AlertNotifications 2017.01 en

F I R E E Y E T E C H N I C A L D O C U M E N T A T I O N
ALERT NOTIFICATIONS
CEF | LEEF | CSV | XML | JSON | TXT
RELEASE 2017.01
ALERT NOTIFICATIONS / 2017

FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United
States and other countries. All other trademarks are the property of their respective
owners.
FireEye assumes no responsibility for any inaccuracies in this document. FireEye
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice.
Copyright © 2017 FireEye, Inc. All rights reserved.

Alert Notifications CEF | LEEF | CSV | XML | JSON | TXT
Release 2017.01
Revision 1
FireEye Contact Information:

Website: www.fireeye.com
Support Email: [email protected]
Support Website: csportal.fireeye.com
Phone:
United States: 1.877.FIREEYE (1.877.347.3393)
United Kingdom: 44.203.106.4828
Other: 1.408.321.6300
Contents
Contents
Supported Products 7
Overview 9
Alerts 10
Domain Match 10
Infection Match 10
Local Callback 10
Local Infection 10
Malware Callback (Generic) 11
Malware Callback (DTI.Callback) 11
Malware Object (with AV-Suite Detection) 11
Malware Object (with Zero-Day Callback) 11
Riskware Callback 12
Riskware Object 12
Web Infection 12
Web Infection (malware.binary.url) 13
Concise, Extended, and Normal Format Outputs 13
Source and Destination Addresses 13
Abbreviations Used in This Manual 13
References 14
CEF Notifications 15
Sample CEF Notifications per Event Type 18
domain-match (CM Series) 18
domain-match (NX Series) 18
infection-match (CM Series) 18
infection-match (NX Series) 19
© 2017 FireEye 3
Contents
malware-callback (CM Series) 19

malware-callback (NX Series) 19
malware-object (CM Series) 20
malware-object (NX Series) 20
malware-object (EX Series) 20
malware-object (AX Series) 21
malware-object (FX Series) 21
web-infection (NX Series) 21
ips-event (CM Series) 21
ips-event (NX Series) 22
riskware-callback (IPv4) 22
riskware-callback (IPv6) 22
riskware-object (IPv4) 23
riskware-object (IPv6) 23
AT Alert (ETP Cloud) 23
ACE Alert (ETP Cloud) 24
CEF Extension Field Key=Value Pair Definitions 25
CEF Standard Fields and Values for ETP Cloud 57
LEEF Notifications 61
Sample LEEF Notifications per Event Type 63
Event: domain-match 63
Event: infection-match (NX Series) 63
Event: malware-callback 64
Event: web-infection 64
Event: malware-object (NX Series) 64
Event: malware-object (EX Series) 65
Event: ips-event 65
Event: riskware-callback 65
Event: riskware-object 66
LEEF Extension Field Key=Value Pair Definitions 67
4 © 2017 FireEye
Contents
CSV Notifications 81
Sample CSV Notifications per Event Type 84
Event: ips-event 86
CSV Extension Field Key=Value Pair Definitions 87
XML Notifications 114

XML Notifications Schema 115
XML Notification Examples per Infection Type 122
Event: ips-event 127
XML Path (XPath) Element and Attribute Definitions 131
XML Schema for OS Changes—Windows 216
XML Schema for OS Changes—Macintosh 291
JSON Notifications 318

JSON Notification Examples per Infection Type 319
Event: malware-callback (CM Series) 319
Event: malware-callback (NX Series) 320
Event: malware-object (CM Series) 321
© 2017 FireEye 5
Contents

Event: web-infection (NX Series) 325
Event: infection-match (CM Series) 326
Event: domain-match (CM Series) 329
Event: domain-match (NX Series) 330
Event: ips-event 331
Event: indicator-presence 334
Event: indicator-executed 336
Event: exploit-blocked 338
Event: exploit-detected 340
JSON Definitions 346
JSON Definitions for HX Series 425
Technical Support 434

Documentation 434
6 © 2017 FireEye
Release 2017.01
Supported Products
The 2017.01 release of the Alert Notifications supports the following releases and earlier of
the FireEye products:
l AX Series: Version 7.7
l CM Series: Version 7.9
l EX Series: Version 7.9
l FX Series: Version 7.7
l HX Series: Version 3.5
l NX Series: Version 7.9
© 2017 FireEye 7
Alert Notifications CEF | LEEF | CSV | XML | JSON | TXT Supported Products
8 © 2017 FireEye
Alert Notifications CEF | LEEF | CSV | XML | JSON | TXT
Overview
The FireEye appliance Multi-Vector Execution (MVX) Engine detects stealthy web, file, or
email-based malware that uses malicious techniques to exploit client browsers, operating
systems, emails and applications. FireEye’s detection of a malicious event generates alert
details that can be sent from the appliance to an email, HTTP, SNMP, or rsyslog server or
Security Information and Event Management (SIEM) platform in multiple formats,
including CEF. This guide provides information about alert and event collection in the
following formats:
l Common Event Format (CEF)

l Log Event Enhanced Format (LEEF)
l Comma Separated Values (CSV)
l Extensible Markup Language (XML)
l JavaScript Object Notation (JSON)
This guide focuses on the formats that can be consumed by programs. FireEye
also provides human-readable ASCII TEXT notifications that are not discussed
in detail in this guide.
The FireEye appliance Web UI Settings>Notifications menu provides the options for
configuring alert notifications for each supported format to be sent to email, HTTP, SNMP,
rsyslog or SIEM servers. The servers, in turn, must be configured to receive the
notifications in the respective format(s).
When configuring a FireEye appliance to send alert notifications in CEF format, for
example, an administrator must confirm that the rsyslog trap-sink server supports CEF.
The CEF output is accessible for parsing only on the rsyslog server and cannot be viewed
from the FireEye appliance CLI or Web UI.
© 2017 FireEye 9
Alert Notifications CEF | LEEF | CSV | XML | JSON | TXT Overview
Alerts
Whenever the FireEye appliances detect malware, an alert is generated. This section gives
more details about the alert types and provides recommendations of what to do.
Domain Match
Domain-match alerts show when an endpoint has requested Domain Name System (DNS)
to resolve a known malicious hostname. This alert means that the DNS was resolved. It
does not indicate that any malicious payloads have been downloaded or that exploitative
content has been accessed. Domain matches are not blocked because they are just name
resolutions. There is no target IP address in this type of match. The alert has the exact time
that the NX series appliance picked up the DNS traffic.
By itself, this type of alert is for informational purposes only. If a high volume of domain
matches is occurring, the endpoint might be compromised and needs to be cleaned.
Infection Match
This alert indicates that the endpoint attempted to browse to a URL that is known to be
exploitative. If no other alerts from the endpoint are present, it is unlikely that the endpoint
is infected. If the NX Series appliance is in blocking mode, infection matches are blocked
It is possible that other channels are being used in such a way that they are undetectable or
that the endpoint is compromised but using a different point on the network for its traffic.
Check if anything suspicious happened around this time. If you have the FireEye IPS
license and known exploit details are available, check if the vulnerable software versions
are being used. Check local security logs and security information and event management
(SIEM) logs. You can also use the HX Series appliance for triage investigation.
Local Callback
Local-callback alerts refer to malicious URLs that were fetched during dynamic virtual
analysis by binaries or Web traffic. If the NX Series appliance is in blocking mode, local
callbacks are blocked.
The likelihood that the endpoint is infected is high. The endpoint should be investigated
immediately and potentially removed from the network during this process.
Local Infection
Local-infection alerts happen after a malicious binary or exploitative server traffic is
detected. If the NX Series appliance is in blocking mode, local infections are blocked. The
exact URL location that the threat was accessed from is detected or blocked in the future,
depending on your settings.
10 © 2017 FireEye
Release 2017.01 Alerts
are being used. Check local security logs and SIEM logs. You can also use the HX Series
appliance for triage investigation.
Malware Callback (Generic)

Malware-callback alerts indicate that the endpoint is sending confirmed callback traffic to
a command-and-control server. The alerts only occur if an endpoint is infected with
malware. If the NX Series appliance is in blocking mode, malware callbacks are blocked.
The endpoint should be investigated immediately and removed from the network during
the process. Check local security logs and SIEM logs. You can also use the HX Series
Malware Callback (DTI.Callback)

This alert indicates that the endpoint generated suspicious traffic and the MVX engine
returned a positive match. Zero-day callbacks are only enabled on Dynamic Threat
Intelligence (DTI) two-way licenses because data must be sent to DTI to validate this threat.
The endpoint is likely compromised because standard browsing traffic will not trigger this
type of dynamic alert. The endpoint should be investigated immediately and removed
from the network during the process. Check local security logs and SIEM logs. You can
also use the HX Series appliance for triage investigation.
Malware Object (with AV-Suite Detection)

