation element provides supporting details about the MVX analysis and detected malware. For example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="content" protocol="">
<malware-detected>
<malware name="Trojan.Downloader" stype="av-match"/>
<malware name="VirTool.Win32.DelfInject.gen.AA" sid="89016770;" stype="vm-bot-coand;av-match" type="exe">
<downloaded-at>2012-10-10T04:06:35Z</downloaded-at>
<md5sum>4c40057a9b2412e61472154d66df4c0d</md5sum>
<original>load.exe</original>
<http-header>
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following attributes in the notification:
l alerts/alert/explanation/analysis
l alerts/alert/explanation/protocol
l alerts/alert/explanation/urls
l alerts/alert/explanation/service
l alerts/alert/explanation/anomaly
l alerts/alert/explanation/target-application
l alerts/alert/explanation/target-os
l alerts/alert/explanation/stolen_data
l alerts/alert/explanation/malware-detected/
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Element: alerts/alert/explanation/analysis
Description: The “explanation” element’s attribute analysis describes the type of analysis performed by the FireEye appliance MVX.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: The type of malware analysis model used, with the following possible values:
- none
- replay
- direct-entry
- malware
- binary-analysis
- content-analysis
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="content" protocol="">
  ...
</explanation>
Element: alerts/alert/explanation/urls
Description: The “explanation” element’s attribute urls represents the URLs detected by the FireEye appliance MVX.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: URLs that may have been involved in an infection.
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation urls=https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ma_id\=51056&lms_iden\=00:25:90:54:7E:6E cs1Label=sname cs1=Trojan.Generic>
  ...
</explanation>
Element: alerts/alert/explanation/anomaly
Description: The anomaly element defines the type of anomalous event detected by the FireEye appliance MVX.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: Available values for the type of anomaly detected:
- anomaly-tag
- datatheft
- keylogger
- misc-anomaly
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation>
  <anomaly>
    misc-anomaly
  </anomaly>
</explanation>
Element: alerts/alert/explanation/stolen_data
Description: The stolen-data element provides information about data stolen at the time of infection.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following attributes in the notification:
- alerts/alert/explanation/stolen_data/event_id
- alerts/alert/explanation/stolen_data/size
- alerts/alert/explanation/stolen_data/info/decrypted
- alerts/alert/explanation/stolen_data/info/encryption
- alerts/alert/explanation/stolen_data/info/type
- alerts/alert/explanation/stolen_data/info/description
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<stolen_data size="99">
  <info type="identity" encryption="RC4" decrypted="yes">
    <description>
      FireEye sample malware-callback data-theft plugin output for sid 2345
    </description>
    <severity>3</severity>
    <field name="service">
      https://www.fe-examples.com/samples/reporting/login
    </field>
    <field name="user">usr-abc</field>
    <field name="password">pass-yz</field>
  </info>
  <info type="identity" encryption="pki" decrypted="yes">
    <description>
      FireEye sample malware-callback data-theft plugin output for sid 2345
    </description>
    ...
Element: alerts/alert/explanation/stolen_data/size
Description: The size attribute represents the size of the stolen data in bytes.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String, 1023 characters
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation>
  <stolen-data size="107">
  </stolen-data>
</explanation>
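The stolen_data rows above describe the element, its info records and the size attribute, but not what a consumer should do with the field values, which can include live credentials. The following is an added example, not code from the FireEye documentation: it parses a stolen_data block with Python's standard library, redacts credential fields before the record is forwarded to a SIEM, and lists the (service, user) pairs for which a credential reset is needed. The sample notification is constructed from the fragment shown above; the second <info> record (the page's example is cut off there), the set of field names treated as secrets, and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the stolen_data fragment in the table above.
# The page's example is cut off after the second <info>; the second record
# here is filled in by hand (assumption) so the parser sees both a record
# carrying credentials and one that MVX could not decrypt.
SAMPLE_STOLEN_DATA = """<explanation analysis="content" protocol="">
  <stolen_data size="99">
    <info type="identity" encryption="RC4" decrypted="yes">
      <description>FireEye sample malware-callback data-theft plugin output for sid 2345</description>
      <severity>3</severity>
      <field name="service">https://www.fe-examples.com/samples/reporting/login</field>
      <field name="user">usr-abc</field>
      <field name="password">pass-yz</field>
    </info>
    <info type="identity" encryption="pki" decrypted="no">
      <description>FireEye sample malware-callback data-theft plugin output for sid 2345</description>
      <severity>2</severity>
    </info>
  </stolen_data>
</explanation>"""

# Field names treated as secrets (assumption; the page only shows "password").
SECRET_FIELD_NAMES = {"password", "passwd", "pass", "secret", "token", "cookie"}


def redact(value):
    """Replace a secret with a fixed-form marker that keeps only its length."""
    return "<redacted:%d chars>" % len(value)


def parse_stolen_data(xml_text):
    """Return the stolen_data block as a dict with secret fields redacted.

    Returns None when the explanation carries no stolen_data element.
    """
    root = ET.fromstring(xml_text)
    stolen = root.find("stolen_data")
    if stolen is None:
        return None
    parsed = {"size": int(stolen.get("size", "0")), "records": []}
    for info in stolen.findall("info"):
        record = {
            "type": info.get("type"),
            "encryption": info.get("encryption"),
            "decrypted": info.get("decrypted") == "yes",
            "severity": int(info.findtext("severity", default="0")),
            "description": (info.findtext("description") or "").strip(),
            "fields": {},
        }
        for field in info.findall("field"):
            name = field.get("name", "")
            value = (field.text or "").strip()
            if name.lower() in SECRET_FIELD_NAMES:
                value = redact(value)  # never forward the secret itself
            record["fields"][name] = value
        parsed["records"].append(record)
    return parsed


def credential_exposures(parsed):
    """(service, user) pairs whose secret MVX decrypted, i.e. accounts to reset."""
    exposures = []
    for record in parsed["records"]:
        fields = record["fields"]
        has_secret = any(name.lower() in SECRET_FIELD_NAMES for name in fields)
        if record["decrypted"] and has_secret and "user" in fields:
            exposures.append((fields.get("service", ""), fields["user"]))
    return exposures


def max_severity(parsed):
    """Highest per-record severity, 0 when there are no records."""
    return max((r["severity"] for r in parsed["records"]), default=0)


if __name__ == "__main__":
    data = parse_stolen_data(SAMPLE_STOLEN_DATA)
    print("declared size:", data["size"], "bytes; max severity:", max_severity(data))
    for service, user in credential_exposures(data):
        print("credential exposed:", user, "@", service)
```

The redaction happens at parse time so that no later stage (logging, ticketing, SIEM forwarding) ever sees the plaintext secret; the service and user name are enough for the reset workflow.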
Element: alerts/alert/explanation/malware-detected
Description: The malware-detected element provides details about detected malware.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following attributes in the notification:
- alerts/alert/explanation/malware-detected/malware
- alerts/alert/explanation/malware-detected/malware/content
- alerts/alert/explanation/malware-detected/malware/name
- alerts/alert/explanation/malware-detected/malware/scan
- alerts/alert/explanation/malware-detected/malware/sid
- alerts/alert/explanation/malware-detected/malware/type
- alerts/alert/explanation/malware-detected/malware/stype
- alerts/alert/explanation/malware-detected/malware/archives
- alerts/alert/explanation/malware-detected/malware/parent
- alerts/alert/explanation/malware-detected/malware/origid
- alerts/alert/explanation/malware-detected/malware/archive
- alerts/alert/explanation/malware-detected/malware/malicious
- alerts/alert/explanation/malware-detected/malware/note
- alerts/alert/explanation/malware-detected/malware/url
- alerts/alert/explanation/malware-detected/malware/profile
- alerts/alert/explanation/malware-detected/malware/md5sum
- alerts/alert/explanation/malware-detected/malware/application
- alerts/alert/explanation/malware-detected/malware/http-header
- alerts/alert/explanation/malware-detected/malware/domain
- alerts/alert/explanation/malware-detected/malware/user
- alerts/alert/explanation/malware-detected/malware/original
- alerts/alert/explanation/malware-detected/malware/downloaded-at
- alerts/alert/explanation/malware-detected/malware/executed-at
- alerts/alert/explanation/malware-detected/malware/objurl
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <malware-detected>
    <malware name="InfoStealer.Banker.Zbot.DNS" sid="80440378" stype="blacklist"/>
  </malware-detected>
</explanation>
Element: alerts/alert/explanation/malware-detected/malware
Description: The malware element uses attributes that define the detected malware.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following attributes in the notification:
- content
- name
- scan
- sid
- type
- stype
- archives
- parent
- origid
- malicious
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <malware-detected>
    <malware name="InfoStealer.Banker.Zbot.DNS" sid="80440378" stype="blacklist"/>
  </malware-detected>
</explanation>
Element: alerts/alert/explanation/malware-detected/malware/content
Description: The content attribute defines the content type of a URL associated with the detected malware.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: Content attribute options:
- mime
- text
- and so on...
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="content" protocol="">
  <malware-detected>
    <malware content="mime" name="Trojan.Downloader" stype="av-match"/>
    <malware name="VirTool.Win32.DelfInject.gen.AA" sid="89016770;" stype="vm-bot-coand;av-match" type="exe">
      <downloaded-at>2012-10-10T04:06:35Z</downloaded-at>
      <md5sum>4c40057a9b2412e61472154d66df4c0d</md5sum>
      <original>load.exe</original>
      <http-header>...
Element: alerts/alert/explanation/malware-detected/malware/type
Description: The type attribute specifies the file type of the detected malware.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: Possible values:
- exe
- pdf
- ppt
- doc
- docx
- and so on...
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <malware-detected>
    <malware name="InfoStealer.Banker.Zbot.DNS" sid="80440378" type="exe" stype="blacklist"/>
  </malware-detected>
</explanation>
Element: alerts/alert/explanation/malware-detected/malware/stype
Description: The stype attribute specifies the FireEye-assigned signature for the detected malware.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: Possible values: 'unknown', 'generated-content', 'fireeye-content', 'bot-coand', 'fqc', 'known-md5sum', 'duplicate-md5sum', 'av-match', 'vm-bot-coand', 'blacklist', 'yara', 'avs', 'archive', 'encoding', 'timestamp'
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <malware-detected>
    <malware name="InfoStealer.Banker.Zbot.DNS" sid="80440378" stype="blacklist"/>
  </malware-detected>
</explanation>
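The malware-detected, malware and stype rows above define the per-malware attributes, and the page's own samples show two details a consumer has to handle: sid may carry a trailing separator (sid="89016770;") and stype may hold several ';'-separated values (stype="vm-bot-coand;av-match"). The following is an added example, not code from the FireEye documentation: it parses the malware entries with Python's standard library, splits the multi-valued attributes, validates md5sum before using it as an indicator, and flags stype values outside the list documented above. The sample is constructed from the page's fragments; the third <malware> entry, with an undocumented stype and a malformed hash, is added to exercise the checks, and the helper names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# stype values from the table above, spelled as the page prints them.
KNOWN_STYPES = {
    "unknown", "generated-content", "fireeye-content", "bot-coand", "fqc",
    "known-md5sum", "duplicate-md5sum", "av-match", "vm-bot-coand", "blacklist",
    "yara", "avs", "archive", "encoding", "timestamp",
}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample assembled from the <explanation> fragments on this page;
# the closing tags the page elides are supplied, and the third entry is made up
# to exercise the unknown-stype and malformed-hash paths.
SAMPLE_EXPLANATION = """<explanation analysis="content" protocol="">
  <malware-detected>
    <malware name="Trojan.Downloader" stype="av-match"/>
    <malware name="VirTool.Win32.DelfInject.gen.AA" sid="89016770;" stype="vm-bot-coand;av-match" type="exe">
      <downloaded-at>2012-10-10T04:06:35Z</downloaded-at>
      <md5sum>4c40057a9b2412e61472154d66df4c0d</md5sum>
      <original>load.exe</original>
    </malware>
    <malware name="InfoStealer.Banker.Zbot.DNS" sid="80440378" stype="blacklist;made-up-type">
      <md5sum>not-a-hash</md5sum>
    </malware>
  </malware-detected>
</explanation>"""


def split_list(raw):
    """Split a ';'-separated attribute (sid, stype), dropping empty items so a
    trailing separator such as sid="89016770;" does not yield an empty id."""
    return [part.strip() for part in (raw or "").split(";") if part.strip()]


def parse_malware_entries(xml_text):
    """Return one dict per <malware> element found under the explanation."""
    root = ET.fromstring(xml_text)
    entries = []
    for malware in root.iter("malware"):
        stypes = split_list(malware.get("stype"))
        md5 = (malware.findtext("md5sum") or "").strip().lower()
        entries.append({
            "name": malware.get("name"),
            "sids": split_list(malware.get("sid")),
            "stypes": stypes,
            # values not in the documented list: worth a parser alert, not a crash
            "unknown_stypes": sorted(set(stypes) - KNOWN_STYPES),
            "type": malware.get("type"),
            # only a well-formed hash is kept; anything else becomes None
            "md5sum": md5 if MD5_RE.match(md5) else None,
            "original": (malware.findtext("original") or "").strip() or None,
            "downloaded_at": (malware.findtext("downloaded-at") or "").strip() or None,
        })
    return entries


def hash_indicators(entries):
    """Sorted, de-duplicated MD5 hashes fit for use as file-hash indicators."""
    return sorted({e["md5sum"] for e in entries if e["md5sum"]})


if __name__ == "__main__":
    for entry in parse_malware_entries(SAMPLE_EXPLANATION):
        print(entry["name"], entry["sids"], entry["stypes"], entry["md5sum"])
        if entry["unknown_stypes"]:
            print("  undocumented stype values:", entry["unknown_stypes"])
    print("hash indicators:", hash_indicators(parse_malware_entries(SAMPLE_EXPLANATION)))
```

Keeping the hash validation separate from parsing means a notification with a garbled md5sum still yields a usable entry (name, sid, stype) while the malformed value is kept out of any blocklist.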
Element: alerts/alert/explanation/malware-detected/malware/note
Description: The note element allows the system to add notes or details to alert notifications about the detected malware.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String, 1023 characters
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="content" protocol="">
  <malware-detected>
    <malware name="Trojan.Downloader" stype="av-match"/>
    <malware name="VirTool.Win32.DelfInject.gen.AA" sid="89016770;" stype="vm-bot-coand;av-match" type="exe">
      <note>
        "AttackZone3"
      </note>
      <md5sum>4c40057a9b2412e61472154d66df4c0d</md5sum>
      <original>load.exe</original>
  </malware-detected>
</explanation>
Element: alerts/alert/explanation/malware-detected/malware/url
Description: The url element provides the primary URL associated with the detected malware.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: HTTP or HTTPS
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <malware-detected>
    <malware name="InfoStealer.Banker.Zbot.DNS">
      <url>https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ma_id\=51056&lms_iden\=00:25:90:54:7E:6E cs1Label=sname cs1=Trojan.Generic</url>
    </malware>
  </malware-detected>
</explanation>
Element: alerts/alert/explanation/malware-detected/malware/user
Description: The user element specifies the user name of the appliance user that has submitted the malware for analysis.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: String, 1023 characters
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <malware-detected>
    <malware name="InfoStealer.Banker.Zbot.DNS">
      <user>lroberrie</user>
    </malware>
  </malware-detected>
</explanation>
Element: alerts/alert/explanation/cnc-services/address
Description: The address element specifies the IP address associated with the malware’s command and control center.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: IPv4 or IPv6 IP address
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <address>
    xxx.xxx.xxx.xxx
  </address>
</explanation>
Element: alerts/alert/explanation/os-changes
Description: The os-changes element uses attributes that detail MVX operating system information at the time of infection.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following attributes in the notification:
os-changes
- osinfo
- id
- version
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <os-changes osinfo="Microsoft WindowsXP Professional 5.1 base" id="34872232" version="6.2.0.75853">
  </os-changes>
</explanation>
Element: alerts/alert/explanation/static-analysis
Description: The static-analysis element uses attributes that detail information about the static analysis tool(s) used during malware analysis.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following attributes in the notification:
static-analysis
- tool
- version
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
<explanation analysis="binary" protocol="udp">
  <static-analysis tool="sophos" version="5.1"/>
</explanation>
Element: javacall
Description: The javacall element is reported when the Java method of interest is called.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following items in the notification:
- context: Always set to "not-signed-applet".
- timestamp: A relative VM time.
- repeat: Optional. Avoids reporting too many events. XML nodes marked with (*) are not present if the repeat attribute is present.
- pid: Java VM process ID.
- imagepath: Process path.
- method: Java method name (method of interest). Two special cases, <clinit> and <init>, are reported as "CLASS-CONSTRUCTOR" and "CONSTRUCTOR", respectively.
- parentClass/parentMethod: The class and method that made a call to the method of interest.
- this: Address of this class instance.
- static: The method is static.
- params/param: A list of parameters and their values.
Release: 7.x
Example (with repeat attribute present):
<javacall context="not-signed-applet" timestamp="3249" repeat="100">
  <processinfo>
    <pid>3276</pid>
    <imagepath>c:\Program Files\Internet Explorer\iexplore.exe</imagepath>
  </processinfo>
  <class>java/lang/System</class>
  <method>setSecurityManager</method>
  <params><param id="1">0x0484A3B0</param></params>
</javacall>
Example (without repeat attribute):
  ...
  </imagepath></processinfo>
  <class>java/lang/System</class>
  <parentClass>Lsun/plugin/AppletViewer;</parentClass>
  <parentMethod>initEnvironment</parentMethod>
  <method>setSecurityManager</method>
  <this>static</this>
  <params><param id="1">0x0484A3B0</param></params>
</javacall>
Element: javaevent
Description: The javaevent attribute is reported when an action is taken to modify the current Java SecurityManager state.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following in the notification:
- context: Always set to "not-signed-applet".
- timestamp: A relative VM time.
- sm-reset-init: Reported when the Java SecurityManager is getting initialized. This value is nonmalicious.
- sm-reset-null: Reported when a non-null pointer to the Java SecurityManager is getting reset to null. This value is highly malicious.
- sm-reset-value: Reported when a non-null pointer to the Java SecurityManager is set to another non-null instance of the Java SecurityManager. This value is inconclusive.
Release: 7.x
Example:
<javaevent context="not-signed-applet" timestamp="3249">
  <id>sm-reset-init</id>
</javaevent>
Element: dialog-dismissed
Description: The dialog-dismissed element is reported when a dialog box is recognized and about to be dismissed.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following items in the notification:
- timestamp: A relative VM time.
- pid: The process ID that owns the dialog box to be dismissed.
- dlg-id: A unique dialog box identifier.
- note: A user-friendly string describing the dismissal method.
Release: 7.x
Example:
<dialog-dismissed timestamp="12345">
  <pid>123</pid>
  <dlg-id>g_SampleID</dlg-id>
  <note>Dialog was dismissed with a click on default button</note>
</dialog-dismissed>
Element: popup-dialog
Description: The popup-dialog element is reported when a recognized dialog box is shown from a browser process.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following items in the notification:
- timestamp: A relative VM time.
- title: The dialog box title.
- pid: The process ID that owns the dialog box to be dismissed.
- tid: The thread ID that created this dialog box.
- imagepath: The process path.
Release: 7.x
Example:
<popup-dialog timestamp="12345">
  <title>System Settings</title>
  <processinfo>
    <pid>3456</pid>
    <tid>123</tid>
    <imagepath>c:\Program Files\Internet Explorer\iexplore.exe</imagepath>
  </processinfo>
</popup-dialog>
Element: thread
Description: The thread element is reported for various operations on a thread (such as suspended, terminated, or hide), for threads created with NtQueueApcThread[Ex]/QueueUserAPC, and for opened threads (opened or duplicate_opened).
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following items in the notification:
- source: Specifies the actor (source-process) performing the action.
- target: Specifies the target (target-process) for the action.
- duplicate_source: Specifies the process from which the thread handle is duplicated. It only applies to duplicate_opened.
- duplicate_target: Specifies the process to which the thread handle is copied. It only applies to duplicate_opened.
- desiredaccess: An ACCESS request for open or duplicate_open.
- ntstatus: The system-call result. The result is 0x00000000/STATUS_SUCCESS for successful operations. For some operations, both success and failure are reported.
Release: 7.x
Element: StackPivot
Description: The StackPivot element refers to the stack pointer going out of the range maintained in the thread execution block (TEB). This is an industry-known indicator of exploit/ROP attempts.
Products: NX, AX, FX, EX, CM
Event Type: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data Type: This element might include at least one of the following items in the notification:
- processinfo: Provides details of the process where the stack pivot is observed.
- apiname: The API where the stack pivot was discovered.
- StackAddress: The value of the stack pointer.
- StackBottom, StackTop: The allowed range for the stack pointer.
- gadgets: Encoded using base64. Crafted disassembly pieces that perform ROP.
Release: 7.x
Example:
<stackpivot timestamp="4401541">
  <processinfo>
    <pid>3124</pid>
    <imagepath>C:\Program Files\Internet Explorer\iexplore.exe</imagepath>
  </processinfo>
  <apiname>VirtualAlloc</apiname>
  <StackAddress>0x00042348</StackAddress>
  <StackBottom>0x003fc000</StackBottom>
  <StackTop>0x00410000</StackTop>
</stackpivot>
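The javaevent row above attaches a verdict to each SecurityManager event id, and the StackPivot row states the condition the appliance reports: a stack pointer outside the [StackBottom, StackTop] range kept in the TEB. The following is an added example, not code from the FireEye documentation, that turns those two rules into triage logic for a consumer of the notification: it walks the sandbox events, recomputes the stack-pointer range check from the reported values (so a tampered or truncated element does not get a verdict for free), and reduces the findings to a single worst verdict. The sample is constructed from the javaevent and StackPivot examples above; the enclosing <events> container, the treatment of an unknown javaevent id as inconclusive, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Verdicts per javaevent id, as stated in the javaevent row above.
JAVAEVENT_VERDICT = {
    "sm-reset-init": "nonmalicious",
    "sm-reset-null": "highly malicious",
    "sm-reset-value": "inconclusive",
}
VERDICT_RANK = {"nonmalicious": 0, "inconclusive": 1, "highly malicious": 2}

# Constructed sample: the javaevent and stackpivot examples from this table,
# wrapped in an assumed <events> container (the page does not show the parent).
SAMPLE_EVENTS = r"""<events>
  <javaevent context="not-signed-applet" timestamp="3249"><id>sm-reset-init</id></javaevent>
  <javaevent context="not-signed-applet" timestamp="3250"><id>sm-reset-null</id></javaevent>
  <stackpivot timestamp="4401541">
    <processinfo>
      <pid>3124</pid>
      <imagepath>C:\Program Files\Internet Explorer\iexplore.exe</imagepath>
    </processinfo>
    <apiname>VirtualAlloc</apiname>
    <StackAddress>0x00042348</StackAddress>
    <StackBottom>0x003fc000</StackBottom>
    <StackTop>0x00410000</StackTop>
  </stackpivot>
</events>"""


def stack_pointer_outside(stack_address, stack_bottom, stack_top):
    """True when the reported stack pointer lies outside [StackBottom, StackTop).

    All three arguments are the hex strings as printed in the notification.
    """
    sp, bottom, top = (int(v, 16) for v in (stack_address, stack_bottom, stack_top))
    return not (bottom <= sp < top)


def triage_events(xml_text):
    """Assign a verdict to each javaevent/stackpivot element, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root:
        ts = int(el.get("timestamp", "0"))
        if el.tag == "javaevent":
            event_id = (el.findtext("id") or "").strip()
            findings.append({
                "event": "javaevent", "timestamp": ts, "id": event_id,
                # unknown ids are treated as inconclusive (assumption)
                "verdict": JAVAEVENT_VERDICT.get(event_id, "inconclusive"),
            })
        elif el.tag == "stackpivot":
            outside = stack_pointer_outside(
                el.findtext("StackAddress", "").strip(),
                el.findtext("StackBottom", "").strip(),
                el.findtext("StackTop", "").strip(),
            )
            findings.append({
                "event": "stackpivot", "timestamp": ts,
                "pid": int(el.findtext("processinfo/pid", "0")),
                "apiname": (el.findtext("apiname") or "").strip(),
                "outside_teb_range": outside,
                "verdict": "highly malicious" if outside else "inconclusive",
            })
    return findings


def worst_verdict(findings):
    """Highest-ranked verdict across all findings ("nonmalicious" when empty)."""
    return max((f["verdict"] for f in findings), key=VERDICT_RANK.get, default="nonmalicious")


if __name__ == "__main__":
    results = triage_events(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("worst verdict:", worst_verdict(results))
```

The range check is deliberately recomputed rather than trusted from the presence of the element: a parser that only counts stackpivot elements would rate a notification with a malformed or empty StackAddress the same as a real pivot.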
    Content-Type: multipart/mixed;
    boundary="=_534593fa.p4r5tfdz7QrRJ1TOdl/SO7xNZnbsUz8kBZCpjvDtyPOve1k7"
  </smtp-header>
  <date>Wed, 09 Apr 2014 11:39:54 -0700</date>
  <subject>zip file with 5 malicious files</subject>
</smtp-message>
<xs:element ref="systemshutdown"/>
<xs:element ref="os-inactivity-send-keys"/>
<xs:element ref="dialog-dismissed"/>
<xs:element ref="dialog-detected"/>
<xs:element ref="new-dialog-popup"/>
<xs:element ref="api_patch"/>
<xs:element ref="thread"/>
<xs:element ref="stackpivot"/>
<xs:element ref="popup-dialog"/>
<xs:element ref="javacall"/>
<xs:element ref="javaevent"/>
<xs:element ref="eventlogcmd"/>
<xs:element ref="alive"/>
<xs:element ref="BootSectorModified"/>
<xs:element ref="application"/>
<xs:element ref="Ransom"/>
<xs:element ref="Infector"/>
<xs:element ref="Stealer"/>
<xs:element ref="appexception_data"/>
<xs:element ref="ProtectionChange"/>
<xs:element ref="EmbeddedObject"/>
<xs:element ref="custom-patch"/>
<xs:element ref="log"/>
<xs:element ref="Meterpreter"/>
<xs:element ref="browser-plugin-start"/>
<xs:element ref="high_cpu"/>
<xs:element ref="Quit"/>
<xs:element ref="invert_timing"/>
<xs:element ref="bugcheck"/>
<xs:element ref="FEChannel"/>
<xs:element ref="ProcessToken"/>
<xs:element ref="config-update"/>
<xs:element ref="internal-error"/>
<xs:element ref="SendMessage"/>
<xs:element ref="NullPageMapping"/>
<xs:element ref="kexploit"/>
<xs:element ref="KExploit"/>
<xs:element ref="Flash"/>
<xs:element ref="SMEP"/>
<xs:element ref="MSR"/>
<xs:element ref="action_fopen"/>
<xs:element ref="shellcode"/>
<xs:element ref="stackexec"/>
<xs:element ref="JSData"/>
<xs:element ref="FirstRpidMemOp"/>
<xs:element ref="MemBruteForce"/>
<xs:element ref="CmdOp"/>
<xs:element ref="MemInjectOp"/>
<xs:element ref="ExfilDetect"/>
<xs:element ref="Destructor"/>
</xs:choice>
<xs:element ref="ROP"/>
<xs:element ref="end-of-report" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:element name="analysis">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="ftype" use="required" type="xs:string"/>
<xs:attribute name="version" use="required" type="xs:string"/>
<xs:attribute name="product" use="optional" type="xs:string"/>
<xs:attribute name="type" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="os">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="name" use="required" type="xs:string"/>
<xs:attribute name="version" use="required" type="xs:string"/>
<xs:attribute name="sp" use="optional" type="xs:string"/>
<xs:attribute name="arch" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="os_monitor">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="build" type="xs:integer"/>
<xs:attribute name="date" type="xs:string"/>
<xs:attribute name="time" type="xs:string"/>
<xs:attribute name="version" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="event_logger">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="build" use="required" type="xs:string"/>
<xs:attribute name="date" use="required" type="xs:string"/>
<xs:attribute name="time" use="required" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="keyloggerdetected">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element name="idhook" type="xs:string" minOccurs="0"/>
<xs:element name="hookprocaddr" type="xs:string" minOccurs="0"/>
<xs:element name="moduleaddr" type="xs:string" minOccurs="0"/>
<xs:element name="threadid" type="xs:long" minOccurs="0"/>
<xs:element name="module-name" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="into">
<xs:complexType>
<xs:sequence>
<xs:element ref="processinfo"/>
</xs:sequence>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="vbr_change">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="partition" minOccurs="0" type="xs:integer"/>
<xs:element name="md5_original" minOccurs="0" type="xs:string"/>
<xs:element name="md5_current" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="dtype" use="required" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="prop">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="pname" use="optional" type="xs:string"/>
<xs:attribute name="chunk" use="optional" type="xs:integer"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="doc_summary">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="prop"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute name="Application" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="count" use="optional" type="xs:integer"/>
<xs:attribute name="close-handler" use="optional" type="xs:integer"/>
<xs:attribute name="open-handler" use="optional" type="xs:integer"/>
<xs:attribute name="macro-protected" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="xaw_bin">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="InstructionPointer" minOccurs="0" type="xs:string"/>
<xs:element name="WritingModule" minOccurs="0" type="xs:string"/>
<xs:element name="WrittenModule" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="dtype" use="required" type="xs:string"/>
<xs:attribute name="type" use="required" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="kci">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="InstructionPointer" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<!-- The lines between the end of the kci definition and the start of the next
     element definition are missing from this copy of the schema; the element
     name below is a placeholder, not a FireEye element name. -->
<xs:element name="ELEMENT_NAME_MISSING_FROM_SOURCE">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="dll" minOccurs="0" type="xs:string"/>
<xs:element ref="into" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="dtype" use="required" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="codeinjection">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="source" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element ref="memory" minOccurs="0"/>
<xs:element ref="droppedfile" minOccurs="0"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="suppressed" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="source">
<xs:complexType>
<xs:sequence>
<xs:element ref="processinfo"/>
</xs:sequence>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="target">
<xs:complexType>
<xs:sequence>
<xs:element name="internal_process" type="xs:string" minOccurs="0"/>
<xs:element ref="processinfo" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="driver">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element minOccurs="0" name="ntstatus" type="xs:string"/>
<xs:element ref="processinfo"/>
<xs:element ref="registrypath"/>
<xs:element ref="driverimage"/>
<xs:element name="method" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="registrypath" type="xs:string"/>
<xs:element name="driverimage" type="xs:string"/>
<xs:element name="Attr">
<xs:complexType>
<xs:all>
<xs:element name="Value" minOccurs="0" type="xs:string"/>
<xs:element name="OldValue" minOccurs="0" type="xs:string"/>
<xs:element name="NewValue" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="name" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="Element">
<xs:complexType>
<xs:sequence>
<xs:element ref="Attr" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AttrList">
<xs:complexType>
<xs:sequence>
<xs:element ref="Attr" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="ElemList">
<xs:complexType>
<xs:sequence>
<xs:element ref="Element" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="wmicontent">
<xs:complexType>
<xs:all>
<xs:element name="lang" minOccurs="0" type="xs:string"/>
<xs:element name="query" minOccurs="0" type="xs:string"/>
<xs:element name="flags" minOccurs="0" type="xs:string"/>
<xs:element name="iwbemcontext" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="wmicontents">
<xs:complexType>
<xs:sequence>
<xs:element ref="wmicontent" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="NewHtmTag">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element ref="AttrList" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="new_tag" use="optional" type="xs:string"/>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="triggers">
<xs:complexType>
<xs:sequence>
<xs:element name="trigger" minOccurs="0" maxOccurs="unbounded" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="wmiquery">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element ref="wmicontents" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="ProcessTelemetryReport">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element ref="triggers" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="submit-details">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="submit-try" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="count" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="input-fields">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="text" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="count" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="select">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:attribute name="name" use="optional" type="xs:string"/>
<xs:attribute name="class-name" use="optional" type="xs:string"/>
<xs:attribute name="title" use="optional" type="xs:string"/>
<xs:attribute name="place-holder" use="optional" type="xs:string"/>
<xs:attribute name="alt" use="optional" type="xs:string"/>
<xs:attribute name="select-index" use="optional" type="xs:integer"/>
<xs:attribute name="select-text" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="select-box">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="select" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="count" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="hyperlinks">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element name="link" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="count" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="ba-form-data">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="submit-details" minOccurs="0" />
<xs:element ref="buttons" minOccurs="0" />
<xs:element ref="password-text-fields" minOccurs="0" />
<xs:element ref="input-fields" minOccurs="0" />
<xs:element ref="ba-form-attributes" minOccurs="0" />
<xs:element ref="hyperlinks" minOccurs="0" />
<xs:element ref="select-box" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="form-number" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="ba-post-data">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="ba-data" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="browser-automation">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="url" minOccurs="0" type="xs:string"/>
<xs:element name="statusbar-text-on-load" minOccurs="0" type="xs:string"/>
<xs:element name="total-number-of-elements" minOccurs="0" type="xs:integer"/>
<xs:element name="number-of-forms" minOccurs="0" type="xs:integer"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="browser-automation-html">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="ba-html" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="file">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="values" minOccurs="0"/>
<xs:element ref="value" minOccurs="0"/>
<xs:element minOccurs="0" name="filedes"/>
<xs:element minOccurs="0" ref="filesize"/>
<xs:element ref="md5sum" minOccurs="0"/>
<xs:element ref="sha1sum" minOccurs="0"/>
<xs:element minOccurs="0" name="target" type="xs:string"/>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="old_name" type="xs:string"/>
<xs:element minOccurs="0" name="new_name" type="xs:string"/>
<xs:element minOccurs="0" name="creationTime" type="xs:string"/>
<xs:element minOccurs="0" name="lastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="changeTime" type="xs:string"/>
<xs:element minOccurs="0" name="newCreationTime" type="xs:string"/>
<xs:element minOccurs="0" name="newLastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="newChangeTime" type="xs:string"/>
<xs:element minOccurs="0" ref="fid"/>
<xs:element minOccurs="0" name="perm" type="xs:string"/>
<xs:element minOccurs="0" name="failure" type="xs:string"/>
<xs:element minOccurs="0" name="ntstatus" type="xs:string"/>
<xs:element minOccurs="0" ref="EaName"/>
<xs:element minOccurs="0" name="EaValueLength" type="xs:string"/>
<xs:element minOccurs="0" name="EaValue" type="xs:string"/>
<xs:element minOccurs="0" name="CreateOptions" type="xs:string"/>
<xs:element minOccurs="0" ref="PE"/>
<xs:element minOccurs="0" name="content_after" type="xs:string"/>
<xs:element minOccurs="0" name="job_target" type="xs:string"/>
<xs:element minOccurs="0" name="job_parameter" type="xs:string"/>
<xs:element minOccurs="0" name="job_workingdir" type="xs:string"/>
<xs:element minOccurs="0" name="file_content" type="xs:string"/>
<xs:element minOccurs="0" name="old_target" type="xs:string"/>
<xs:element minOccurs="0" name="new_target" type="xs:string"/>
<xs:element name="source" minOccurs="0" type="xs:string"/>
<xs:element name="settime" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="EaName">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="Index" use="required" type="xs:long"/>
<xs:attribute name="Count" use="required" type="xs:long"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="folder">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element minOccurs="0" name="old_name" type="xs:string"/>
<xs:element minOccurs="0" name="new_name" type="xs:string"/>
<xs:element minOccurs="0" name="creationTime" type="xs:string"/>
<xs:element minOccurs="0" name="lastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="changeTime" type="xs:string"/>
<xs:element minOccurs="0" name="newCreationTime" type="xs:string"/>
<xs:element minOccurs="0" name="newLastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="newChangeTime" type="xs:string"/>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="ntstatus" type="xs:string"/>
<xs:element minOccurs="0" ref="EaName"/>
<xs:element minOccurs="0" name="EaValueLength" type="xs:string"/>
<xs:element minOccurs="0" name="EaValue" type="xs:string"/>
<xs:element minOccurs="0" name="CreateOptions" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:sequence>
<xs:element minOccurs="0" ref="processinfo"/>
<xs:element minOccurs="0" ref="protocol_type"/>
<xs:element minOccurs="0" ref="destination_port"/>
<xs:element minOccurs="0" ref="listen_port"/>
<xs:element minOccurs="0" name="qtype" type="xs:string"/>
<xs:element minOccurs="0" name="winsock_res" type="xs:string"/>
<xs:element minOccurs="0" name="dns_response_code" type="xs:string"/>
<xs:element minOccurs="0" name="hostname" type="xs:string"/>
<xs:element minOccurs="0" name="answer_number" type="xs:string"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="ipaddress"/>
<xs:element name="http_request" type="xs:string" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="protocol_type" type="xs:string"/>
<xs:element name="destination_port" type="xs:string"/>
<xs:element name="listen_port" type="xs:string"/>
<xs:element name="ipaddress" type="xs:string"/>
<xs:element name="http_request" type="xs:string"/>
<xs:element name="process_target">
<xs:complexType>
<xs:sequence>
<xs:element name="internal_process" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="duplicate_source">
<xs:complexType>
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="internal_process" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="duplicate_target">
<xs:complexType>
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="internal_process" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="memory_data">
<xs:complexType>
<xs:all>
<xs:element type="xs:string" name="PeakVirtualSize" minOccurs="0"/>
<xs:element type="xs:string" name="VirtualSize" minOccurs="0"/>
<xs:element type="xs:string" name="PageFaultCount" minOccurs="0"/>
<xs:element type="xs:string" name="PeakWorkingSetSize" minOccurs="0"/>
<xs:element type="xs:string" name="WorkingSetSize" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaPeakPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaPeakNonPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaNonPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="PagefileUsage" minOccurs="0"/>
<xs:element type="xs:string" name="PeakPagefileUsage" minOccurs="0"/>
<xs:element type="xs:string" name="PrivateUsage" minOccurs="0"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="telemetry_data">
<xs:complexType>
<xs:all>
<xs:element type="xs:integer" name="child_process_count" minOccurs="0"/>
<xs:element type="xs:integer" name="local_thread_count" minOccurs="0"/>
<xs:element type="xs:integer" name="remote_thread_count" minOccurs="0"/>
<xs:element type="xs:integer" name="mutex_create_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_failed_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_open_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_create_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_modify_count" minOccurs="0"/>
<xs:element type="xs:integer" name="http_req_count" minOccurs="0"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="process">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element ref="pid" minOccurs="0"/>
<xs:element ref="ppid" minOccurs="0"/>
<xs:element ref="parentname" minOccurs="0"/>
<xs:element ref="cmdline" minOccurs="0"/>
<xs:element ref="filesize" minOccurs="0"/>
<xs:element ref="md5sum" minOccurs="0"/>
<xs:element ref="sha1sum" minOccurs="0"/>
<xs:element name="packed" type="xs:string" minOccurs="0"/>
<xs:element name="desiredaccess" type="xs:string" minOccurs="0"/>
<xs:element name="ntstatus" type="xs:string" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
<xs:element ref="duplicate_source" minOccurs="0"/>
<xs:element ref="duplicate_target" minOccurs="0"/>
<xs:element name="InheritHandle" type="xs:string" minOccurs="0"/>
<xs:element name="Options" type="xs:string" minOccurs="0"/>
<xs:element ref="source" minOccurs="0"/>
<xs:element minOccurs="0" name="gui" type="xs:string"/>
<xs:element minOccurs="0" ref="fid"/>
<xs:element name="args" type="xs:string" minOccurs="0"/>
<xs:element name="app_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_short_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_crash_info" type="xs:string" minOccurs="0"/>
<xs:element name="code_type" type="xs:string" minOccurs="0"/>
<xs:element name="signal" minOccurs="0"/>
<xs:element name="signal_code" minOccurs="0"/>
<xs:element name="trapno" minOccurs="0"/>
<xs:element name="err" minOccurs="0"/>
<xs:element name="cpu_num" minOccurs="0"/>
<xs:element name="faultvaddr" minOccurs="0"/>
<xs:element name="exception_type" minOccurs="0"/>
<xs:element name="exception_code" minOccurs="0"/>
<xs:element name="register_dump" type="xs:string" minOccurs="0"/>
<xs:element name="crash_stack" type="xs:string" minOccurs="0"/>
<xs:element ref="telemetry_data" minOccurs="0"/>
<xs:element ref="memory_data" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="detection-monitor-killed">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="end-of-report">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="processinfo">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="pid" minOccurs="0"/>
<xs:element ref="ppid" minOccurs="0"/>
<xs:element ref="tid" minOccurs="0"/>
<xs:element name="process_cpu" minOccurs="0" type="xs:string"/>
<xs:element ref="imagepath" minOccurs="0"/>
<xs:element ref="cmdline" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="gadgets">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="enc" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="callsites">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="callsite-entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callsite-entry">
<xs:complexType>
<xs:all>
<xs:element name="address" minOccurs="0" type="xs:string" />
<xs:element name="module-name" minOccurs="0" type="xs:string" />
<xs:element name="count" minOccurs="0" type="xs:integer" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="callstack">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="callstack-entry"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="Frame"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callstack-entry">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" name="frame-number" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="instruction-address" type="xs:string"/>
</xs:sequence>
<xs:all>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="data" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="sequence" use="optional" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:complexType>
</xs:element>
<xs:element name="debugcontrol">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element minOccurs="0" name="ntstatus" type="xs:string"/>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="controlcode" type="xs:string"/>
<xs:element minOccurs="0" name="codedescription" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="SUSPICIOUS_OBJECT_CREATION">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="clsid" type="xs:string"/>
<xs:element minOccurs="0" name="desc" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="systemshutdown">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="action" type="xs:string"/>
<xs:element name="actiondescription" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="SSDT">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="GPA" minOccurs="0" type="xs:string"/>
<xs:element name="function" minOccurs="0" type="xs:string"/>
<xs:element name="newvalue" minOccurs="0" type="xs:string"/>
<xs:element name="target" minOccurs="0" type="xs:string"/>
<xs:element name="mode" minOccurs="0" type="xs:string"/>
<xs:element name="value" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute type="xs:integer" name="timestamp" use="optional"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="started" type="xs:string"/>
<xs:element name="values">
<xs:complexType>
<xs:sequence>
<xs:element ref="value" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="value">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="result" use="optional" type="xs:string"/>
<xs:attribute name="action" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="bytesreceived" type="xs:string"/>
<xs:element name="totalmemory" type="xs:string"/>
<xs:element name="filesize" type="xs:string"/>
<xs:element name="md5sum" type="xs:string"/>
<xs:element name="sha1sum" type="xs:string"/>
<xs:element name="pid" type="xs:integer"/>
<xs:element name="tid" type="xs:string"/>
<xs:element name="current_tid" type="xs:string"/>
<xs:element name="hidden_tid" type="xs:string"/>
<xs:element name="uac">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element minOccurs="0" name="status" type="xs:string"/>
<xs:element minOccurs="0" name="accountenabled" type="xs:string"/>
<xs:element minOccurs="0" name="accountcreated" type="xs:string"/>
<xs:element minOccurs="0" name="accountname" type="xs:string"/>
<xs:element minOccurs="0" name="passwordchange" type="xs:string"/>
<xs:element minOccurs="0" name="group" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
<xs:attribute name="windowless" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="text-fields">
<xs:complexType>
<xs:sequence>
<xs:element ref="text-field" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="text-field">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="id" use="required" type="xs:integer"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="new-dialog-popup">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="hwnd" type="xs:string" minOccurs="0"/>
<xs:element name="title" type="xs:string" minOccurs="0"/>
<xs:element name="window-class" type="xs:string" minOccurs="0"/>
<xs:element name="size-width" type="xs:integer" minOccurs="0"/>
<xs:element name="size-height" type="xs:integer" minOccurs="0"/>
<xs:element name="position-x" type="xs:integer" minOccurs="0"/>
<xs:element name="position-y" type="xs:integer" minOccurs="0"/>
<xs:element name="visible" type="xs:string" minOccurs="0"/>
<xs:element name="topmost" type="xs:string" minOccurs="0"/>
<xs:element ref="text-fields" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="context2">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="memory" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="context">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="memory" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="apc_routine">
<xs:complexType mixed="true">
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="memory" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="apc_routine_context2">
<xs:complexType mixed="true">
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="memory" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="apc_routine_context">
<xs:complexType mixed="true">
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="memory" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="javacall">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="class" type="xs:string" minOccurs="0"/>
<xs:element name="parentClass" type="xs:string" minOccurs="0"/>
<xs:element name="method" type="xs:string" minOccurs="0"/>
<xs:element name="parentMethod" type="xs:string" minOccurs="0"/>
<xs:element name="this" type="xs:string" minOccurs="0"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="context" use="optional" type="xs:string"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="alive">
<xs:complexType/>
</xs:element>
<xs:element name="BootSectorModified">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="md5sum_original" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_orginal" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_current" type="xs:string" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="api_patch">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="source" minOccurs="0"/>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element minOccurs="0" ref="target"/>
<xs:element ref="dllname" minOccurs="0"/>
<xs:element ref="apiname" minOccurs="0"/>
<xs:element ref="address" minOccurs="0"/>
<xs:element ref="caller_addr" minOccurs="0"/>
<xs:element name="size" type="xs:string" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
<xs:attribute name="target" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="ROP">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element ref="apiname"/>
<xs:element ref="address" minOccurs="0"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element name="valid_call_instruction" type="xs:string" minOccurs="0"/>
<xs:element name="ModuleName" type="xs:string" minOccurs="0"/>
<xs:element name="ModuleBase" type="xs:string" minOccurs="0"/>
<xs:element name="CallerOffset" type="xs:string" minOccurs="0"/>
<xs:element name="PreviousBytes" type="xs:string" minOccurs="0"/>
<xs:element name="ForwardBytes" type="xs:string" minOccurs="0"/>
<xs:element ref="StackAddress" minOccurs="0"/>
<xs:element ref="StackLimit" minOccurs="0"/>
<xs:element ref="StackBase" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="sequenceId" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="SuppressionData">
<xs:complexType>
<xs:all>
<xs:element name="SPStackBase" minOccurs="0" type="xs:string"/>
<xs:element name="SPStackEnd" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionRegionBase" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionRegionEnd" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionList" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionListMemType" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionListMemProtect" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="stackpivot">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="apiname" minOccurs="0"/>
<xs:element name="CallerAddress" minOccurs="0" type="xs:string"/>
<xs:element name="CallerModule" minOccurs="0" type="xs:string"/>
<xs:element ref="StackAddress" minOccurs="0"/>
<xs:element ref="StackBottom" minOccurs="0"/>
<xs:element ref="StackTop" minOccurs="0"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element name="SuppressMode" minOccurs="0" type="xs:string"/>
<xs:element ref="SuppressionData" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="suppressed" use="optional" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="application">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="app-name" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="Ransom">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="pattern"/>
<xs:element ref="value" minOccurs="0"/>
<xs:element ref="md5sum" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="Infector">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="pattern"/>
<xs:element ref="value" minOccurs="0"/>
<xs:element ref="md5sum" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="Stealer">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value"/>
<xs:element name="newPath" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="high_cpu">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element minOccurs="0" name="total_cpu" type="xs:string"/>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="Quit">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="name" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="invert_timing">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="dllname"/>
<xs:element ref="apiname"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="Privileges">
<xs:complexType>
<xs:sequence>
<xs:element name="Privilege" maxOccurs="unbounded" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute name="present" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="SuperPrivileges">
<xs:complexType>
<xs:all>
<xs:element name="Value" minOccurs="0" type="xs:string"/>
<xs:element ref="Privileges" minOccurs="0"/>
</xs:all>
<xs:attribute name="present" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="ProcessToken">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="LogonSession" minOccurs="0" type="xs:string"/>
<xs:element name="User" minOccurs="0" type="xs:string"/>
<xs:element ref="SuperPrivileges" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="config-update">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="status" minOccurs="0" type="xs:string"/>
<xs:element name="update-requested" minOccurs="0" type="xs:string"/>
<xs:element name="files" minOccurs="0" type="xs:string"/>
<xs:element name="version" minOccurs="0" type="xs:string"/>
<xs:element name="error" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="raw-data">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="chunk" use="optional" type="xs:integer"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="critical-error">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element name="error-id" minOccurs="0" type="xs:integer"/>
<xs:element name="error-string" minOccurs="0" type="xs:string"/>
<xs:element ref="raw-data" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="CmdInfo">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element name="error-id" minOccurs="0" type="xs:integer"/>
<xs:element name="error-string" minOccurs="0" type="xs:string"/>
<xs:element ref="raw-data" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="internal-error">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element name="data" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="SendMessage">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="MessageType" minOccurs="0" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="NullPageMapping">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="BaseAddress" type="xs:string" minOccurs="0" />
<xs:element name="Size" type="xs:string" minOccurs="0" />
<xs:element name="AllocType" type="xs:string" minOccurs="0" />
<xs:element name="Protect" type="xs:string" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="kexploit">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="Api" type="xs:string" minOccurs="0" />
<xs:element name="Caller" type="xs:string" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="SystemTime">
<xs:complexType>
<xs:all>
<xs:element name="Value" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="KExploit">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="Api" type="xs:string" minOccurs="0" />
<xs:element name="Caller" type="xs:string" minOccurs="0" />
<xs:element name="CallerMemType" type="xs:string" minOccurs="0" />
<xs:element ref="params" minOccurs="0"/>
<xs:element ref="callstack" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="Method">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="Name" type="xs:string"/>
<xs:element minOccurs="0" name="Ptr" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="Vector">
<xs:complexType>
<xs:all>
<xs:element name="VectorSize" minOccurs="0" type="xs:string"/>
<xs:element name="PageBoundary" type="xs:string" minOccurs="0" />
<xs:element name="SizeFrequency" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="List">
<xs:complexType>
<xs:sequence>
<xs:element ref="Method" maxOccurs="unbounded" minOccurs="0"/>
<xs:element ref="Vector" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Flash">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="Dll" type="xs:string" minOccurs="0" />
<xs:element ref="List" minOccurs="0" />
<xs:element name="VectorSize" type="xs:string" minOccurs="0" />
<xs:element name="PageBoundary" type="xs:string" minOccurs="0" />
<xs:element name="SizeFrequency" type="xs:integer" minOccurs="0" />
<xs:element name="TotalVectors" type="xs:integer" minOccurs="0" />
<xs:element name="SumVectorLengths" type="xs:string" minOccurs="0" />
<xs:element name="Method" type="xs:string" minOccurs="0" />
<xs:element name="Length" type="xs:string" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="names">
<xs:complexType>
<xs:sequence>
<xs:element name="name" maxOccurs="unbounded" minOccurs="0" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DllCharacteristics">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" ref="value"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="msrinfo">
<xs:complexType>
<xs:all>
<xs:element name="type" type="xs:string" minOccurs="0" />
<xs:element name="address" type="xs:string" minOccurs="0" />
<xs:element name="content" type="xs:string" minOccurs="0" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="MSR">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="ip" type="xs:string" minOccurs="0" />
<xs:element ref="msrinfo" minOccurs="0"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="action_fopen">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="ext" type="xs:string" minOccurs="0" />
<xs:element name="name" type="xs:string" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="shellcode">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="ip" type="xs:string" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="stackexec">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="StackBase" minOccurs="0"/>
<xs:element ref="StackLimit" minOccurs="0"/>
<xs:element name="StackPointer" type="xs:string" minOccurs="0" />
<xs:element name="InstructionPointer" type="xs:string" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="Destructor">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="pattern" minOccurs="0"/>
<xs:element minOccurs="0" name="value" type="xs:string"/>
<xs:element minOccurs="0" name="md5sum" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="ExfilDetect">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element minOccurs="0" name="Address" type="xs:string"/>
<xs:element minOccurs="0" name="Size" type="xs:string"/>
<xs:element minOccurs="0" name="Offset" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
<xs:attribute name="type" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="MemInjectOp">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="source" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
<xs:element minOccurs="0" name="Address" type="xs:string"/>
<xs:element minOccurs="0" name="Size" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="JSData">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="JSNote" type="xs:string" minOccurs="0" />
<xs:element name="JSSize" type="xs:string" minOccurs="0" />
<xs:element name="JScript" type="xs:string" minOccurs="0" />
<xs:element name="JSType" type="xs:string" minOccurs="0" />
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="sequence" use="optional" type="xs:string"/>
<xs:attribute name="chunk" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="FirstRpidMemOp">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="source" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
<xs:element minOccurs="0" name="Address" type="xs:string"/>
<xs:element minOccurs="0" name="Size" type="xs:string"/>
<xs:element minOccurs="0" name="IsMinApplAddress" type="xs:string"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
<xs:attribute name="mode" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="OpList">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="unbounded" name="OpLine" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="CmdOp">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element ref="OpList"/>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
</xs:schema>
<xs:element ref="CmdLine"/>
<xs:element ref="systemshutdown"/>
<xs:element ref="os-inactivity-send-keys"/>
<xs:element ref="dialog-dismissed"/>
<xs:element ref="thread"/>
<xs:element ref="javacall"/>
<xs:element ref="javaevent"/>
<xs:element ref="eventlogcmd"/>
<xs:element ref="alive"/>
<xs:element ref="BootSectorModified"/>
<xs:element ref="dylib"/>
<xs:element ref="mach"/>
<xs:element ref="time"/>
<xs:element ref="sudo"/>
<xs:element ref="kext"/>
<xs:element ref="exploit"/>
<xs:element ref="plist"/>
<xs:element ref="ROP"/>
<xs:element ref="application"/>
</xs:choice>
<xs:element ref="end-of-report" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:element name="analysis">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="ftype" use="required" type="xs:string"/>
<xs:attribute name="version" use="required" type="xs:string"/>
<xs:attribute name="product" use="optional" type="xs:string"/>
<xs:attribute name="type" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="os">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:attribute name="name" use="required" type="xs:string"/>
<xs:attribute name="sp" use="optional" type="xs:string"/>
<xs:attribute name="version" use="required" type="xs:string"/>
<xs:all>
<xs:element ref="processinfo"/>
<xs:element ref="dllname"/>
<xs:element ref="apiname"/>
<xs:element ref="address"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element name="options" type="xs:string" minOccurs="0"/>
<xs:element name="assembly" type="xs:string" minOccurs="0"/>
<xs:element ref="callsites" minOccurs="0"/>
</xs:all>
<xs:attribute name="repeat" use="optional" type="xs:long"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="codeinjection">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="source" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="suppressed" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="source">
<xs:complexType>
<xs:sequence>
<xs:element ref="processinfo"/>
</xs:sequence>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="target">
<xs:complexType>
<xs:sequence>
<xs:element name="internal_process" type="xs:string" minOccurs="0"/>
<xs:element ref="processinfo" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="driver">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="processinfo"/>
<xs:element ref="registrypath"/>
<xs:element ref="driverimage"/>
<xs:element ref="method"/>
</xs:sequence>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="registrypath" type="xs:string"/>
<xs:element name="driverimage" type="xs:string"/>
<xs:element name="method" type="xs:string"/>
<xs:element name="exploitcode">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="processinfo"/>
<xs:element ref="dllname"/>
<xs:element ref="apiname"/>
<xs:element ref="address"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element ref="callstack" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="protection" use="optional" type="xs:string"/>
<xs:attribute name="suppressed" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="file">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element minOccurs="0" name="filedes"/>
<xs:element minOccurs="0" ref="filesize"/>
<xs:element ref="md5sum" minOccurs="0"/>
<xs:element ref="sha1sum" minOccurs="0"/>
<xs:element minOccurs="0" name="target" type="xs:string"/>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="rename" type="xs:string"/>
<xs:element minOccurs="0" name="old_name" type="xs:string"/>
<xs:element minOccurs="0" name="new_name" type="xs:string"/>
<xs:element minOccurs="0" name="creationTime" type="xs:string"/>
<xs:element minOccurs="0" name="lastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="changeTime" type="xs:string"/>
<xs:element minOccurs="0" name="newCreationTime" type="xs:string"/>
<xs:element minOccurs="0" name="newLastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="newChangeTime" type="xs:string"/>
<xs:element minOccurs="0" ref="fid"/>
<xs:element minOccurs="0" name="perm" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="type" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="folder">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element minOccurs="0" name="rename" type="xs:string"/>
<xs:element ref="value"/>
<xs:element ref="processinfo"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="network">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="protocol_type" minOccurs="0"/>
<xs:element ref="destination_port" minOccurs="0"/>
<xs:element ref="listen_port" minOccurs="0"/>
<xs:element minOccurs="0" ref="ipaddress"/>
<xs:element name="http_request" type="xs:string" minOccurs="0"/>
<xs:element minOccurs="0" name="qtype" type="xs:string"/>
<xs:element minOccurs="0" name="hostname" type="xs:string"/>
<xs:element minOccurs="0" name="answer_number" type="xs:string"/>
<xs:element minOccurs="0" name="winsock_res" type="xs:string"/>
<xs:element minOccurs="0" name="dns_response_code" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="protocol_type" type="xs:string"/>
<xs:element name="destination_port" type="xs:string"/>
<xs:element name="listen_port" type="xs:string"/>
<xs:element name="ipaddress" type="xs:string"/>
<xs:element name="http_request" type="xs:string"/>
<xs:element name="parameter">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="parameters">
<xs:complexType>
<xs:sequence>
<xs:element ref="parameter" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="process">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="pid" minOccurs="0"/>
<xs:element ref="ppid" minOccurs="0"/>
<xs:element ref="parentname" minOccurs="0"/>
<xs:element ref="cmdline" minOccurs="0"/>
<xs:element ref="filesize" minOccurs="0"/>
<xs:element ref="md5sum" minOccurs="0"/>
<xs:element ref="sha1sum" minOccurs="0"/>
<xs:element name="packed" type="xs:string" minOccurs="0"/>
<xs:element name="desiredaccess" type="xs:string" minOccurs="0"/>
<xs:element name="ntstatus" type="xs:string" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
<xs:element ref="source" minOccurs="0"/>
<xs:element minOccurs="0" name="gui" type="xs:string"/>
<xs:element minOccurs="0" ref="fid"/>
<xs:element name="args" type="xs:string" minOccurs="0"/>
<xs:element name="app_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_short_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_crash_info" type="xs:string" minOccurs="0"/>
<xs:element name="code_type" type="xs:string" minOccurs="0"/>
<xs:element name="signal" minOccurs="0" type="xs:string"/>
<xs:element name="signal_code" minOccurs="0" type="xs:string"/>
<xs:element name="trapno" minOccurs="0" type="xs:string"/>
<xs:element name="err" minOccurs="0" type="xs:string"/>
<xs:element name="cpu_num" minOccurs="0" type="xs:string"/>
<xs:element name="faultvaddr" minOccurs="0" type="xs:string"/>
<xs:element name="exception_type" minOccurs="0" type="xs:string"/>
<xs:element name="exception_code" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="id" type="xs:string"/>
<xs:element name="deltatime" type="xs:string"/>
<xs:element name="regkey">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element ref="processinfo" minOccurs="0"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="randomized" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="os-inactivity-send-keys">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="end-of-report">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="processinfo">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="gadgets">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="enc" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="callsites">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="callsite-entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callsite-entry">
<xs:complexType>
<xs:all>
<xs:element name="address" minOccurs="0" type="xs:string" />
<xs:element name="module-name" minOccurs="0" type="xs:string" />
<xs:element name="count" minOccurs="0" type="xs:integer" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="callstack">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" ref="callstack-entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callstack-entry">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" name="frame-number" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="instruction-address" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="module-name" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="symbol-name" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="symbol-displacement" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="fid">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="ads" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="appexception">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="exception_faulting_address" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="hiddenproc">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="processinfo"/>
<xs:element minOccurs="0" name="imagename" type="xs:string"/>
</xs:sequence>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="dll-exports">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="dllname"/>
<xs:element minOccurs="0" ref="exports"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="exports">
<xs:complexType>
<xs:sequence>
<xs:element name="export-function" type="xs:string" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AsyncKeyLogger">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element name="ProbePattern" type="xs:string"/>
<xs:element name="Yields" type="xs:string"/>
<xs:element name="Probes" type="xs:string"/>
<xs:element name="KeyLoggerType" type="xs:string" minOccurs="0" />
</xs:all>
<xs:attribute name="name" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="CmdLine">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="value"/>
<xs:element name="ExitCode" type="xs:string"/>
</xs:sequence>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="spooler-dll-injection">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="dllname" minOccurs="0"/>
<xs:element ref="apiname" minOccurs="0"/>
<xs:element ref="address" minOccurs="0"/>
<xs:element ref="params" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="firefox">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element name="old_homepage" type="xs:string" minOccurs="0"/>
<xs:element name="new_homepage" type="xs:string" minOccurs="0"/>
<xs:element name="pid" type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="systemshutdown">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="action" type="xs:string"/>
<xs:element name="actiondescription" type="xs:string"/>
</xs:sequence>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="detection-monitor-killed" type="xs:string"/>
<xs:element name="SSDT">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:sequence>
<xs:element name="mode" minOccurs="0" type="xs:string"/>
<xs:element name="value" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute type="xs:short" name="timestamp" use="optional"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="dialog-dismissed">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="pid" type="xs:string" minOccurs="0"/>
<xs:element name="dlg-id" type="xs:string" minOccurs="0"/>
<xs:element name="note" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="thread">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="desiredaccess" type="xs:string" minOccurs="0"/>
<xs:element name="ntstatus" type="xs:string" minOccurs="0"/>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="imagepath" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum" type="xs:string" minOccurs="0"/>
<xs:element ref="source" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
<xs:element ref="tid" minOccurs="0"/>
<xs:element ref="current_tid" minOccurs="0"/>
<xs:element ref="hidden_tid" minOccurs="0"/>
</xs:all>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="javacall">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element name="alive">
<xs:complexType/>
</xs:element>
<xs:element name="BootSectorModified">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="md5sum_orginal" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_original" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_current" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="dylib">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value" minOccurs="0"/>
<xs:element ref="processinfo"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="mach">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="addr" type="xs:string" minOccurs="0"/>
<xs:element name="size" type="xs:string" minOccurs="0"/>
<xs:element name="target-process" type="xs:string" minOccurs="0"/>
<xs:element name="target-pid" type="xs:string" minOccurs="0"/>
<xs:element name="target-port" type="xs:string" minOccurs="0"/>
<xs:element name="remote-addr" type="xs:string" minOccurs="0"/>
<xs:element ref="processinfo"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="time">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value"/>
<xs:element ref="processinfo"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="sudo">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="kext">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="value"/>
<xs:element ref="processinfo"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo"/>
<xs:element ref="apiname"/>
<xs:element ref="address" minOccurs="0"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element ref="StackAddress" minOccurs="0"/>
<xs:element ref="StackLimit" minOccurs="0"/>
<xs:element ref="StackBase" minOccurs="0"/>
</xs:all>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="sequenceId" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="application">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:attribute name="app-name" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="machtrap">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="dllname" minOccurs="0"/>
<xs:element ref="apiname" minOccurs="0"/>
<xs:element ref="is64bit" minOccurs="0"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element minOccurs="0" ref="address"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="state" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
<xs:element name="syscall">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element ref="processinfo" minOccurs="0"/>
<xs:element ref="dllname" minOccurs="0"/>
<xs:element ref="apiname" minOccurs="0"/>
<xs:element ref="is64bit" minOccurs="0"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element minOccurs="0" ref="address"/>
</xs:all>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:element>
</xs:schema>
The following section provides JavaScript Object Notation (JSON) notification examples for each infection type. Additional sections
describe each element and sub-element provided by JSON notification messages. The format shares definitions with the XML Notifications
Schema on page 115, XML Schema for OS Changes—Macintosh on page 291, and XML Schema for OS Changes—Windows on page 216.
If you are sending alert notifications in XML or JSON to an rsyslog server using the extended output option, the size of the alert
notification is likely to exceed the 4K UDP limit. To avoid this limit, use TCP as the transport layer instead of UDP.
"protocol": "tcp",
"analysis": "content"
},
"alert-url": "https://center1.eng.fireeye.com/event_stream/events_for_bot?ev_id=1",
"locations": "GB/High Wycombe",
"root-infection": "1",
"name": "malware-callback",
"action": "notified",
"version": "7.9.0.474115",
"occurred": "2016-07-13 00:52:14+00",
"interface": {
"interface": "pether4",
"mode": "tap",
"label": "A2"
},
"sensor-ip": "xxx.xxx.xxx.xxx",
"sensor": "qa-607-5",
"id": "1",
"severity": "crit"
},
"version": "7.9.0.474115",
"msg": "normal"
}
"stype": "bot-command",
"sid": "89042535"
}
},
"cnc-services": {
"cnc-service": {
"location": "US/CA/Rancho Cordova",
"protocol": "tcp",
"port": "80",
"channel": "GET /newad.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nHost: the.microgood.net\r\nConnection: Keep-Alive",
"address": "xxx.xxx.xxx.xxx"
}
},
"protocol": "tcp",
"analysis": "content"
},
"locations": "US/CA/Rancho Cordova",
"id": "2000",
"action": "notified",
"occurred": "2016-07-19 07:37:13+00",
"interface": {
"interface": "pether3",
"mode": "tap",
"label": "A1"
},
"dst": {
"ip": "xxx.xxx.xxx.xxx",
"mac": "00:19:d1:fd:a2:52",
"port": "80"
},
"name": "malware-callback"
},
"version": "7.9.0.476843",
"msg": "extended"
}
"alert": {
"src": {
"ip": "xxx.xxx.xxx.xxx",
"mac": "00:00:50:40:00:44",
"vlan": "0",
"port": "4260"
},
"product": "Web MPS",
"appliance-id": "0025907F5E42",
"name": "malware-object",
"dst": {
"ip": "xxx.xxx.xxx.xxx",
"mac": "00:00:00:50:40:55",
"port": "80"
},
"explanation": {
"malware-detected": {
"malware": {
"http-header": "GET /ber/bery.py/oH85ad2e26V03009f35002R1d006976102Tce61e035Q00000049901801F002a000aJ02000601l0409Ke496c0ad303 HTTP/1.1\r\naccept-encoding: pack200-gzip,gzip\r\nUser-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_02\r\nHost: ockvfsqtbkm.com\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\nConnection: keep-alive\r\n\r\nHTTP/1.1 200 OK\r\nServer: nginx/0.7.62\r\nDate: Mon, 19 Apr 2010 21:41:43 GMT\r\nContent-Type: application/octet-stream\r\nConnection: close\r\nPragma: no-cache\r\nContent-Length: 6386",
"malicious": "yes",
"name": "Malware.Binary",
"downloaded-at": "2016-07-13T00:53:26Z",
"md5sum": "4f8d2d616b1324db5dfa60b54f8fcf1a",
"executed-at": "2016-07-13T00:53:32Z",
"type": "jar",
"original": "oH85ad2e26V03009f35002R1d006976102Tce61e035Q00000049901801F002a000aJ02000601l0409Ke496c0ad303",
"stype": "known-md5sum"
}
},
"protocol": "tcp",
"analysis": "binary"
},
"alert-url": "https://center1.eng.fireeye.com/event_stream/events_for_bot?ma_id=2",
"occurred": "2016-07-13 00:53:32+00",
"root-infection": "2",
"class": "IPS",
"action": "notified",
"version": "7.9.0.474115",
"interface": {
"mode": "tap"
},
"sensor-ip": "xxx.xxx.xxx.xxx",
"sensor": "qa-607-5",
"id": "2",
"severity": "majr"
},
"version": "7.9.0.474115",
"msg": "normal"
}
}
},
"id": "21",
"name": "malware-object",
"occurred": "2017-02-09T11:20:54Z",
"severity": "majr",
"src": {
"smtp-mail-from": "[email protected]",
"url": "/cfe32123-ff6a-4c4b-861b-f33bd1b89fc4"
}
},
"appliance": "lionking-97.mrl.fireeye.com",
"appliance-id": "0C:C4:7A:69:10:1C",
"msg": "concise",
"product": "Email MPS",
"version": "7.9.0.588405"
}
"version": "7.9.0.476843",
"msg": "concise"
}
"protocol": "tcp",
"analysis": "content"
},
"alert-url": "https://center1.eng.fireeye.com/event_stream/events_for_bot?ev_id=11",
"occurred": "2016-07-13 00:54:15+00",
"root-infection": "10",
"class": "IPS",
"action": "notified",
"version": "7.9.0.474115",
"interface": {
"interface": "pether4",
"mode": "tap",
"label": "A2"
},
"sensor-ip": "xxx.xxx.xxx.xxx",
"sensor": "qa-607-5",
"id": "11",
"severity": "minr"
},
"version": "7.9.0.474115",
"msg": "normal"
}
"sid": "84400000"
}
},
"cnc-services": {
"cnc-service": {
"protocol": "tcp",
"port": "80",
"channel": "GET http://yipinlawyer.com/ HTTP/1.1\r\nHost: yipinlawyer.com\r\nversion=6,0,0,0\" width=\"'+ swf_width +'\" height=\"'+ swf_height +'\">');\r\ndocument.write('<param name=\"movie\" value=\"/flash/slideflash.swf\"><param name=\"quality\" value=\"high\">');\r\ndocument.write('<param name=\"menu\" value=\"false\"><param name=wmode value=\"opaque\">');\r\ndocument.write('<param name=\"FlashVars\" value=\"bcastr_file='+files+'&bcastr_link='+links+'&bcastr_title='+texts+'&bcastr_config='+configtg+'\">');\r\ndocument.write('<embed src=\"/flash/slideflash.swf\" wmode=\"opaque\" FlashVars=\"bcastr_file='+files+'&bcastr_link='+links+'&bcastr_title='+texts+'&bcastr_config='+configtg+'&menu=\"false\" quality=\"high\" width=\"'+ swf_width +'\" height=\"'+ swf_height +'\" type=\"application/x-shockwave-flash\" pluginspage=\"http://www.macromedia.com/go/getflashplayer\" />'); document.write ('</object>'); \r\n</SCRIPT></div><SCRIPT Language=VBScript><!--\r\nDropFileName = \"svchost.exe\"\r\nWriteData = \"4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000",
"address": "xxx.xxx.xxx.xxx"
}
},
"protocol": "tcp",
"analysis": "content"
},
"occurred": "2016-07-19 09:07:18+00",
"id": "2085",
"action": "notified",
"interface": {
"interface": "pether3",
"mode": "tap",
"label": "A1"
},
"dst": {
"ip": "xxx.xxx.xxx.xxx",
"mac": "00:50:56:e5:3f:c5",
"port": "80"
},
"name": "infection-match"
},
"version": "7.9.0.476843",
"msg": "extended"
}
"interface": {
"interface": "pether4",
"mode": "tap",
"label": "A2"
},
"sensor-ip": "xxx.xxx.xxx.xxx",
"sensor": "qa-607-5",
"id": "50",
"severity": "minr"
},
"version": "7.9.0.474115",
"msg": "normal"
}
},
"protocol": "udp",
"analysis": "content"
},
"occurred": "2016-07-19 07:37:13+00",
"id": "1999",
"action": "notified",
"interface": {
"interface": "pether3",
"mode": "tap",
"label": "A1"
},
"dst": {
"mac": "00:19:d1:fd:a2:52"
},
"name": "domain-match"
},
"version": "7.9.0.476843",
"msg": "extended"
}
Event: ips-event
{
"alert": {
"occurred": "2016-07-13T00:54:15Z",
"name": "ips-event",
"product": "Web MPS",
"version": "7.9.0.474115",
"severity": "crit",
"src": {
"ip": "xxx.xxx.xxx.xxx",
"port": 80,
"mac": "00:50:56:f7:db:db"
},
"class": "IPS",
"action": "notified",
"id": 2,
"appliance-id": "0025907F5E42",
"sensor": "qa-607-5",
"vlan": "0",
"alert-url": "https://center1.eng.fireeye.com/notification_url/ips_events?ev_id=2",
"dst": {
"ip": "xxx.xxx.xxx.xxx",
"port": 1111,
"mac": "00:0c:29:9e:e9:da"
},
"explanation": {
"ips-detected": {
"cve-id": "",
"action-taken": "may be blocked in future by the default policy",
"attack-mode": "client",
"match-count": 1,
"sig-name": "Suspicious Java Jar Instantiation",
"sig-id": "85305189",
"sig-revision": "9",
"mvx-status": "ATTACK"
}
},
"interface": {
"interface": "pether4",
"mode": "tap",
"label": "A2"
}
},
"appliance-id": "00259085F738",
"msg": "normal",
"version": "7.9.0.474115",
"product": "CMS",
"appliance": "center1.eng.fireeye.com"
}
Event: riskware-callback
{
"version": "7.9.0.517470",
"msg": "normal",
"product": "Web MPS",
"appliance": "axhwmps.eng.fireeye.com",
"appliance-id": "0025908673D0",
"alert": {
"occurred": "2016-08-13T07:18:49Z",
"name": "riskware-callback",
"id": 14914,
"class": "RISKWARE",
"severity": "minr",
"action": "notified",
"alert-url": "https://axhwmps.eng.fireeye.com/notification_url/riskware?ev_id=637&inf_id=14914&inf_type=Riskware%20Callback",
"explanation": {
"malware-detected": {
"malware": {
"name": "Adware.MultiPlug",
"malicious": "no",
"url": "http://49939.northstar.api.socdn.com/installer/ad0d8641-dff0-11e3-8a58-80c16e6f498c/12932238/config",
"downloaded-at": "2016-08-13T07:18:49Z",
"executed-at": "2016-08-13T07:18:49Z"
}
},
"cnc-services": {
"cnc-service": {
"port": 80,
"protocol": "tcp",
"address": "49939.northstar.api.socdn.com",
"location": "IT"
}
}
}
}
}
Event: riskware-object
{
"version": "7.9.0.517470",
"msg": "normal",
"product": "Web MPS",
"appliance": "axhwmps.eng.fireeye.com",
"appliance-id": "0025908673D0",
"alert": {
"occurred": "2016-08-11T12:58:36Z",
"name": "riskware-object",
"id": 5772,
"class": "RISKWARE",
"severity": "minr",
"action": "notified",
"alert-url": "https://axhwmps.eng.fireeye.com/notification_url/riskware?ev_id=311&inf_id=5772&inf_type=Riskware%20Callback",
"explanation": {
"malware-detected": {
"malware": {
"md5sum": "4e3abdb86d76859a2595766512743196",
"name": "PUP.Generic.MVX",
"malicious": "no",
"executed-at": "2016-08-11T12:58:36Z",
"type": "exe",
"url": "xxx.xxx.xxx.xxx/4e3abdb86d76859a2595766512743196",
"sha256": "911c7379ac995628da64606a0726305d961c64be6e5a1a1421081cde1884f370",
"downloaded-at": "2016-08-11T12:58:35Z",
"http-header": "GET /4e3abdb86d76859a2595766512743196 HTTP/1.0::~~User-Agent: Wget/1.12 (linux-gnu)::~~Accept: */*::~~Host: 16.16.16.11::~~Connection: Keep-Alive::~~X-Forwarded-For: 159.54.252.133::~~HTTP/1.1 200 OK::~~Date: Wed, 30 Sep 2015 16:01:03 GMT::~~Server: Apache/2.2.15 (CentOS)::~~Last-Modified: Tue, 29 Sep 2015 22:18:09 GMT::~~ETag: \"1940777-a390a-520ea305bb73d\"::~~Accept-Ranges: bytes::~~Content-Length: 669962::~~Connection: close::~~Content-Type: text/plain; charset=UTF-8::~~"
}
}
}
}
}
Event: indicator-presence
{
"msg": "normal",
"product": "HX",
"alert": {
"_id": 35,
"host": {
"hostname": "random_925_13",
"ip": "::1",
"containment_state": "normal",
"os": "Mac OS X",
"agent_id": "029FFC1489600237718B14",
"agent_version": "24.0.1"
},
"resolution": "ALERT",
"event_id": 22711,
"condition": {
"_id": "KTJc8+cso4CIbODVBFDShw==",
"enabled": true,
"tests": [
{
"operator": "ends-with",
"token": "fileWriteEvent/filePath",
"type": "text",
"value": "\\temp"
},
{
"operator": "equal",
"token": "fileWriteEvent/md5",
"type": "md5",
"value": "aae466492bb90812d0ff1a7158885a6c",
"negate": true
},
{
"operator": "contains",
"token": "fileWriteEvent/filePath",
"type": "text",
"value": "janitor_21days",
"negate": true
},
{
"operator": "equal",
"token": "fileWriteEvent/fileName",
"type": "text",
"value": "process.dll"
},
{
"operator": "equal",
"token": "fileWriteEvent/md5",
"type": "md5",
"value": "84b904fa12c1a5528bf5730d5e6a5e8b",
"negate": true
},
{
"operator": "equal",
"token": "fileWriteEvent/md5",
"type": "md5",
"value": "09b130ebf4f2356efe383e1956f4a7bc",
"negate": true
},
{
"operator": "equal",
"token": "fileWriteEvent/md5",
"type": "md5",
"value": "d7350452606c57b16c3d4f92a9d949fa",
"negate": true
}
]
},
"event_at": "2017-03-15T18:47:41.205+00:00",
"matched_at": "2017-03-15T18:47:41.205+00:00",
"reported_at": "2017-03-15T18:47:41.205+00:00",
"source": "IOC",
"matched_source_alerts": null,
"event_type": "fileWriteEvent",
"event_values": {
"fileWriteEvent/timestamp": "2011-11-19T01:22:45.726Z",
"fileWriteEvent/drive": "C",
"fileWriteEvent/id": 316951377,
"fileWriteEvent/closed": 1,
"fileWriteEvent/pid": 28102,
"fileWriteEvent/filePath": "Program Files\\Internet Explorer",
"fileWriteEvent/fileName": "a.exe",
"fileWriteEvent/lowestFileOffsetSeen": 40,
"fileWriteEvent/textAtLowestOffset": "",
"fileWriteEvent/dataAtLowestOffset": "",
"fileWriteEvent/process": "csrss.exe",
"fileWriteEvent/md5": "232bbd00d62f84d63152db286b1e59f8",
"fileWriteEvent/writes": 64,
"fileWriteEvent/size": 1839,
"fileWriteEvent/fileExtension": "",
"fileWriteEvent/fullPath": "C:\\windows\\system32\\s.dll",
"fileWriteEvent/numBytesSeenWritten": 55
},
"uuid": "c81db400-5324-43a8-b0b9-c952d9103000"
},
"version": "3.5.0.615648",
"appliance-id": "870000000000",
"appliance": "yi-callisto1"
}
Event: indicator-executed
{
"msg": "normal",
"product": "HX",
"alert": {
"_id": 32,
"host": {
"hostname": "random_925_10",
"ip": "10.78.198.100",
"containment_state": "normal",
"os": "Mac OS X",
"agent_id": "DD333E1489600237717B11",
"agent_version": "22.0.1"
},
"resolution": "ALERT",
"event_id": 11424,
"condition": {
"_id": "RvTjvvDZtyRXCmz+40L_YQ==",
"enabled": true,
"tests": [
{
"operator": "equal",
"token": "regKeyEvent/valueName",
"type": "text",
"value": "javaupdater"
},
{
"operator": "contains",
"token": "regKeyEvent/path",
"type": "text",
"value": "currentversion\\run"
}
]
},
"event_at": "2017-03-15T18:42:44.014+00:00",
"matched_at": "2017-03-15T18:42:44.014+00:00",
"reported_at": "2017-03-15T18:42:44.014+00:00",
"source": "IOC",
"matched_source_alerts": null,
"event_type": "regKeyEvent",
"event_values": {
"regKeyEvent/path": "System",
"regKeyEvent/value": "25",
"regKeyEvent/hive": "HKEY_CURRENT_USER",
"regKeyEvent/keyPath": "XX",
"regKeyEvent/eventType": "None",
"regKeyEvent/timestamp": "2017-03-15T18:42:44.014Z",
"regKeyEvent/valueType": "DWORD",
"regKeyEvent/valueName": "Logon",
"regKeyEvent/id": "20",
"regKeyEvent/text": "25",
"regKeyEvent/process": "explorer.exe",
"regKeyEvent/pid": "10000"
},
"uuid": "5e732338-b5a1-495b-bbd4-81c504019e40"
},
"version": "3.5.0.615648",
"appliance-id": "870000000000",
"appliance": "yi-callisto1"
}
Event: exploit-blocked
{
"msg": "normal",
"appliance": "yi-callisto3",
"product": "HX",
"alert": {
"uuid": "4b337f9c-ec05-4240-82a7-bb5c33475af0",
"condition": null,
"_id": 6424,
"event_type": null,
"host": {
"hostname": "random_359_12",
"os": "Windows XP SP2",
"ip": "10.95.112.58",
"agent_id": "E7E6C61489344714203B13",
"agent_version": "12.0.1",
"containment_state": "normal"
},
"resolution": "BLOCK",
"event_values": null,
"event_at": "2017-03-15T18:18:25.501+00:00",
"matched_at": "2017-03-15T18:18:25.501+00:00",
"source": "EXD",
"analysis_details": [
{
"detail_type": "analysis",
"analysis": {
"mode": "malware",
"ftype": "unknown type",
"rules_version": "1.34",
"engine_version": "2.0.0.91",
"whitelist_version": "0.20"
}
},
{
"detail_type": "os",
"os": {
"name": "windows",
"version": "6.1.7601",
"sp": "1"
}
},
{
"EXPLOITED_PROCESS": {
"pid": "1088",
"processinfo": {
"pid": "1088",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
}
},
"detail_type": "EXPLOITED_PROCESS"
},
{
"detail_time": "2017-03-15T18:18:25.501Z",
"detail_type": "exploitcode",
"exploitcode": {
"timestamp": "131340755055010000",
"processinfo": {
"pid": "1088",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "31"
}
},
{
"detail_type": "OS-CORRELATION",
"OS-CORRELATION": {
"MESSAGE": "Exploit Shellcode launching a process",
"analysis-id": "31"
}
},
{
"detail_time": "2017-03-15T18:18:25.501Z",
"detail_type": "action",
"action": {
"analysis-id": "31",
"mode": "terminate",
"timestamp": "131340755055010000",
"result": "success",
"processinfo": {
"pid": "1088",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
}
}
},
{
"detail_time": "2017-03-15T18:18:25.501Z",
"detail_type": "process",
"process": {
"value": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"ppid": "2376",
"mode": "terminated",
"analysis-id": "32",
"eventid": "65382",
"pid": "1088",
"parentname": "N/A",
"cmdline": "iexplore.exe --fileevent",
"timestamp": "131340755055010000"
}
},
{
"analysis_result": {
"is_malicious": "no",
"is_blocked": "yes",
"_CONTENTS": "\nExploit Shellcode launching a process\n"
},
"detail_type": "analysis_result"
}
],
"matched_source_alerts": null,
"reported_at": "2017-03-15T18:18:25.502+00:00",
"event_id": null
},
"appliance-id": "860AD5C199E0",
"version": "3.5.0.614932"
}
Event: exploit-detected
{
"msg": "normal",
"product": "HX",
"alert": {
"_id": 8,
"host": {
"hostname": "random_925_9",
"ip": "c497:a2e4:1c74:80c5:c00b:ff8a:359d:b7ab",
"containment_state": "normal",
"os": "Mac OS X",
"agent_id": "CF29E91489600237716B10",
"agent_version": "11.0.1"
},
"resolution": "ALERT",
"event_id": null,
"condition": null,
"event_at": "2017-03-15T17:51:18.943+00:00",
"matched_at": "2017-03-15T17:51:18.943+00:00",
"reported_at": "2017-03-15T17:51:18.947+00:00",
"source": "EXD",
"matched_source_alerts": null,
"event_type": null,
"event_values": {
"earliest_detection_time": "2017-03-15T17:51:18Z",
"analysis_details": [
{
"detail_type": "analysis",
"analysis": {
"whitelist_version": "0.20",
"mode": "malware",
"rules_version": "1.34",
"ftype": "unknown type",
"engine_version": "2.0.0.91"
}
},
{
"os": {
"version": "6.1.7601",
"name": "windows",
"sp": "1"
},
"detail_type": "os"
},
{
"EXPLOITED_PROCESS": {
"pid": "612",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
}
},
"detail_type": "EXPLOITED_PROCESS"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "5"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "OS-CORRELATION",
"OS-CORRELATION": {
"MESSAGE": "Heap spray pattern detected",
"analysis-id": "5"
}
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "6"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "7"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "8"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "9"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "10"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "11"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "12"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "13"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "14"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "process",
"detail_time": "2017-03-15T17:51:18.943Z",
"process": {
"value": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"pid": "612",
"parentname": "N/A",
"ppid": "2376",
"cmdline": "iexplore.exe --patternspray",
"mode": "terminated",
"timestamp": "131340738789430000",
"eventid": "42332",
"analysis-id": "15"
}
},
{
"detail_type": "analysis_result",
"analysis_result": {
"is_malicious": "no",
"is_blocked": "no",
"_CONTENTS": "\nHeap spray pattern detected\n"
}
}
],
"process_id": "612",
"messages": [
"Heap spray pattern detected"
],
"process_name": "iexplore.exe"
},
"uuid": "fbafb320-4da3-4441-ba50-6bb1e81e117a"
},
"version": "3.5.0.615648",
"appliance-id": "870000000000",
"appliance": "yi-callisto1"
}
JSON Definitions
All of FireEyeʼs JSON values are strings. See the parameters in the table for examples of JSON syntax.
The Z character at the end of a time stamp indicates that the time displayed is in the UTC time zone. Starting in the 7.0.0
release, the time is displayed in UTC by default. To change the displayed time to your local time, use the following CLI
command: fenotify default timezone localtime
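The two points above (the 4K UDP limit for extended output, and the string-typed values and Z-suffixed UTC timestamps in the JSON definitions) are what a collector has to cope with when ingesting these notifications. The following is an added example, not FireEye code: a small normalizer that flattens NX/CM, riskware and HX notifications of the shapes shown in this manual into one record and checks whether a serialized notification still fits a UDP datagram. The samples are constructed from the examples on this page (the riskware sample deliberately uses the string spellings of id and occurred seen in other examples), and the field names are assumed only as far as they appear in those examples.

```python
# Added example (not part of the FireEye manual): normalize FireEye JSON
# alert notifications of the kinds shown on this page for SIEM ingestion.
import json
from datetime import datetime, timezone

UDP_LIMIT = 4096  # the 4K UDP limit the manual warns about for extended output

# Constructed samples, trimmed from the ips-event, riskware-object and HX
# indicator-presence notifications in this manual (IPs left masked).
SAMPLE_IPS = json.dumps({
    "msg": "normal", "product": "CMS", "appliance": "center1.eng.fireeye.com",
    "alert": {
        "occurred": "2016-07-13T00:54:15Z", "name": "ips-event", "id": 2,
        "severity": "crit", "class": "IPS",
        "src": {"ip": "xxx.xxx.xxx.xxx", "port": 80},        # numbers here ...
        "dst": {"ip": "xxx.xxx.xxx.xxx", "port": 1111},
        "explanation": {"ips-detected": {
            "sig-name": "Suspicious Java Jar Instantiation", "sig-id": "85305189"}},
    },
})
SAMPLE_RISKWARE = json.dumps({  # constructed variant: id/occurred as strings
    "msg": "normal", "product": "Web MPS", "appliance": "axhwmps.eng.fireeye.com",
    "alert": {
        "occurred": "2016-08-11 12:58:36+00", "name": "riskware-object", "id": "5772",
        "severity": "minr", "class": "RISKWARE",             # ... strings here
        "explanation": {"malware-detected": {"malware": {
            "name": "PUP.Generic.MVX", "malicious": "no",
            "md5sum": "4e3abdb86d76859a2595766512743196"}}},
    },
})
SAMPLE_HX = json.dumps({
    "msg": "normal", "product": "HX", "appliance": "yi-callisto1",
    "alert": {
        "_id": 35, "resolution": "ALERT", "source": "IOC",
        "event_at": "2017-03-15T18:47:41.205+00:00", "event_type": "fileWriteEvent",
        "host": {"hostname": "random_925_13", "ip": "::1"},
        "event_values": {"fileWriteEvent/fullPath": "C:\\windows\\system32\\s.dll",
                         "fileWriteEvent/md5": "232bbd00d62f84d63152db286b1e59f8"},
    },
})

SEVERITY_RANK = {"minr": 1, "majr": 2, "crit": 3}  # as spelled in the notifications


def parse_when(value):
    """Accept the three timestamp spellings seen on this page: '...T00:54:15Z'
    (trailing Z = UTC), '... 00:52:14+00' (NX/CM style) and '...+00:00' (HX)."""
    v = value.strip()
    if v.endswith("Z"):
        return datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if v.endswith("+00") and "T" not in v:
        return datetime.strptime(v[:-3], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(v)


def as_int(value):
    """Ports and ids arrive as strings in some events and as numbers in others."""
    return None if value is None else int(value)


def normalize(raw):
    """Flatten one notification into the fields a SIEM rule would key on."""
    n = json.loads(raw)
    a = n["alert"]
    expl = a.get("explanation", {})
    mal = expl.get("malware-detected", {}).get("malware", {})
    ips = expl.get("ips-detected", {})
    ev = a.get("event_values") or {}
    src = a.get("src") or a.get("host") or {}   # HX reports the host, not a flow
    dst = a.get("dst") or {}
    return {
        "appliance": n.get("appliance"),
        "product": n.get("product"),
        "format": n.get("msg"),                          # concise / normal / extended
        "event": a.get("name") or a.get("event_type"),   # HX alerts carry no 'name'
        "alert_id": as_int(a.get("id", a.get("_id"))),
        "severity": SEVERITY_RANK.get(a.get("severity"), 0),
        "occurred": parse_when(a.get("occurred") or a["event_at"]),
        "src_ip": src.get("ip"), "src_port": as_int(src.get("port")),
        "dst_ip": dst.get("ip"), "dst_port": as_int(dst.get("port")),
        "detection": mal.get("name") or ips.get("sig-name"),
        # riskware carries malicious:"no"; an IPS hit counts as malicious
        "malicious": mal.get("malicious") == "yes" or bool(ips),
        "md5": mal.get("md5sum") or ev.get("fileWriteEvent/md5"),
    }


def fits_udp(raw, limit=UDP_LIMIT):
    """True if the serialized notification fits one UDP syslog datagram."""
    return len(raw.encode("utf-8")) <= limit


if __name__ == "__main__":
    for raw in (SAMPLE_IPS, SAMPLE_RISKWARE, SAMPLE_HX):
        rec = normalize(raw)
        print(rec["event"], rec["severity"], rec["occurred"].isoformat(), fits_udp(raw))
```

A collector that sees fits_udp() return False for extended-format notifications should switch the rsyslog transport to TCP rather than truncate the message.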
Event
Element Name Description Products Data Type Release
Type
alerts
Description: alerts represents the topmost element in the notification XPath.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type (see more examples in XML Notification Examples per Infection Type on page 122):
l /appliance
l /appliance-id
l /product
l /version
l /msg
l /alert/id
l /alert/name
l /alert/severity
l /alert/src/vlan
l /alert/smtp-message/id
l /alert/interface/label
l /alert/interface/mode
l /alert/explanation/analysis
l /alert/explanation/protocol
l /alert/explanation/urls
l /alert/explanation/malware-detected/malware/content
l /alert/explanation/malware-detected/malware/name
l /alert/explanation/malware-detected/malware/scan
l /alert/explanation/malware-detected/malware/sid
l /alert/explanation/malware-detected/malware/type
l /alert/explanation/malware-detected/malware/stype
l /alert/explanation/malware-detected/malware/archives
l /alert/explanation/malware-detected/malware/parent
l /alert/explanation/malware-detected/malware/origid
l /alert/explanation/malware-detected/malware/malicious
l /alert/explanation/stolen_data/event_id
l /alert/explanation/stolen_data/size
l /alert/explanation/stolen_data/info/decrypted
l /alert/explanation/stolen_data/info/encryption
l /alert/explanation/stolen_data/info/type
l /alert/explanation/stolen_data/info/field/name
l /alert/explanation/cnc-services/cnc-service/port
l /alert/explanation/cnc-services/cnc-service/protocol
l /alert/explanation/os-changes/osinfo
l /alert/explanation/os-changes/id
l /alert/explanation/os-changes/version
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (same for all releases):
  {
    "appliance": "2001:470:84a7:1720:2e0:81ff:fe4f:ac03",
    "product": "Web MPS",
    "version": "6.2.0.75853",
    "msg": "concise",
    "alert": {
      "id": "918",
      "name": "domain-match",
      "severity": "minr",
      "src": " ",
      "smtp-message": ...
      "action": "notified",
      "alert-url": "https://xxx.xxx.xxx.xxx/...",
      "dst": {
        "mac": "00:50:56:e8:ba:21"
      },
      "malware-detected": {
        "malware": {
          "name": "Trojan.Downloader.Bredolab"
        }
      }
    }
  },
  {
    "appliance": "2001:470:84a7:1720:2e0:81ff:fe4f:ac03",
    "product": "Web MPS",
    "version": "6.2.0.75853",
    "alert": {
      "id": "2989",
      "name": "infection-match",
      "severity": "minr",
      "action": "notified",
      "alert-url": "https://xxx.xxx.xxx.xxx/",
      "dst": {
        "ip": "xxx.xxx.xxx.xxx",
        "mac": "0a:20:02:8f:a4:27",
        "port": "80"
      },
      "explanation": {
        "analysis": "binary",
        "protocol": "tcp",
        "cnc-services": {
          "cnc-service": {
            "port": "80",
            "protocol": "tcp",
            "address": "xxx.xxx.xxx.xxx",
            "channel": "GET /games/... HTTP/1.1::...::~~::~~"
          }
        },
        "malware-detected": {
          "malware": {
            "name": "Exploit.ToolKit",
            "sid": "84000006",
            "stype": "bot-command"
          }
        }
      },
      "interface": {
        "label": "A1",
        "mode": "tap",
        "interface": "pether3"
      },
      "occurred": "2012-10-10T07:10:50Z",
      "src": {
        "vlan": "0",
        "ip": "xxx.xxx.xxx.xxx",
        "mac": "42:54:11:11:ff:03",
        "port": "49169"
      }
    }
  }
alerts/alert
Description: alert represents the element REF= in the notification XPath.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: "/alert" is the secondary-level element of each notification message. It may include at least one of the following sub-elements (see more examples in XML Notification Examples per Infection Type on page 122):
l /src
l /explanation
l /alert-url
l /action
l /locations
l /occurred
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "alert": {
    "id": "29129",
    "name": "malware-object",
    "severity": "majr",
    "action": "notified",
    "alert-url": "https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ma_id=29129&lms_iden=00:E0:81:4F:AC:03",
    "dst": {
      "ip": "221.187.185.88"
    },
    ...
alerts/alert/src
Description: src represents the element REF for the infected host. The source is either an email address or an IP address. The source IP address is that of the victim of the infection, not the origin of the malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following sub-elements or attributes in the notification:
l /alerts/alert/src
l /alerts/alert/src/vlan
l /alerts/alert/src/ip
l /alerts/alert/src/mac
l /alerts/alert/src/url
l /alerts/alert/src/host
l /alerts/alert/src/port
l /alerts/alert/src/domain
l /alerts/alert/src/smtp-mail-from
l /alerts/alert/src/repository
l /alerts/alert/src/proxy
These sub-elements and attributes are described further in other rows of this table.
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "src": {
    "ip": "xxx.xxx.xx.xxx",
    "mac": "00:20:18:11:ff:40",
    "vlan": "0",
    "port": "49177"
  },
or
  "src": {
    "url": "/3lC3L55QC4z3NZNm-1-5_mal_files.zip",
    "domain": "sender.com",
    "smtp-mail-from": "[email protected]"
  },
alerts/alert/src/vlan
Description: vlan represents the VLAN ID.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: vlan is an XPath attribute of the src element, and this attribute includes the following sub-element values:
l ip
l port
l mac
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "src": {
    "vlan": "0",
    "ip": "xxx.xxx.xxx.xxx",
    "mac": "42:54:11:11:ff:03",
    "port": "49169"
  }
alerts/alert/src/ip
Description: ip represents the IP address of the infected host.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: IPv4 address (dotted-decimal string)
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "src": {
    "vlan": "0",
    "ip": "xxx.xxx.xxx.xxx"
  }
alerts/alert/src/mac
Description: mac represents the MAC address of the infected host.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: MAC address; six colon-separated hexadecimal numbers
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "src": {
    "vlan": "0",
    "ip": "xxx.xxx.xxx.xxx",
    "mac": "42:54:11:11:ff:03",
    "port": "49169"
  }
alerts/alert/src/url
Description: url represents the URL associated with the malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: HTTP or HTTPS source URL of the malware.
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "src": {
    "vlan": "0",
    "ip": "xxx.xxx.xxx.xxx",
    "mac": "42:54:11:11:ff:03",
    "port": "49169",
    "url": "https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ma_id\=51056&lms_iden\=00:25:90:54:7E:6E cs1Label=sname cs1=Trojan.Generic"
  }
alerts/alert/occurred
Description: occurred represents the date and time of the malware infection.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: Time stamp, yyyy-mm-ddTHH:mm:ssZ (the standard XML dateTime format; the trailing Z marks UTC)
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "occurred": "2012-10-11T20:09:39Z"
alerts/alert/dst
Description: For EX Series appliances, dst represents the email destination of the targeted host. For NX Series appliances, dst represents the destination host targeted by the infected source host.
Products: EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following sub-elements in the notification:
l alerts/alert/dst/mac
l alerts/alert/dst/port
l alerts/alert/dst/ip
l alerts/alert/dst/smtp-to
l alerts/alert/dst/smtp-cc
These sub-elements are described further in other rows of this table.
Release: 6.x, 7.x
Example, for an EX Series appliance (not applicable for release 6.0; same for releases 6.1 and later):
  "dst": {
    "ip": "xxx.xxx.xxx.xxx",
    "mac": "00:10:db:ff:20:80",
    "port": "80"
    ...
Example, for an NX Series appliance (not applicable for release 6.0; same for releases 6.1 and later):
  "dst": {
    "ip": "xxx.xxx.xxx.xxx",
    "mac": "02:35:4b:f8:74:8e",
    "port": "80"
    ...
alerts/alert/dst/mac
Description: mac represents the MAC address of the attacker host.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: MAC address; six colon-separated hexadecimal numbers
Release: 6.x, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "dst": {
    "ip": "xxx.xxx.xxx.xxx",
    "mac": "00:10:db:ff:20:80",
    "port": "80"
    ...
alerts/alert/dst/ip
Description: ip represents the IP address of the attacker host.
Products: EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: IPv4 address (dotted-decimal string)
Release: 6.x, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "dst": {
    "ip": "xxx.xxx.xxx.xxx",
    "mac": "00:10:db:ff:20:80",
    "port": "80"
    ...
alerts/alert/explanation
Description: The explanation element provides supporting details about the MVX analysis and detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following attributes and sub-elements in the notification:
l alerts/alert/explanation/analysis
l alerts/alert/explanation/protocol
l alerts/alert/explanation/urls
l alerts/alert/explanation/service
l alerts/alert/explanation/anomaly
l alerts/alert/explanation/target-application
l alerts/alert/explanation/target-os
l alerts/alert/explanation/stolen_data
l alerts/alert/explanation/malware-detected
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "analysis": "binary",
    "protocol": "tcp",
    "cnc-services": {
      "cnc-service": {
        "port": "80",
        "protocol": "tcp",
        "address": "xxx.xxx.xxx.xxx",
        "channel": "GET /games/... ...Connection: keep-alive::~~Referer: http://moa3.co.cc/imgurlfx.php?hl=180ce3af78870604::~~::~~"
      }
    },
    "malware-detected": {
      "malware": {
        "name": "Exploit.ToolKit.BlackHole",
        "sid": "84000006",
        ...
alerts/alert/explanation/analysis
Description: The explanation element's attribute analysis describes the type of analysis performed by the FireEye appliance MVX.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: The type of malware analysis model used, with the following possible values:
l none
l replay
l direct-entry
l malware
l binary-analysis
l content-analysis
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "analysis": "binary",
    "protocol": "tcp",
    "cnc-services": {
      "cnc-service": {
        "port": "80",
        "protocol": "tcp",
        "address": "xxx.xxx.xxx.xxx",
        ...
alerts/alert/explanation/urls
Description: The explanation element's attribute urls represents the URLs detected by the FireEye appliance MVX, separated by commas.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: URLs that may have been involved in an infection.
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "analysis": "binary",
    "protocol": "tcp",
    "urls": "https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ma_id\=51056&lms_iden\=00:25:90:54:7E:6E cs1Label=sname cs1=Trojan.Generic"...
    ...
  }
alerts/alert/explanation/anomaly
Description: The anomaly element defines the type of anomalous event detected by the FireEye appliance MVX.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: Available values for the type of anomaly detected:
l anomaly-tag
l datatheft
l keylogger
l misc-anomaly
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "anomaly": "misc-anomaly",
    ...
alerts/alert/explanation/stolen_data
Description: The stolen_data element provides information about data stolen at the time of infection.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following attributes in the notification:
l alerts/alert/explanation/stolen_data/event_id
l alerts/alert/explanation/stolen_data/size
l alerts/alert/explanation/stolen_data/info/decrypted
l alerts/alert/explanation/stolen_data/info/encryption
l alerts/alert/explanation/stolen_data/info/type
l alerts/alert/explanation/stolen_data/info/description
l alerts/alert/explanation/stolen_data/info/severity
l alerts/alert/explanation/stolen_data/info/field/name
These sub-elements and attributes are described further in other rows in this table.
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "stolen_data": {
    "size": "99",
    "info": {
      "type": "identity",
      "encryption": "RC4",
      "decrypted": "yes",
      "description": "FireEye sample malware-callback data-theft plugin output for sid 2345",
      "severity": "3",
      "field": {
        "service": "https://www.fe-examples.com/samples/reporting/login",
        "name": "user",
        "name": "password"
      }
    }
  }
alerts/alert/explanation/stolen_data/size
Description: The size attribute represents the size of the stolen data in bytes.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: String, 1023 characters
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "stolen_data": {
    "size": "99",
    "event_id": "events_for_bot?ma_id\=51056&lms_iden\=00:25:90:54:7E:6E"
  }
alerts/alert/explanation/malware-detected
Description: The malware-detected element provides details about detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following attributes in the notification:
l alerts/alert/explanation/malware-detected/malware
l alerts/alert/explanation/malware-detected/malware/content
l alerts/alert/explanation/malware-detected/malware/name
l alerts/alert/explanation/malware-detected/malware/scan
l alerts/alert/explanation/malware-detected/malware/sid
l alerts/alert/explanation/malware-detected/malware/type
l alerts/alert/explanation/malware-detected/malware/stype
l alerts/alert/explanation/malware-detected/malware/archives
l alerts/alert/explanation/malware-detected/malware/parent
l alerts/alert/explanation/malware-detected/malware/origid
l alerts/alert/explanation/malware-detected/malware/archive
l alerts/alert/explanation/malware-detected/malware/malicious
l alerts/alert/explanation/malware-detected/malware/note
l alerts/alert/explanation/malware-detected/malware/url
l alerts/alert/explanation/malware-detected/malware/profile
l alerts/alert/explanation/malware-detected/malware/md5sum
l alerts/alert/explanation/malware-detected/malware/application
l alerts/alert/explanation/malware-detected/malware/http-header
l alerts/alert/explanation/malware-detected/malware/domain
l alerts/alert/explanation/malware-detected/malware/user
l alerts/alert/explanation/malware-detected/malware/original
l alerts/alert/explanation/malware-detected/malware/downloaded-at
l alerts/alert/explanation/malware-detected/malware/executed-at
l alerts/alert/explanation/malware-detected/malware/objurl
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "malware-detected": {
    "malware": {
      "name": "Worm.Email.Bagle",
      "sid": "11111276",
      "stype": "bot-command"
    }
  }
alerts/alert/explanation/malware-detected/malware
Description: The malware element uses attributes that define the detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following attributes in the notification:
l content
l name
l scan
l sid
l type
l stype
l archives
l parent
l origid
l malicious
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "malware-detected": {
      "malware": {
        "name": "Trojan.Downloader.Bredolab"
      }
    }
  },
alerts/alert/explanation/malware-detected/malware/content
Description: The content attribute defines the content type of a URL associated with the detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: Content attribute options:
l mime
l text
l and so on...
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "malware-detected": {
      "malware": {
        "name": "Trojan.Downloader.Bredolab",
        "content": "mime"
      }
    }
  },
alerts/alert/explanation/malware-detected/malware/type
Description: The type attribute specifies the file type of the detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: Possible values:
l exe
l pdf
l ppt
l doc
l docx
l and so on...
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "malware-detected": {
      "malware": {
        "name": "InfoStealer.Banker.Zbot.DNS",
        "type": "exe"
      }
    }
  },
alerts/alert/explanation/malware-detected/malware/stype
Description: The stype attribute specifies the FireEye-assigned signature type for the detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: Possible values:
l unknown
l generated-content
l fireeye-content
l bot-command
l fqc
l known-md5sum
l duplicate-md5sum
l av-match
l vm-bot-command
l blacklist
l yara
l avs
l archive
l encoding
l timestamp
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "malware-detected": {
      "malware": {
        "name": "InfoStealer.Banker.Zbot.DNS",
        "stype": "blacklist"
      }
    }
  },
alerts/alert/explanation/malware-detected/malware/note
Description: The note element allows the system to add notes or details to alert notifications about the detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: String, 1023 characters
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "malware-detected": {
      "malware": {
        "note": "AttackZone3",
        "content": "mime"
      }
    }
  },
alerts/alert/explanation/malware-detected/malware/url
Description: The url element provides the primary URL associated with the detected malware.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: HTTP or HTTPS
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "malware-detected": {
      "malware": {
        "url": "https://xxx.xxx.xxx.xxx/event_stream/events_for_bot?ma_id\=51056&lms_iden\=00:25:90:54:7E:6E cs1Label=sname cs1=Trojan.Generic",
        "malicious": "true"
      }
    }
  },
alerts/alert/explanation/malware-detected/malware/user
Description: The user element specifies the user name of the appliance user that has submitted the malware for analysis.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: String, 1023 characters
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "malware-detected": {
      "malware": {
        "user": "networkAlpha.com"
        ...
alerts/alert/explanation/cnc-services/cnc-service/address
Description: The address element specifies the IP address associated with the malware's command and control center.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: IPv4 or IPv6 IP address
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "cnc-services": {
      "cnc-service": {
        "port": "80",
        "protocol": "tcp",
        "address": "xxx.xxx.xxx.xxx",
        ...
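The src, dst, explanation, malware-detected and cnc-services rows above define what a consumer of these notifications has to get right: every value is a string, so ports, ids and sids must be cast; src is the victim (the infected host) and dst is the host it talked to, whatever direction the packets flowed; every sub-element "might" be present, so nothing may be indexed unconditionally; and cnc-services/cnc-service/address, not dst, is the command-and-control address. The Python below is an added example, not code from the manual or from FireEye, that flattens one alert into a SIEM-style record under those rules. The output field names (victim_ip, cnc_address and so on) are this example's own; dst fields are named peer_* rather than attacker_* because on an EX Series appliance dst is an email recipient, as the dst row says. The sample notification is constructed from the infection-match example in the alerts row, with the page's xxx placeholders replaced by RFC 5737 documentation addresses.

```python
"""Added example: flatten a FireEye JSON alert (NX/CM shape) into a flat record."""
import json
from typing import Any, Dict, Optional


def _get(d: Optional[dict], *path: str) -> Any:
    """Walk nested dicts; return None at the first missing key instead of raising,
    because the definitions only promise "at least one" sub-element."""
    cur: Any = d
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _int(value: Optional[str]) -> Optional[int]:
    """All notification values are strings; convert numeric ones, tolerate junk."""
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def flatten_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Map one alert object (the value of "alert") to a flat record."""
    expl = alert.get("explanation") or {}
    cnc = _get(expl, "cnc-services", "cnc-service") or {}
    malware = _get(expl, "malware-detected", "malware") or {}
    channel = cnc.get("channel")
    return {
        "alert_id": _int(alert.get("id")),
        "alert_name": alert.get("name"),
        "severity": alert.get("severity"),
        "action": alert.get("action"),
        "occurred": alert.get("occurred"),
        # src is the infected host (victim), per the src row
        "victim_ip": _get(alert, "src", "ip"),
        "victim_mac": _get(alert, "src", "mac"),
        "victim_port": _int(_get(alert, "src", "port")),
        "victim_vlan": _int(_get(alert, "src", "vlan")),
        # dst is the host (NX) or mailbox (EX) the victim's traffic reached
        "peer_ip": _get(alert, "dst", "ip"),
        "peer_port": _int(_get(alert, "dst", "port")),
        "analysis": expl.get("analysis"),
        "protocol": expl.get("protocol"),
        # the C2 endpoint an analyst would block
        "cnc_address": cnc.get("address"),
        "cnc_port": _int(cnc.get("port")),
        "cnc_protocol": cnc.get("protocol"),
        # channel holds the request separated by "::"; keep only the request line
        "cnc_request": channel.split("::")[0] if channel else None,
        "malware_name": malware.get("name"),
        "malware_sid": _int(malware.get("sid")),
        "malware_stype": malware.get("stype"),
        "interface": _get(alert, "interface", "label"),
    }


def flatten_notification(text: str) -> Dict[str, Any]:
    """Parse a whole notification and flatten its alert, keeping the appliance
    identity so records from several sensors stay distinguishable."""
    doc = json.loads(text)
    rec = flatten_alert(doc.get("alert") or {})
    rec["appliance"] = doc.get("appliance")
    rec["product"] = doc.get("product")
    rec["appliance_version"] = doc.get("version")
    return rec


# Constructed sample based on the infection-match example above (addresses replaced).
SAMPLE_NOTIFICATION = json.dumps({
    "appliance": "2001:470:84a7:1720:2e0:81ff:fe4f:ac03",
    "product": "Web MPS",
    "version": "6.2.0.75853",
    "alert": {
        "id": "2989", "name": "infection-match", "severity": "minr", "action": "notified",
        "dst": {"ip": "203.0.113.10", "mac": "0a:20:02:8f:a4:27", "port": "80"},
        "explanation": {
            "analysis": "binary", "protocol": "tcp",
            "cnc-services": {"cnc-service": {
                "port": "80", "protocol": "tcp", "address": "203.0.113.10",
                "channel": "GET /games/index.php HTTP/1.1::~~Host: example.test::~~::~~"}},
            "malware-detected": {"malware": {
                "name": "Exploit.ToolKit", "sid": "84000006", "stype": "bot-command"}},
        },
        "interface": {"label": "A1", "mode": "tap", "interface": "pether3"},
        "occurred": "2012-10-10T07:10:50Z",
        "src": {"vlan": "0", "ip": "192.0.2.25", "mac": "42:54:11:11:ff:03", "port": "49169"},
    },
})

if __name__ == "__main__":
    print(json.dumps(flatten_notification(SAMPLE_NOTIFICATION), indent=2))
```

Run against the sparse domain-match example (only dst.mac present) the same function yields a record of mostly None values rather than a KeyError, which is the behaviour a collector needs when the concise, normal and extended formats all arrive on the same feed.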
alerts/alert/explanation/os-changes
Description: The os-changes element uses attributes that detail MVX operating system information at the time of infection.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following attributes in the notification:
l osinfo
l id
l version
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "os-changes": {
      "osinfo": "WindowsXP Professional 5.1",
      "id": "34872232",
      "version": "6.2.0.75853",
      ...
alerts/alert/explanation/static-analysis
Description: The static-analysis element uses attributes that detail information about the static analysis tool(s) used during malware analysis.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following attributes in the notification:
l tool
l version
Release: 6.0, 6.1, 6.2, 6.3, 6.4, 7.x
Example (not applicable for release 6.0; same for releases 6.1 and later):
  "explanation": {
    "static-analysis": {
      "tool": "Sophos",
      "version": "5.1",
      ...
javacall
Description: The javacall element is reported when the Java method of interest is called.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following items in the notification:
l context: Always set to "not-signed-applet".
l timestamp: A relative VM time.
l repeat: Optional. Avoids reporting too many events. XML nodes marked with (*) are not present if the repeat attribute is present.
l pid: Java VM process ID.
l imagepath: Process path.
l class: Java class name (method of interest).
l method: Java method name (method of interest). Two special cases, <clinit> and <init>, are reported as "CLASS-CONSTRUCTOR" and "CONSTRUCTOR", respectively.
l parentClass/parentMethod: The class and method that made a call to the method of interest.
l this: Address of this class instance.
l static: The method is static.
l params/param: A list of parameters and their values.
Release: 7.x
javaevent
Description: The javaevent element is reported when an action is taken to modify the current Java SecurityManager state.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following in the notification:
l context: Always set to "not-signed-applet".
l timestamp: A relative VM time.
l sm-reset-init: Reported when the Java SecurityManager is getting initialized. This value is nonmalicious.
l sm-reset-null: Reported when a non-null pointer to the Java SecurityManager is getting reset to null. This value is highly malicious.
l sm-reset-value: Reported when a non-null pointer to the Java SecurityManager is set to another non-null instance of the Java SecurityManager. This value is inconclusive.
Release: 7.x
dialog-dismissed
Description: The dialog-dismissed element is reported when a dialog box is recognized and about to be dismissed.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following items in the notification:
l timestamp: A relative VM time.
l pid: The process ID that owns the dialog box to be dismissed.
l dlg-id: A unique dialog box identifier.
l note: A user-friendly string describing the dismissal method.
Release: 7.x
Example:
  "dialog-dismissed": {
    "note": "Dismissed with a click on the first button",
    "timestamp": "30630",
    "pid": "3168",
    "sequenceNumber": "22",
    "dlg-id": "General_purpose_Adobe_8_and_better_MB"
  },
popup-dialog
Description: The popup-dialog element is reported when a recognized dialog box is shown from a browser process.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following items in the notification:
l timestamp: A relative VM time.
l title: The dialog box title.
l pid: The process ID that owns the dialog box to be dismissed.
l tid: The thread ID that created this dialog box.
l imagepath: The process path.
Release: 7.x
Example:
  "popup-dialog": {
    "timestamp": "131480",
    "processinfo": {
      "tid": "2624",
      "imagepath": "c:\\program files\\internet explorer\\iexplore.exe",
      "pid": "3048"
    },
    "title": "File Download - Security Warning"
  },
thread
Description: The thread element is reported for various operations on a thread (such as suspended, terminated, or hide), for threads created with NtQueueApcThread[Ex]/QueueUserAPC, and for opened threads (opened or duplicate_opened).
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following items in the notification:
l source: Specifies the actor (source process) performing the action.
l target: Specifies the target (target process) for the action.
l duplicate_source: Specifies the process from which the thread handle is duplicated. It only applies to duplicate_opened.
l duplicate_target: Specifies the process to which the thread handle is copied. It only applies to duplicate_opened.
l desiredaccess: The access mask requested for open or duplicate_open.
l ntstatus: The system-call result. The result is 0x00000000/STATUS_SUCCESS for successful operations. For some operations, both success and failure are reported.
Release: 7.x
StackPivot
Description: The StackPivot element refers to the stack pointer going out of the range maintained in the thread environment block (TEB). This is an industry-known indicator of exploit/ROP attempts.
Products: NX, AX, FX, EX, CM
Event types: MC, WI, BA, IM, MW, DM, MO, IE, RC, RO
Data type: This element might include at least one of the following items in the notification:
l processinfo: Provides details of the process where the stack pivot is observed.
l apiname: The API where the stack pivot was discovered.
l StackAddress: The value of the stack pointer.
l StackBottom, StackTop: The allowed range for the stack pointer.
l gadgets: Encoded using base64. Crafted disassembly pieces that perform ROP.
Release: 7.x
Example:
  "stackpivot": [
    {
      "StackBottom": "0x0000000000126000",
      "processinfo": {
        "imagepath": "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe",
        "pid": "860",
        "md5sum": "1a5b4b58dbb626776920260704fd0116"
      },
      "SuppressMode": "None",
      "timestamp": "16329",
      "CallerAddress": "0x000000004a802f70",
      "StackAddress": "0x000000000f602038",
      "apiname": "MapViewOfFile",
      "StackTop": "0x0000000000130000",
      "params": {
        "param": [
          {
            "id": "1",
            "param": "0x238"
          },
          {
            "id": "2",
            "param": "38"
          },
          {
            "id": "3",
            "param": "0"
          },
          {
            "id": "4",
            "param": "0"
          },
          {
            "id": "5",
            "param": "0"
          }
        ]
      },
      "suppressed": "false",
      "CallerModule": "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\icucnv34.dll"
    },
    ...
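The StackPivot row above gives the three numbers that define the indicator: StackBottom and StackTop bound the range the thread's stack pointer may occupy, and StackAddress is the pointer's value at the monitored API call. The Python below is an added example, not code from the manual or from FireEye: it parses those hex strings (all values are strings in the notification) and re-derives the verdict, reporting how far outside the legitimate stack the pivoted pointer lies and which module issued the call, so a second-line analyst can see that the sample is a pivot of some 250 MB rather than a near miss. It also decodes the base64 gadgets field; the gadget text in the sample dictionary is constructed, since the page shows no gadgets value, and the assumption that it decodes to text is the example's own. The remaining sample values are copied from the StackPivot example above.

```python
"""Added example: re-check a StackPivot entry from a FireEye JSON notification."""
import base64
from typing import Any, Dict, Optional


def _hex(value: str) -> int:
    """Hex fields arrive as strings such as "0x000000000f602038"."""
    return int(value, 16)


def is_stack_pivot(entry: Dict[str, Any]) -> bool:
    """True when StackAddress lies outside [StackBottom, StackTop)."""
    sp = _hex(entry["StackAddress"])
    return not (_hex(entry["StackBottom"]) <= sp < _hex(entry["StackTop"]))


def pivot_summary(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Describe the pivot: which side of the legitimate range the stack pointer
    is on, how far away, the API it was caught at and the calling module."""
    sp = _hex(entry["StackAddress"])
    bottom, top = _hex(entry["StackBottom"]), _hex(entry["StackTop"])
    if sp < bottom:
        side, distance = "below", bottom - sp
    elif sp >= top:
        side, distance = "above", sp - top
    else:
        side, distance = "inside", 0
    proc = entry.get("processinfo") or {}
    return {
        "pivot": side != "inside",
        "side": side,
        "distance_bytes": distance,
        "api": entry.get("apiname"),
        "caller_module": entry.get("CallerModule"),
        "process": proc.get("imagepath"),
        "pid": int(proc["pid"]) if "pid" in proc else None,
        # "suppressed" is a string, so compare rather than test truthiness
        "suppressed": entry.get("suppressed") == "true",
    }


def decode_gadgets(entry: Dict[str, Any]) -> Optional[str]:
    """Decode the base64 gadgets field to text, or None when it is absent."""
    blob = entry.get("gadgets")
    if not blob:
        return None
    return base64.b64decode(blob).decode("utf-8", errors="replace")


# The StackPivot sample above, plus a constructed gadgets value (not from the page).
SAMPLE_PIVOT = {
    "StackBottom": "0x0000000000126000",
    "StackTop": "0x0000000000130000",
    "StackAddress": "0x000000000f602038",
    "CallerAddress": "0x000000004a802f70",
    "CallerModule": "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\icucnv34.dll",
    "apiname": "MapViewOfFile",
    "suppressed": "false",
    "processinfo": {
        "imagepath": "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\AcroRd32.exe",
        "pid": "860",
    },
    "gadgets": base64.b64encode(b"pop rcx ; ret\nmov rsp, rcx ; ret\n").decode(),
}

if __name__ == "__main__":
    print(pivot_summary(SAMPLE_PIVOT))
    print(decode_gadgets(SAMPLE_PIVOT))
```

Re-deriving the verdict from the raw fields is cheap insurance when notifications are forwarded through several hops: if a collector ever truncates or re-encodes the hex strings, the recomputed distance will disagree with the appliance's own judgement and the record can be flagged for review.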
event_type
Description: Primary event type for this condition (based on the first test).
Event types: indicator-presence, indicator-executed, exploit-blocked, exploit-detected
Release: 3.5

fileWriteEvent/drive
Description: The drive where a file write event occurred.
Event types: indicator-presence
Release: 3.5
Technical Support
Documentation
Documentation for all FireEye products is available on the FireEye documentation portal:
https://docs.fireeye.com/
© 2017 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or
service names are or may be trademarks or service marks of their respective owners.