Malware-object alerts indicate that the endpoint downloaded a known malicious binary. In
this case, the AV-Suite also had a match on this malware and was able to give the
malware a more specific name. Malware objects are not blocked; however, subsequent
requests to the same URL will be blocked.
The endpoint should be investigated for the presence of a malicious file. If the end user
knowingly downloaded the file but did not execute it, the endpoint might be clean. It is
possible that the file was dropped and executed without the userʼs knowledge.
If the end user ran the binary, it is likely that the endpoint is compromised, unless the
binary only works on certain software versions. In this case, the endpoint should be
removed from the network for additional analysis. Check local security logs and SIEM
logs. You can also use the HX Series appliance for triage investigation.
Malware Object (with Zero-Day Callback)

This alert indicates that the endpoint downloaded an unknown malicious binary, and the
MVX engine detected a zero-day callback.
The endpoint should be investigated for the presence of a malicious file. If the end user
© 2017 FireEye 11
Riskware Callback
Riskware-callback alerts indicate that the endpoint is sending confirmed callback traffic to
a command-and-control server. This alert occurs if a riskware object was downloaded and
launched on an endpoint.
The endpoint should be investigated immediately and removed from the network during
the process. Check local security logs and SIEM logs. You can also use the HX Series
Riskware Object
Riskware-object alerts indicate that the endpoint downloaded known riskware.
The endpoint should be investigated for the presence of riskware. If the end user
Web Infection
Web-infection alerts indicate that the endpoint accessed a Web page that was determined
by the MVX engine to exploit the endpoint. Subsequent Web infections are blocked,
depending on your configuration.
are being used. Check local security logs and SIEM logs. You can also use the HX Series
Starting in the 7.9 release, there are now three flags to differentiate among the types of
URLS:
l URL (not suspicious)

l Referer.URL
l Suspicious.URL
12 © 2017 FireEye
Release 2017.01 Concise, Extended, and Normal Format Outputs
Web Infection (malware.binary.url)

A malware.binary.url alert is the default signature for any multiflow attack that does not
have a specific signature.
Concise, Extended, and Normal Format Outputs

Alert notifications in all formats (XML, JSON, CEF, LEEF, and so on) are configurable in
“concise,” “extended,” or “normal” outputs. These output options offer different levels of
detailed information about a particular alert.
Notifications formatted with the “normal” output are the same as “concise” but also
include OS Changes, callback details, and malware details if available. Extended outputs
are the same as “normal” but also include data theft and static analysis information, if
available.
If you are sending alert notifications in XML or JSON to a rsyslog server using the
extended output option, the size of the alert notification is likely to exceed the 4K
UDP limit. To avoid this limit, use TCP as the transportation layer instead of
UDP.
Source and Destination Addresses

For AX Series, CM Series, FX Series, and NX Series appliances, FireEye alert notification
messages include the source and destination addresses of traffic observed on the
appliance.
Except for IPS, the source address represents the victim, and the destination address
represents the attacker. The same host address convention is used throughout the Web UI
and CLI of the FireEye appliances.
For the NX and CM Series appliances, you can change the notification source and
destination values using the fenotify preferences normalize-ips-event enable
command. For more information, see the CLI Reference.
Abbreviations Used in This Manual

The following abbreviations are used for event types:
Abbreviation Event Type
BA binary-analysis
DM domain-match
IE ips-event
© 2017 FireEye 13
Abbreviation Event Type
IM infection-match
MC malware-callback
MO malware-object
MW malware-analysis-done
RC riskware-callback
RO riskware-object
WI web-infection
The following product abbreviations are used in CEF, LEEF, and CSV alert notifications:
Abbreviation Product
CMS CM Series
eMPS EX Series
fMPS FX Series
MAS AX Series
MPS NX Series
The following product abbreviations are used in XML and JSON alert notifications:
Abbreviation Product
CMS CM Series
Email MPS EX Series
File MPS FX Series
MAS AX Series
Web MPS NX Series
References
[1] ArcSight. The ArcSight platform:
https://www.protect724.hpe.com/login.jspa?referer=%2Fcommunity%2Farcsight
[2] ArcSight. Common event format: https://www.protect724.hpe.com/docs/DOC-1072
[3] syslogd, the enhanced syslogd for Linux and UNIX: http://www.rsyslog.com
14 © 2017 FireEye
CEF Notifications
This section covers the following topics:
l Sample CEF Notifications per Event Type on page 18

l CEF Extension Field Key=Value Pair Definitions on page 25
l CEF Standard Fields and Values for ETP Cloud on page 57
Common Event Format (CEF) [2] is an ArcSight [1] supported format for rsyslog [3]. ArcSight provides an open standard for log
management and interoperability of security related information from different devices, network appliances and applications. The open log
format (that is, CEF) is adopted by FireEye for sending FireEye malware event notifications to an ArcSight channel. This format contains the
most relevant event information, making it available for event consumers to parse and use the data interoperably. To integrate the events,
the syslog message format is used as a transport mechanism. This mechanism is structured to include a common prefix applied to each
message, and contains the date and hostname as shown:
Jan 18 11:07:53 host <message>
where message=<header>|<extension>
The message in CEF format includes a header and an extension as a set of key=value pairs. For additional information, refer to the ArcSight
Common Event Format white paper [2] for a detailed description of the ArcSight CEF format.
The FireEye CEF message header is defined as follows:
CEF:0|<vendor>|<product name>|<version>|<cef event type>|<event-name>|<severity>|<extension>
where
© 2017 FireEye 15
CEF Notifications
CEF Field Description

CEF:0 The CEF header consists of a set of appliance attributes delimited by pipes ( | ) which starts with
CEF:<VERSION>, where the current CEF version is always 0.
<vendor> FireEye is the appliance vendor.
<product Product name must represent a valid FireEye product name. For example, valid product names are ‘MPS’ (for
name>
the NX Series), ‘eMPS’ (for the EX Series), ‘fMPS’ (for the FX Series), ‘MAS’ (for the AX Series), and ‘CMS’ (for
the CM Series).
<version> Version represents the FireEye software release on the appliance used to detect the malware and send the alert
notification.
<cef event cef event type is an abbreviated, short form of the event name, which corresponds to the output in the next field
type>
<event-name>. CEF event types for which there is no signature (rare) are designated as MC (malware-callback),
WI (web-infection), BA (binary-analysis), IM (infection-match), MW (mw-analysis-done), DM (domain-match),
MO (malware-object), IE (ips-event), riskware-callback (RC), or riskware-object (RO).
16 © 2017 FireEye
CEF Notifications
CEF Field Description

<event-name> For event name, FireEye uses the signature name as the event name in CEF message headers; if there are
multiple signature names in a single detected malicious event, then the first match is used in this field. If there
is no signature name (a very rare case), then the following event types may be used as the event name:
l malware-callback
l web-infection
l binary-analysis (relevant only for Releases 5.x and 6.0)
l infection-match
l mw-analysis-done (relevant only for Releases 5.x and 6.0)
l domain-match
l malware-object (replaces binary-infection in Release 6.1 and later)
l ips-event
l riskware-object
l riskware-callback
<severity> The possible severity of an event ranges between 0 - 10, where 10 is the highest malware
severity.
<extension> Extensions include all the alert detection details, labeled in categories; for example: rt= , fileHash=, src=, cn1=,
cn2=, cn3=, cn1Label=, cn2Label=, cn3Label=, cs1=, cs2=, cs3=, cs4=, cs5=, cs6=, cs1Label=, cs2Label=, cs3Label=,
cs4Label=, cs5Label=, cs6Label=, request=, shost=, proto=, smac=, externalID=, dvchost=, spt=, dpt=, dst=, dvc=,
dmac=, suser=, msg=, filePath=, duser=, dproc=, eventURL=, sID=, sName=, sType=
The definitions for these extension field labels are provided in CEF Extension Field Key=Value Pair
Definitions on page 25. Not all products reference the same CEF field labels in their alert notifications.
© 2017 FireEye 17
CEF Notifications
Sample CEF Notifications per Event Type

Sample CEF notifications are shown for various event types. The definitions for each of the <extension> field keys are provided in
CEF Extension Field Key=Value Pair Definitions on page 25.
The product names in CEF notifications are ‘MPS’ (for the NX Series), ‘eMPS’ (for the EX Series) ‘fMPS’ (for the FX Series),
‘MAS’ (for the AX Series), and ‘CMS’ (for the CM Series).
domain-match (CM Series)

CEF Notification Message:
Jul 12 18:00:52 xxx.xxx.xxx.xxx fenotify-50.alert: CEF:0|FireEye|CMS|7.9.0.474115|DM|domain-match|1|rt=Jul 13
2016 00:54:16 UTC src=xxx.xxx.xxx.xxx cn3Label=cncPort cn3=53 cn2Label=sid cn2=80481791 shost=ip-95-223-164-
201.hsi16.unitymediagroup.de proto=udp spt=1025 cs5Label=cncHost cs5=refullania.com dvchost=qa-607-5
dvc=xxx.xxx.xxx.xxx smac=00:0c:29:9e:e9:da cn1Label=vlan cn1=0 externalId=50 cs4Label=link
cs4=https://center1.eng.fireeye.com/event_stream/events_for_bot?ev_id\=50 act=notified dmac=00:50:56:f7:db:db
cs1Label=sname cs1=Trojan.Generic.DNS
domain-match (NX Series)

Nov 22 03:12:37 jingalala.mrl.fireeye.com fenotify-980.warning: CEF:0|FireEye|MPS|7.9.2.581998|DM|domain-
match|1|rt=Nov 22 2016 11:19:42 UTC src=xxx.xxx.xxx.xxx cn3Label=cncPort cn3=53 cn2Label=sid cn2=80461038
proto=udp spt=1072 cs5Label=cncHost cs5=fget-career.com dvchost=Jingalala dvc=xxx.xxx.xxx.xxx
smac=d6:96:0a:84:24:15 cn1Label=vlan cn1=0 externalId=980 cs4Label=link
cs4=https://Jingalala.mrl.fireeye.com/event_stream/events_for_bot?ev_id\=980 act=notified
dmac=00:50:56:e5:3f:c5 cs1Label=sname cs1=Trojan.Ramnit.SNK.DNS devicePayloadId=8073fb31-c7a8-4c48-bef6-
65de72a1cbbf
infection-match (CM Series)

Jul 12 18:00:34 xxx.xxx.xxx.xxx fenotify-11.alert: CEF:0|FireEye|CMS|7.9.0.474115|IM|infection-
match|1|requestClientApplication=Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) cn2Label=sid
cn2=84000130 cs5Label=cncHost cs5=xxx.xxx.xxx.xxx spt=1106 smac=00:0c:29:9e:e9:da cn1Label=vlan cn1=0
cs4Label=link cs4=https://center1.eng.fireeye.com/event_stream/events_for_bot?ev_id\=11 rt=Jul 13 2016 00:54:15
18 © 2017 FireEye
CEF Notifications
UTC shost=ip-95-223-164-201.hsi16.unitymediagroup.de proto=tcp dst=xxx.xxx.xxx.xxx externalId=11

dmac=00:50:56:f7:db:db dvchost=qa-607-5 cs6Label=channel cs6=GET /in.cgi?2 HTTP/1.1::~~Accept: */*::~~Accept-
Language: en-us::~~User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)::~~Accept-
Encoding: gzip, deflate::~~Host: w0.five-mountain.org::~~Connection: Keep-Alive::~~::~~ src=95.223.164.201
cn3Label=cncPort cn3=80 dpt=80 dvc=xxx.xxx.xxx.xxx requestMethod=GET act=notified cs1Label=sname
cs1=Exploit.Kit.TDS
infection-match (NX Series)

Nov 22 03:12:37 jingalala.mrl.fireeye.com fenotify-979.warning: CEF:0|FireEye|MPS|7.9.2.581998|IM|infection-
match|1|rt=Nov 22 2016 11:19:37 UTC src=xxx.xxx.xxx.xxx cn3Label=cncPort cn3=80 cn2Label=sid cn2=84400000
requestMethod=GET proto=tcp spt=1057 dst=xxx.xxx.xxx.xxx cs5Label=cncHost cs5=xxx.xxx.xxx.xxx dvchost=Jingalala
dvc=xxx.xxx.xxx.xxx smac=d6:96:0a:84:24:15 cn1Label=vlan cn1=0 dpt=80 externalId=979 cs4Label=link
cs4=https://Jingalala.mrl.fireeye.com/event_stream/events_for_bot?ev_id\=979 act=notified cs6Label=channel
cs6=GET http://yang77.com/a/lizhiyulu/20151017/281.html HTTP/1.1::~~Host: yang77.com::~~HTTP/1.0 200
OK::~~Server: kangle/3.4.8::~~Date: Mon, 02 Nov 2015 23:30:45 GMT::~~Last-Modified: Tue, 20 Oct 2015 08:35:15
GMT::~~Content-Type: text/html::~~Content-Encoding: gzip::~~X-Cache: MISS from localhost::~~X-Cache-Lookup:
MISS from localhost:80::~~Via: 1.0 localhost (squid/3.1.20)::~~Connection: close::~~::~~ dmac=00:50:56:e5:3f:c5
cs1Label=sname cs1=Trojan.Ramnit devicePayloadId=3d035aad-34d9-4aa3-862c-bc3afd49e159
malware-callback (CM Series)

Jul 12 17:59:37 xxx.xxx.xxx.xxx fenotify-1.alert: CEF:0|FireEye|CMS|7.9.0.474115|MC|malware-
callback|7|requestClientApplication=Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16 cn2Label=sid cn2=86100470
cs5Label=cncHost cs5=xxx.xxx.xxx.xxx spt=1114 smac=00:00:50:40:00:44 cn1Label=vlan cn1=0 cs4Label=link
cs4=https://center1.eng.fireeye.com/event_stream/events_for_bot?ev_id\=1 rt=Jul 13 2016 00:52:14 UTC proto=tcp
dst=xxx.xxx.xxx.xxx externalId=1 dmac=00:00:00:50:40:55 dvchost=qa-607-5 cs6Label=channel cs6=GET /jb/jar.class
HTTP/1.1::~~User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_16::~~Host: 3635736986::~~Accept: text/html,
image/gif, image/jpeg, *; q\=.2, */*; q\=.2::~~Connection: keep-alive::~~::~~ src=xxx.xxx.xxx.xxx
cn3Label=cncPort cn3=80 dpt=80 request=hxxp://3635736986/jb/jar.class dvc=xxx.xxx.xxx.xxx requestMethod=GET
act=notified cs1Label=sname cs1=Trojan.MalJava
malware-callback (NX Series)

Nov 22 03:18:00 jingalala.mrl.fireeye.com fenotify-984.warning: CEF:0|FireEye|MPS|7.9.2.581998|MC|malware-
callback|7|requestClientApplication=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0;
SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E) cn2Label=sid
© 2017 FireEye 19
CEF Notifications
cn2=89052188 cs5Label=cncHost cs5=xxx.xxx.xxx.xxx spt=49397 smac=00:0c:29:77:81:f7 cn1Label=vlan cn1=0

cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/event_stream/events_for_bot?ev_id\=984 rt=Nov 22 2016
11:25:07 UTC proto=tcp dst=xxx.xxx.xxx.xxx externalId=984 dmac=00:50:56:ff:51:56 dvchost=Jingalala
cs6Label=channel cs6=POST / HTTP/1.1::~~User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;
Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C;
.NET4.0E)::~~Host: xxx.xxx.xxx.xxx::~~Content-Length: 65278::~~Cache-Control: no-cache::~~::~~
src=xxx.xxx.xxx.xxx cn3Label=cncPort cn3=80 dpt=80 request=hxxp://xxx.xxx.xxx.xxx/ dvc=xxx.xxx.xxx.xxx
requestMethod=POST act=notified cs1Label=sname cs1=Trojan.Generic devicePayloadId=12bb338c-1482-48e2-b7b6-
05afdcdfbece
malware-object (CM Series)

Feb 24 17:25:12 10.5.6.98 fenotify-622.alert: CEF:0|FireEye|CMS|7.9.2.589127|MO|malware-object|4|rt=Feb 24 2017
12:23:30 UTC cn2Label=sid cn2=222 fileHash=8acfdc29a1ab8ec34fcb20a1b499e20e filePath=BestMDSample
cs3Label=osinfo cs3=Microsoft WindowsXP 32-bit 5.1 sp3 16.0901 act=blocked dvchost=Froyo dvc=10.5.6.60
[email protected] cn1Label=vlan cn1=0 externalId=622 cs4Label=link
cs4=https://Fruity.mrl.fireeye.com/emps/eanalysis?e_id\=1221&type\=attch [email protected]
[email protected] cs2Label=anomaly cs2=98816 cs1Label=sname
cs1=Malware.Binary.exe devicePayloadId=3753bd33-74cd-4d6b-9d98-aa3f489b0b36 fileType=exe sproc=Windows Explorer
malware-object (NX Series)

Nov 22 03:19:06 jingalala.mrl.fireeye.com fenotify-912.warning: CEF:0|FireEye|MPS|7.9.2.581998|MO|malware-
object|4|rt=Nov 22 2016 11:26:21 UTC src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx
fileHash=17575d806f5ad6eb1cfa951948f618c0
filePath=kdypotlwyv.myvnc.com/rmvk30g/?3a8d6d2c6851cce65c0e5a5f075f005501570d560d50505308540b500653505105
cs3Label=osinfo cs3=Microsoft Windows7 64-bit 6.1 sp1 16.0901 proto=tcp dvchost=Jingalala dvc=xxx.xxx.xxx.xxx
smac=00:0c:29:77:81:f7 cn1Label=vlan cn1=0 externalId=912 cs4Label=link
cs4=https://Jingalala.mrl.fireeye.com/event_stream/events_for_bot?ma_id\=912 act=notified
dmac=00:50:56:ff:51:56 cs2Label=anomaly cs2=98816 cs1Label=sname cs1=Mal/ExpJava-AF devicePayloadId=c8e7d766-
7526-4f92-99c4-03b121c8f319 fileType=jar sproc=Java JDK JRE 7.13
malware-object (EX Series)

Nov 17 02:31:35 10.5.6.175 fenotify-1142.info: CEF:0|FireEye|eMPS|7.9.0.582070|MO|malware-object|4|rt=Nov 17
2016 10:37:55 UTC fileHash=fdaa02bc8a1ddff650f18b389bfe1b98 filePath=shootout.swf act=notified dvchost=earth-
175 cs4Label=link cs4=https://earth-175.mrl.fireeye.com/emps/eanalysis?e_id\=24&type\=attch
20 © 2017 FireEye
CEF Notifications
[email protected] cn1Label=vlan cn1=0 externalId=1142 dvc=xxx.xxx.xxx.xxx [email protected]

[email protected] cs1Label=sname cs1=retroactiveshootout.swf start=Nov 17
2016 10:30:38 UTC cat=retro-detection
malware-object (AX Series)

CEF:0|FireEye|MAS|7.1.0.235448|MO|malware-object|5|rt=Jul 28 2014 23:08:54 Z cn3Label=cncPort cn3=443
fileHash=60743bf7f4554b0e4b11701bedf7bd3a proto=tcp request=http://www.xxx.com cs3Label=osinfo cs3=Microsoft
Windows7 32-bit 6.1 sp1 14.0528 cs5Label=cncHost cs5=www.xxx.com dvchost=axhwmas cs4Label=link
cs4=https://xxx.xxx.xxx.xxx/malware_analysis/analyses?maid\=2 cn1Label=vlan cn1=0 externalId=2
dvc=xxx.xxx.xxx.xxx cs6Label=channel cs6=\\026\\003\\001 cs2Label=anomaly cs2=misc-anomaly\n
malware-object (FX Series)

CEF:0|FireEye|fMPS|7.5.0.248116|MO|malware-object|4|rt=Aug 04 2014 21:50:10 UTC
fileHash=3cad91710fe2bbf7a180d2629bb21dfd filePath=/analysis/doubleb/cjk新闻/pdf_3174452 cs3Label=osinfo
cs3=Microsoft Windows7 32-bit 6.1 sp1 14.0528;Microsoft WindowsXP 32-bit 5.1 sp3 14.0528 dvchost=axhfmps
cs4Label=link cs4=https://xxx.xxx.xxx.xxxx/fmps/fanalysis?ma_id\=200 cn1Label=vlan cn1=0 externalId=200
dvc=xxx.xxx.xxx.xxxx cs2Label=anomaly cs2=misc-anomaly cs1Label=sname cs1=Malware.Binary.pdf\n
web-infection (NX Series)

Nov 22 03:18:13 jingalala.mrl.fireeye.com fenotify-22.warning: CEF:0|FireEye|MPS|7.9.2.581998|WI|web-
infection|4|rt=Nov 22 2016 11:25:20 UTC src=xxx.xxx.xxx.xxx cn3Label=cncPort cn3=80 dpt=80
dproc=InternetExplorer 8.0 cs5Label=cncHost cs5=google.com dvchost=Jingalala cs3Label=osinfo cs3=Microsoft
WindowsXP 32-bit 5.1 sp3 16.0901 proto=tcp spt=1057 dvc=xxx.xxx.xxx.xxx smac=d6:96:0a:84:24:15 cn1Label=vlan
cn1=0 externalId=22 cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/event_stream/events_for_bot?inc_id\=22
act=notified filePath=yang77.com/a/lizhiyulu/20151017/281.html cs2Label=anomaly cs2=98304 cs1Label=sname
cs1=Exploit.Browser devicePayloadId=3d20297f-31a6-4fbf-ab7c-42a637199f4a
ips-event (CM Series)

Jul 12 19:04:38 xxx.xxx.xxx.xxx fenotify-2.alert: CEF:0|FireEye|CMS|7.9.0.474115|IE|ips-event|7|externalId=2
rt=Jul 13 2016 00:54:15 UTC proto=tcp src=xxx.xxx.xxx.xxx spt=80 smac=00:50:56:f7:db:db dst=xxx.xxx.xxx.xxx
dpt=1111 dmac=00:0c:29:9e:e9:da cnt=1 msg=Suspicious Java Jar Instantiation act=notified
dvchost=center1.eng.fireeye.com dvc=xxx.xxx.xxx.xxx cn2=85305189 cn2Label=sid cfp1=9 cfp1Label=signature
© 2017 FireEye 21
CEF Notifications
revision cs4=https://center1.eng.fireeye.com/notification_url/ips_events?ev_id\=2 cs4Label=link

flexString2=client flexString2Label=attack mode flexString3=ATTACK flexString3Label=MVX Correlation Status
cn1=0 cn1Label=vlan
ips-event (NX Series)

01-31-2017 09:29:05 Local4.Warning 10.128.33.142 fenotify-4.warning:
CEF:0|FireEye|MPS|7.9.2.601533|IE|ips-event|5|externalId=4 rt=Jan 31 2017 03:57:48 UTC proto=tcp
src=xxx.xxx.xxx.xxx spt=80 smac=02:1a:c5:02:00:00 dst=xxx.xxx.xxx.xxx dpt=15352 dmac=02:1a:c5:01:00:00 cnt=1
msg=Malicious Obfuscated Javascript Code act=notified dvchost=nx-7400-142.eng.fireeye.com dvc=xxx.xxx.xxx.xxx
cn2=85307021 cn2Label=sid cfp1=8 cfp1Label=signature revision cs4=https://nx-7400-
142.eng.fireeye.com/notification_url/ips_events?ev_id\=4 cs4Label=link flexString2=client
flexString2Label=attack mode flexString3=N/A flexString3Label=MVX Correlation Status cn1=0 cn1Label=vlan
riskware-callback (IPv4)
Nov 22 03:41:03 jingalala.mrl.fireeye.com fenotify-10.warning: CEF:0|FireEye|MPS|7.9.2.581998|RC|riskware-
callback|1|rt=Nov 22 2016 11:47:26 UTC start=Nov 22 2016 11:47:26 UTC end=Nov 22 2016 11:47:26 UTC
src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx
request=http://fortd.serverdld.eu/36175/cdn/winpalace/WinPalace20130622034203.msi cs1Label=sname
cs1=Adware.Hastingsin act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com smac=00:20:18:11:01:66
dmac=00:01:6c:a9:2f:27 spt=49215 dpt=80 cn1Label=vlan cn1=0 externalId=1005 msg=risk ware detected:10 proto=tcp
cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_id\=10&inf_id\=1005&inf_
type\=Riskware%20Callback cs6Label=channel cs6=GET /36175/cdn/winpalace/WinPalace20130622034203.msi
HTTP/1.1::~~Connection: Keep-Alive::~~Accept: */*::~~User-Agent: Windows Installer::~~Host:
fortd.serverdld.eu::~~::~~
riskware-callback (IPv6)
Jan 30 22:57:19 jingalala.mrl.fireeye.com fenotify-5.alert: CEF:0|FireEye|MPS|7.9.2.602260|RC|riskware-
callback|1|rt=Jan 31 2017 07:05:20 UTC start=Jan 31 2017 07:05:20 UTC end=Jan 31 2017 07:05:20 UTC
c6a2=2011::1:6e1c:e3c3 c6a2Label=Victim IP c6a3=2011::1:22b4:b249 c6a3Label=Attacker IP
request=http://stats.statsmyapp.com/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
13&bic\=&app\=52258&appver\=0&verifier\=&srcid\=0&subid\=0&zdata\=0&xpiver\=0&crxver\=0&default\=ie&chver\=25&f
fver\=13&iever\=10&installtime\=1444697300&curtime\=1444697300&lifetime\=0&procstarttime\=1444697299&rnd\=14446
97315 cs1Label=sname cs1=Adware.Crossrider act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com
smac=00:20:18:11:01:65 dmac=00:01:6c:a9:2f:27 spt=49198 dpt=80 cn1Label=vlan cn1=0 externalId=100 msg=risk ware
detected:5 proto=tcp cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_
id\=5&inf_id\=100&inf_type\=Riskware%20Callback cs6Label=channel cs6=GET
/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
22 © 2017 FireEye
CEF Notifications
97315 HTTP/1.1::~~Host: stats.statsmyapp.com::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~
riskware-object (IPv4)
Nov 22 03:38:41 jingalala.mrl.fireeye.com fenotify-9.warning: CEF:0|FireEye|MPS|7.9.2.581998|RO|riskware-
object|1|rt=Nov 22 2016 11:45:06 UTC start=Nov 22 2016 11:43:36 UTC end=Nov 22 2016 11:45:06 UTC
src=xxx.xxx.xxx.xxx dst=xxx.xxx.xxx.xxx request=xxx.xxx.xxx.xxx/5ed4437e0027415a829b9951941cdda0 cs1Label=sname
cs1=Win.Adware.Multiplug-55768 act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com
fileHash=5ed4437e0027415a829b9951941cdda0 smac=10:60:4b:a9:b4:0a dmac=10:60:4b:a9:86:3a spt=35682 dpt=80
cn1Label=vlan cn1=0 requestMethod=GET externalId=916 msg=risk ware detected:9 proto=tcp cs3Label=osinfo
cs3=Microsoft WindowsXP 32-bit 5.1 sp3 16.0901 cs4Label=link
cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_id\=9&inf_id\=916&inf_
type\=Riskware%20Object flexString4Label=proto-header flexString4=GET /5ed4437e0027415a829b9951941cdda0
HTTP/1.0::~~User-Agent: Wget/1.12 (linux-gnu)::~~Accept: */*::~~Host: xxx.xxx.xxx.xxx::~~Connection: Keep-
Alive::~~HTTP/1.1 200 OK::~~Date: Thu, 08 Oct 2015 21:05:15 GMT::~~Server: Apache/2.2.15 (CentOS)::~~Last-
Modified: Thu, 08 Oct 2015 21:04:41 GMT::~~ETag: "1940780-49c00-5219e363a8b4c"::~~Accept-Ranges:
bytes::~~Content-Length: 302080::~~Connection: close::~~Content-Type: text/plain; charset=UTF-8::~~
riskware-object (IPv6)
Jan 30 22:57:19 jingalala.mrl.fireeye.com fenotify-5.alert: CEF:0|FireEye|MPS|7.9.2.602260|RC|riskware-
callback|1|rt=Jan 31 2017 07:05:20 UTC start=Jan 31 2017 07:05:20 UTC end=Jan 31 2017 07:05:20 UTC
c6a2=2011::1:6e1c:e3c3 c6a2Label=Victim IP c6a3=2011::1:22b4:b249 c6a3Label=Attacker IP
request=http://stats.statsmyapp.com/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
97315 cs1Label=sname cs1=Adware.Crossrider act=notified dvc=xxx.xxx.xxx.xxx dvchost=Jingalala.mrl.fireeye.com
smac=00:20:18:11:01:65 dmac=00:01:6c:a9:2f:27 spt=49198 dpt=80 cn1Label=vlan cn1=0 externalId=100 msg=risk ware
detected:5 proto=tcp cs4Label=link cs4=https://Jingalala.mrl.fireeye.com/notification_url/riskware?ev_
id\=5&inf_id\=100&inf_type\=Riskware%20Callback cs6Label=channel cs6=GET
/apps.gif?action\=uninstall&browser\=ie&browserver\=10&ver\=1_34_2_
97315 HTTP/1.1::~~Host: stats.statsmyapp.com::~~Connection: Keep-Alive::~~Cache-Control: no-cache::~~::~
AT Alert (ETP Cloud)
Every AT alert generates a separate CEF notification.
© 2017 FireEye 23
CEF Notifications
CEF:0|FireEye|ETP|3.0|etp|malicious email|10|rt=Nov 07 2016 23:27:17 UTC [email protected]

[email protected] fname=test.zip fileHash=ca9424e92816332d8bb60a45e4ec29e9
destinationDnsDomain=xyz.pqr.com externalId=9999999 cs1Label=sname cs1=Malware.archive cs3Label=Subject cs3=Arc
Sight Test CEF cs4Label=Link cs4=https://etp.fireeyecloud.com/alert/9999999/ cs5Label=Client cs5=AAAA
ACE Alert (ETP Cloud)
Every ACE alert generates a separate CEF notification.
CEF:0|FireEye|ETP|3.0|etp|ace alert|10|rt=Nov 07 2016 23:27:17 UTC [email protected] [email protected]

fname=test.zip fileHash=5b61d32c94ca81d4f28241ca29aca9b9 destinationDnsDomain=xyz.pqr.com externalId=9999999
cs1Label=sname cs1=Malware.archive cs3Label=Subject cs3=Arc Sight Test CEF cs4Label=Link
cs4=https://etp.fireeyecloud.com/alert/9999999/ cs5Label=Client cs5=AAAA cs6Label=ATI Name Type Level
cs6=Exploit.DTI.CVE-2008-2992\|Exploit\|Medium flexString1Label=ATI Threat Attribution flexString1=While many
well-known exploit kits used to weaponize the CVE-2008-2992 exploit, the popularity of this exploit has
drastically dropped overtime due to Adobe Reader’s sandbox mechanism. No APT actors have been found to actively
leverage this exploit in current cyber operations. Metasploit, however, still has a module targeting CVE-2008-
2992 vulnerability. As this exploit is old, the latest versions of Adobe application are already patched
against this attack. It is strongly advised to update Adobe Acrobat and Reader to versions 8.1.2 and above as
soon as possible.
24 © 2017 FireEye
CEF Notifications
CEF Extension Field Key=Value Pair Definitions

FireEye uses the following parameters in its CEF extension field key=value pairs:
CEF:0|<vendor>|<product name>|<version>|<cef event type>|<event-name>|<severity>|<extension>
The following table provides definitions for each extension field key in a CEF message.
The event types “binary-analysis” (BA) and “malware-analysis-done” (MW) are relevant only for FireEye Releases 5.X/6.0.
The other event types are relevant for all releases and/or Release 6.1.0 and 6.2.0 and they are defined as follows:
MC (malware-callback), WI (web-infection), IM (infection-match), DM (domain-match), MO (malware-object), and IE (ips-

event).
The Z character at the end of a time stamp indicates that the time displayed is in the UTC time zone. Starting in the 7.0.0
release, the time is displayed in UTC by default. To change the displayed time to your local time, use the following CLI
command: fenotify default timezone localtime
© 2017 FireEye 25
CEF Notifications
Ext.
Event Data
Field Description Products Release
Type Type
Key
rt receipt time NX BA Time 6.0

AX WI Stamp 6.1
rt represents the malware event time as detected by a FireEye
FX MC mmddyyyy 6.2
appliance MVX.
EX IM HH:mm:ss 6.3
For example: CM DM 6.4
(not applicable for release 6.0; same for releases 6.1 and later) MO 7.x
MW
rt=Oct 17 2012 23:13:20 UTC
IE
RC
RO
fileHash= fileHash NX BA String 6.0

AX WI 6.1
fileHash represents the checksum of the malware object from a 255
FX MC 6.2
FireEye appliance MVX. characters
EX IM 6.3
MW
filehash=3174990d783f4
IE
a1bd5e99db60176b920
RC
RO
26 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
src= Source Address NX BA IPv4 6.0

AX WI Address 6.1
src represents the IP address of the infected host.
FX MC 6.2
16 bytes
For example: EX IM 6.3
(same for all releases) CM DM 6.4
MO 7.x
src=192.168.85.141
MW
IE
RC
RO
request= requestURL NX BA String 6.0

AX WI 6.1
request represents the URL that needs to be investigated. 1023
FX MC 6.2
characters
MO 7.x
request=http://jrecsimpdegsa.ontheweb.nu
MW
/b/9/065a0b5a3b65c1c6d5f5f8c883a903
IE
7237a6a6a28803d4e7a6876a26e2d00343
RC
RO
© 2017 FireEye 27
CEF Notifications
Ext.
Event Data
Type Type
Key
requestMethod requestMethod NX BA String 7.7 and

AX WI later
requestMethod represents how a URL is accessed. For example, 1023
FX MC
'OPTIONS', 'POST', 'GET', 'HEAD', 'PUT', 'TRACE', 'CONNECT', characters
EX IM
or 'DELETE'.
CM DM
For example: MO
(same for all releases) MW
IE
requestMethod=GET
RC
RO
requestClient- requestClientApplication NX BA String 7.7 and

Application AX WI later
requestClientApplication represents the user-agent for the 1023
FX MC
request. characters
EX IM
For example: CM DM
(same for all releases) MO
MW
requestClientApplication=Updates downloader
IE
RC
RO
28 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
requestContext requestContext NX BA String 7.7 and

AX WI later
requestContext represents the description of where the request 1023
FX MC
comes from. characters
EX IM
CM DM
MO
MW
IE
RC
RO
shost= source host NX BA String 6.0

AX WI 6.1
shost represents the hostname of the infected machine as 1023
FX MC 6.2
detected by a FireEye appliance MVX. characters
EX IM 6.3
(same for all releases) MO 7.x
MW
shost=IM-testing.fe-notify-examples.com
IE
RC
RO
© 2017 FireEye 29
CEF Notifications
Ext.
Event Data
Type Type
Key
proto= Transport Protocol NX BA String 6.0

AX WI 6.1
proto represents the transport protocol detected by a FireEye 31
FX MC 6.2
appliance MVX. characters
EX IM 6.3
MW
proto=udp
IE
RC
RO
dvchost= device hostname NX BA String 6.0

AX WI 6.1
dvchost represents the hostname or the fully qualified domain
FX MC 100 6.2
name of the device, if available.
EX IM characters 6.3
MW
dvchost=dave
IE
RC
RO
30 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
spt= source port NX BA Integer 6.0

AX WI 6.1
spt represents the infected host’s source port as detected by a
FX MC Valid Port 6.1
FireEye appliance MVX.
EX IM Numbers 6.2
For example: CM DM 0~65535 6.3
(same for all releases) MO 6.4
MW 7.x
spt=1116
IE
RC
RO
dvc device Address NX BA IPv4 6.0

AX WI address 6.1
dvc represents the device address of the FireEye appliance
FX MC 6.2
MVX.
EX IM 16 bytes 6.3
MW
dvc=xxx.xxx.xxx.xxx
IE
RC
RO
© 2017 FireEye 31
CEF Notifications
Ext.
Event Data
Type Type
Key
suser SMTPSender EX MO String 6.x

CM IE 7.x
suser represents the user name of the sender of the malicious 1023
email detected by a FireEye appliance. characters
For example:
(not applicable for release 6.0; same for releases 6.1 and later)
[email protected]
[email protected]
filePath= filePath local to the BA String 6.0

detecting WI 6.1
filePath represents the local path (if the file is local) or the URL 1023
appliance: MC 6.2
(if the file is remote) of the malware object. characters
NX IM 6.3
For example: AX DM 6.4
(same for all releases) FX MO 7.x
EX MW
filePath=test-infection.exe
IE
or RC
filePath=xxx.xxx.xxx.xxx/qa-test-data/14R1-test-data/ RO
mas-test-data/14R2-test-data/cve-samples/2014-1761.rtf
32 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
msg= SMTPID EX MO String 6.x

CM IE 7.x
msg represents the email message ID of the infected email. For 1023
IPS, msg represents the rule name. characters
For example:
msg=20121017232425.6706
[email protected]
smac= sourceMacAddress NX BA MAC 6.0

AX WI Address 6.1
smac represents the source MAC address of the infected host.
FX MC 6.2
MO 7.x
smac=00:0c:29:76:bb:28
MW
IE
RC
RO
© 2017 FireEye 33
CEF Notifications
Ext.
Event Data
Type Type
Key
act= deviceAction NX WI String 7.5 and

AX MC later
When act=blocked, the alert has been blocked. When 63
FX IM
act=notified, the alert is not blocked. characters
EX DM
CM MO
IE
RC
RO
dmac= destinationMacAddress NX BA MAC 6.0

AX WI Address 6.1
dmac represents the MAC address. FX MC 6.2
EX IM 6.3
For example:
CM DM 6.4
dmac=00:50:56:e8:ba:21 MW
IE
RC
RO
34 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
externalId= externalId NX BA Integer 6.0

AX WI 6.1
externalId represents the FireEye internal alert ID (which is FX MC 6.2
external for ArcSight). EX IM 6.3
CM DM 6.4
For example:
MO 7.x
(not applicable for release 6.0; same for releases 6.1 and later) MW
externalId=218799 IE
RC
RO
duser= destinationUserName EX MO String 6.x

CM IE 7.x
1023
duser represents the recipient of the malicious email detected by
characters
a FireEye appliance.
For example:
[email protected]
© 2017 FireEye 35
CEF Notifications
Ext.
Event Data
Type Type
Key
dproc= destinationProcessName NX BA String 6.0

AX WI 6.1
1023
dproc represents the name of the target application running on FX MC 6.2
characters
the MVX during malware detection. EX IM 6.3
CM DM 6.4
For example:
MO 7.x
dproc=Firefox 4.0.0 IE
dst= destinationIPAddress NX BA IPv4 6.0

AX WI Address 6.1
dst represents the IP address of the destination when any
FX MC 6.2
communication to an external host is observed. 16 bytes
EX IM 6.3
MW
dst=128.12.38.6 IE
RC
RO
36 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
dpt= destinationPort NX BA Integer 6.0

AX WI 6.1
dpt represents the port of the destination when any
FX MC 6.2
communication to an external host is observed.
EX IM 6.3
MW
dpt=20
IE
RC
RO
cn1= deviceCustom Number1 NX BA Numeric 6.0

AX WI 6.1
Integer
cn1 represents the VLAN ID of the infected host. FX MC 6.2
Long
EX IM 6.3
For example:
CM DM 6.4
cn1=0 MW
IE
RC
RO
© 2017 FireEye 37
CEF Notifications
Ext.
Event Data
Type Type
Key
cn1Label= deviceCustom Number1 Label NX BA String 6.0

AX WI 6.1
1023
cn1Label is the corresponding label field for cn1. FX MC 6.2
characters
EX IM 6.3
For example:
CM DM 6.4
cn1Label=vlan MW
IE
RC
RO

AX WI Integer 6.1
cn2 represents the signature ID. When there is duplicate FX MC Long 6.2
malware, cn2 is the alert ID of the original malware. EX IM 6.3
CM DM 6.4
For example:
MO 7.x
cn2=83145120 IE
RC
RO
38 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI 6.1
1023
characters
EX IM 6.3
For example:
CM DM 6.4
cn2Label=sid MW
IE
RC
RO

AX WI Integer 6.1
cn3 represents the CnC listening server port.
FX MC Long 6.2
(not applicable for release 6.0; same for releases 6.1 and later) CM DM 6.4
MO 7.x
cn3=53
MW
IE
RC
RO
© 2017 FireEye 39
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI 6.1
1023
characters
EX IM 6.3
For example:
CM DM 6.4
cn3Label=cncport MW
IE
RC
RO
cs1= deviceCustom string1 NX BA String 6.0

AX WI 6.1
cs1 represents the malware signature name. 1023
FX MC 6.2
characters
MO 7.x
cs1=Trojan.PWS.OnlineGames
MW
IE
RC
RO
40 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
cs1Label= deviceCustom string1 Label NX BA String 6.0

AX WI 6.1
1023
cs1Label is the corresponding label field for cs1. FX MC 6.2
characters
EX IM 6.3
For example:
CM DM 6.4
cs1Label=sname MW
IE
RC
RO

AX WI 6.1
cs2 represents attributes of OS changes made by the malware, 1023
FX MC 6.2
data theft, or miscellaneous anomaly. characters
EX IM 6.3
MW
cs2=misc-anomaly, datatheft-anomaly
IE
RC
RO
© 2017 FireEye 41
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI 6.1
cs2Label is the corresponding label field for cs2. 1023
FX MC 6.2
characters
MO 7.x
cs2Label=anomaly
MW
IE
RC
RO

AX WI 6.1
cs3 represents MVX OS information (name and version). 1023
FX MC 6.2
characters
MO 7.x
cs3=Microsoft WindowsXP Professional 5.1 sp2;
MW
Microsoft Windows7 Professional 6.1 base;
IE
Microsoft WindowsXP Professional 5.1 base;
RC
Microsoft WindowsXP Professional 5.1 sp3
RO
42 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI 6.1
FX MC 6.2
characters
MO 7.x
cs3=Label=osinfo
MW
IE
RC
RO

AX WI 6.1
cs4 represents the alert URL. 1023
FX MC 6.2
characters
MO 7.x
cs4=https://xxx.xxx.xxx.xxx/event_stream
MW
/events_for_bot?ma_id\=51056&lms_iden
IE
\=00:25:90:54:7E:6E cs1Label=sname
RC
cs1=Trojan.Generic
RO
© 2017 FireEye 43
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI 6.1
FX MC 6.2
characters
MO 7.x
cs4Label=link
MW
IE
RC
RO

AX WI 6.1
cs5 represents the hostname of the CnC server; if the appliance 1023
FX MC 6.2
is unable to resolve the CnC serverʼs hostname, this field will characters
EX IM 6.3
contain the IP address of the CnC server.
CM DM 6.4
For example: MO 7.x
IE
cs5=91.188.60.10
RC
RO
44 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI 6.1
1023
cs5Label is the corresponding label field for cs5. FX MC 6.2
characters
EX IM 6.3
For example:
CM DM 6.4
cs5Label=cnchost MW
IE
RC
RO

AX WI 6.1
cs6 represents the CNC channel. Each line feedback is replaced 1023
FX MC 6.2
with "::~~". characters
EX IM 6.3
MW
cs6=GET /message.php?subid\=148&version
IE
\=_nn2&id\=XG0FZ7W00ZHZZHKZB0WY HTTP
RC
/1.1::~~Host: smartcontrol.info::~~User-Agent:
RO
firefox.exe;Windows NT 5.1::~~::~~
© 2017 FireEye 45
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI 6.1
FX MC 6.2
characters
MO 7.x
cs6Label=channel
MW
IE
RC
RO
c6a1 deviceCustomIPv6Address1 NX BA IPv6 7.7 and

AX WI address later
c6a1 represents the IPv6 address of the FireEye device.
FX MC
For example: EX IM
c6a1=fe80::225:90ff:fe86:73d0 CM DM
MO
MW
IE
RC
RO
46 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
c6a1Label deviceCustomIPv6Address1Label NX BA String 7.7 and

AX WI later
c6a1Label is the corresponding label field for c6a1.
FX MC
For example: EX IM
c6a1Label=Device Address CM DM
MO
MW
IE
RC
RO

AX WI address later
c6a2 represents one of the IPv6 address fields.
FX MC
For example: EX IM
c6a2=2011::1:4fdd:f5e2 CM DM
MO
MW
IE
RC
RO
© 2017 FireEye 47
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI later
FX MC
For example: EX IM
c6a2Label=Victim IP CM DM
MO
MW
IE
RC
RO

AX WI address later
c6a3 represents one of the IPv6 address fields.
FX MC
For example: EX IM
c6a3=2011::1:7b2d:ffe7 CM DM
MO
MW
IE
RC
RO
48 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key

AX WI later
FX MC
For example: EX IM
c6a3Label=Attacker IP CM DM
MO
MW
IE
RC
RO
flexString1= String Number1 NX IE String 7.x

CM
flexString1 represents the CVE ID.
For example:
flexString1=CVE-2012-0150
flexString1Label= String Number1 Label NX IE String 7.x

CM
flexString1Label is the corresponding label field for flexString1.
For example:
flexString1Label=cve-id
© 2017 FireEye 49
CEF Notifications
Ext.
Event Data
Type Type
Key

CM
flexString2 represents the attack mode. The valid
values are
For example:
client,
flexString2=client server, and
N/A.

CM
For example:
flexString2Label=attack mode

CM
flexString3 represents the confirmation of the attack. The valid
values are
For example:
ATTACK,
flexString3=ATTACK NOT-
ATTACK,
and N/A.

CM
For example:
flexString3Label=MVX Correlation Status
50 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
flexString4 String Number4 NX RC String 7.x

CM RO
flexString4 represents the protocol header. Each line feedback is
replaced with "::~~".
For example:
flexString4=GET /ba4ca624c2e5d01cfcf537891ec5c
HTTP/1.0::~~User-Agent: Wget/1.12 (linux-gnu)::~~Accept:
*/*::~~Host: 16.16.16.11::~~Connection: Keep-Alive::~~HTTP/1.1
200 OK::~~Date: Wed, 30 Sep 2015 16:02:39 GMT::~~Server:
Apache/2.2.15 (CentOS)::~~Last-Modified: Tue, 29 Sep 2015
22:56:32 GMT::~~ETag: "1940779-ba988-
520eab99e6191"::~~Accept-Ranges: bytes::~~Content-Length:
764296::~~Connection: close::~~Content-Type: text/plain;
charset=UTF-8::~~
flexString4Label String Number4 Label NX RC String 7.x

CM RO
For example:
flexString4Label=proto-header
cnt Match Count NX IE Integer 7.x

CM
cnt represents how many times an event was observed.
For example:
cnt=1
© 2017 FireEye 51
CEF Notifications
Ext.
Event Data
Type Type
Key
cfp1 Signature Revision NX IE Integer 7.x

CM
cfp1 represents the revision of the signature.
For example:
cfp1=10
cfp1Label Signature Revision Label NX IE String 7.x

CM
cfp1Label is the corresponding label field for cfp1.
For example:
cfp1Label=signature revision
eventURL= eventURL NX BA String 5.x

AX WI 6.0
eventURL represents the alert URL. 1023
FX MC 6.1
characters
(not applicable for releases 6.2 and later) CM DM 6.3
MO 6.4
eventURL=https://xxx.xxx.xxx.xxx/
MW 7.x
event_stream/events_for_bot?ma_id\
IE
=51056&lms_iden\=00:25:90:54:7E:6E
52 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
sType= sType NX BA Possible 5.x

AX WI values: 6.0
sType represents the FireEye-assigned signature type.
FX MC 6.1
'unknown',
'generated-
content',
MO 6.4
sType=Blacklist 'fireeye-
MW
content',
IE
'bot-
command',
'fqc',
'known-
md5sum',
duplicate-
md5sum',
'av-match',
'vm-bot-
command',
blacklist',
'yara',
'avs',
'archive',
'encoding',
'timestamp'
© 2017 FireEye 53
CEF Notifications
Ext.
Event Data
Type Type
Key
sName= sName NX BA String 5.x

AX WI 6.0
1023
sName represents the FireEye-assigned signature name. FX MC 6.1
characters
EX IM 6.2
For example:
CM DM 6.3
(not applicable for releases 6.2 and later) MO 6.4
sName=Trojan.Generic MW 7.x
IE
sID= sId NX BA Integer 5.x

AX WI 6.0
sId represents the FireEye internal alert ID. FX MC 6.1
EX IM 6.2
For example:
CM DM 6.3
(not applicable for releases 6.2 and later) MO 6.4
sID=234643322 MW 7.x
IE
54 © 2017 FireEye
CEF Notifications
Ext.
Event Data
Type Type
Key
fileType fileType represents the file type of the detected malware. NX MO File 7.x
AX MC extension,
For example:
FX such as:
fileType=jar EX
l exe
CM
l pdf
l ppt
l doc
l docx
l and
so
on...
devicePayloadId devicePayloadId represents the unique identifier for the payload NX MC String 7.x
associated with the event. AX MO
128
FX WI
For example: characters
EX DM
devicePayloadId=12bb338c-1482-48e2-b7b6-05afdcdfbece CM IM
sproc sproc represents the source process name. NX MO String 7.x

AX MC
For example: 1023
FX
characters
sproc=Java JDK JRE 7.13 EX
CM
© 2017 FireEye 55
CEF Notifications
Ext.
Event Data
Type Type
Key
cat cat represents the device event category. EX MO String 7.x

The originating device assigns the category. 1023
characters
For example:
cat=retro-detection
start Date when the event was originally analyzed by the appliance. EX MO Date in the 7.x
following
For example:
format:
start=Nov 17 2016 10:30:38 UTC MMM dd
yyyy
HH:mm:ss
UTC
56 © 2017 FireEye
CEF Notifications
CEF Standard Fields and Values for ETP Cloud

If the field value is not present, that field is not part of the CEF notification.
The following table describes the CEF fields and values used for ETP Cloud notifications.
Field Value Type Mandatory Variable Length Notes
CEF CEF String Yes No — —
Version 0 Int Yes No — —
Device Vendor FireEye String Yes No — —
Device Product ETP String Yes No — —
Device Version 3.0 String Yes No — This string

might increment
in subsequent
releases.
Device Event Class ID etp String Yes No — —
Name malicious email/ace String Yes Yes — —
Severity Value is between 1 and 10. Number Yes No — —
© 2017 FireEye 57
CEF Notifications
rt Date in the following Date Yes Yes — Timestamp at

format: which the alert
was generated
MMM dd yyyy HH:mm:ss
in UTC.
UTC
suser Sender email address String Yes Yes 1023 —

characters
duser Destination email address String Yes Yes 1023 —

characters
request Malicious URL String No Yes 1023 —

characters
fname Malware file name String No Yes 1023 —

characters
fileHash Hash value of the file/URL String Yes Yes 255 The format is
characters MD5.
destinationDnsDomain Destination email address String Yes Yes 255 —

domain characters
externalId Database alert ID String Yes Yes 255 —

characters
cs1Label sname String Yes No 1023 —

characters
58 © 2017 FireEye
CEF Notifications
cs1 FireEye malware name String Yes Yes 400 —

characters
cs3Label Subject String Yes No 1023 —

characters
cs3 Message subject String Yes Yes 4000 —

characters
cs4Label Link String Yes No 1023 —

characters
cs4 URL to the alert page on the String Yes Yes 4000 —
ETP portal characters
cs5Label Client String Yes No 1023 —

characters
cs5 Customer ID String Yes Yes 4000 —

characters
cs6Label FireEye Advanced Threat String No No 1023 —

Intelligence name, type, and characters
level
cs6 Data extracted from the String No Yes 4000 —

FireEye Advanced Threat characters
Intelligence service
flexString1Label FireEye Advanced Threat String No No 128 —

Intelligence threat characters
attribution
© 2017 FireEye 59
CEF Notifications
flexString1 Data extracted from the String No Yes 1023 —

FireEye Advanced Threat characters
Intelligence service
60 © 2017 FireEye
LEEF Notifications
This section includes the following topics:
l Sample LEEF Notifications per Event Type on page 63

l LEEF Extension Field Key=Value Pair Definitions on page 67
Like CEF, the alert notification in LEEF format includes a header and an extension as a set of key=value pairs.
The FireEye LEEF message header is defined as follows. The header fields are separated using the pipe ('|') character, and the body fields
are separated using the caret ('^') character.
LEEF:1.0|<vendor>|<product name>|<version>|<LEEF eventID>|<extension>
where
LEEF Field Description

LEEF:1.0 The LEEF header consists of a set of appliance attributes delimited by pipes ( | ) which starts with
LEEF:<VERSION>, where the current LEEF version is always 1.0.
<product name> Product name must represent a valid FireEye product name. For example, valid product names are ‘MPS’ (for the
NX Series), ‘eMPS’ (for the EX Series) ‘fMPS’ (for the FX Series), ‘MAS’ (for the AX Series), and ‘CMS’ (for the CM
Series).
<version> Version represents the version of the FireEye appliance software used to detect the malware and send the alert
notification; for example: 6.2.0.74484
© 2017 FireEye 61
LEEF Notifications
LEEF Field Description

<LEEF eventID> Event ID types:
l malware-callback
l web-infection
l infection-match
l domain-match
l ips-event
l riskware-callback
l riskware-object
<extension> Extensions include all the alert detection details, labeled in categories; for example: fileHash=, src=, request=, proto=,
dvchost=, srcPort=, dvc=, filePath=, sname=, dstmac=, vlan=, cncHost=, externalID=, devTime=, sID=, cncPort=, link=,
srcMAC=, dst=, dstPort=, cncChannel=, osinfo=, targetApp=, anomaly=
The definitions for these extension field labels are provided in LEEF Extension Field Key=Value Pair
Definitions on page 67. Not all products reference the same LEEF field labels in their alert notifications.
62 © 2017 FireEye
LEEF Notifications
Sample LEEF Notifications per Event Type

Sample LEEF notifications are shown for various event types. The definitions for each of the <extension> field keys are provided in
LEEF Extension Field Key=Value Pair Definitions on page 67.
The product names in CEF notifications are ‘MPS’ (for the NX Series), ‘eMPS’ (for the EX Series) ‘fMPS’ (for the FX Series),
Event: domain-match
LEEF Notification Message:
Jul 19 00:30:11 xxx.xxx.xxx.xxx fenotify-1999.warning: LEEF:1.0|FireEye|MPS|7.9.0.476843|domain-match|
sev=1^sname=Trojan.Win32.Dogrobot.gen.E^shost=119-168-188-108.rev.home.ne.jp^srcMAC=92:73:75:00:00:35
^proto=udp^srcPort=1025^vlan=0^dstMAC=00:19:d1:fd:a2:52^dvc=xxx.xxx.xxx.xxx^action=notified^dvchost=tikka
^cncHost=the.microgood.net^externalId=1999^devTime=Jul 19 2016 07:37:13 UTC
^sid=89017273^cncPort=53^link=https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id\=1999
^filePath=the.microgood.net^src=xxx.xxx.xxx.xxx^
Event: infection-match (NX Series)

Jul 19 02:00:42 xxx.xxx.xxx.xxx fenotify-2085.warning: LEEF:1.0|FireEye|MPS|7.9.0.476843|infection-match|
sev=1^srcMAC=d6:96:0a:84:24:15^request=hxxp://yipinlawyer.com/^srcPort=1057^
shost=67-218-73-59.dyn.actaccess.net^proto=tcp^dst=xxx.xxx.xxx.xxx^cncHost=xxx.xxx.xxx.xxx^
externalId=2085^sid=84400000^cncChannel=GET http://yipinlawyer.com/ HTTP/1.1::~~Host:
yipinlawyer.com::~~version\=6,0,0,0" width\="'+ swf_width +'" height\="'+ swf_height +'">');::~~document.write
('<param name\="movie" value\="/flash/slideflash.swf"><param name\="quality"
value\="high">');::~~document.write('<param name\="menu" value\="false"><param name\=wmode
value\="opaque">');::~~document.write('<param name\="FlashVars" value\="bcastr_file\='+files+'&bcastr_
link\='+links+'&bcastr_title\='+texts+'&bcastr_config\='+configtg+'">');::~~document.write('<embed
src\="/flash/slideflash.swf" wmode\="opaque" FlashVars\="bcastr_file\='+files+'&bcastr_link\='+links+'&bcastr_
title\='+texts+'&bcastr_config\='+configtg+'& menu\="false" quality\="high" width\="'+ swf_width +'"
height\="'+ swf_height +'" type\="application/x-shockwave-flash"
pluginspage\="http://www.macromedia.com/go/getflashplayer" />'); document.write('</object>');
::~~</SCRIPT></div><SCRIPT Language\=VBScript>re
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
<xs:include schemaLocation="CommonOSCDataSet.xsd"/>
<xs:complexType name="OSCChangeSet">
<xs:sequence>
<xs:element ref="analysis" minOccurs="0"/>
<xs:element ref="os" minOccurs="0"/>
<xs:element ref="os_monitor" minOccurs="0"/>
<xs:element ref="event_logger" minOccurs="0"/>
<xs:element ref="apicall"/>
<xs:element ref="codeinjection"/>
<xs:element ref="driver"/>
<xs:element ref="exploitcode"/>
<xs:element ref="file"/>
<xs:element ref="folder"/>
<xs:element ref="heapspraying"/>
<xs:element ref="mutex"/>
<xs:element ref="network"/>
<xs:element ref="process"/>
<xs:element ref="process-packed"/>
<xs:element ref="processstats"/>
<xs:element ref="regkey"/>
<xs:element ref="uac"/>
<xs:element ref="keyloggerdetected"/>
<xs:element ref="HardwareAccessDetection"/>
<xs:element name="filetype" type="xs:string" minOccurs="0"/>
<xs:element ref="dll-loaded"/>
<xs:element ref="appexception"/>
<xs:element ref="debugcontrol"/>
<xs:element ref="hiddenproc"/>
<xs:element ref="dll-exports"/>
<xs:element ref="guestos-not-pingable"/>
<xs:element ref="SSDT"/>
<xs:element ref="spooler-dll-injection"/>
<xs:element ref="detection-monitor-killed"/>
<xs:element ref="started"/>
<xs:element ref="firefox"/>
<xs:element ref="AsyncKeyLogger"/>
<xs:element ref="CmdLine"/>
© 2017 FireEye 216

XML Notifications
<xs:element ref="systemshutdown"/>
<xs:element ref="os-inactivity-send-keys"/>
<xs:element ref="dialog-dismissed"/>
<xs:element ref="dialog-detected"/>
<xs:element ref="new-dialog-popup"/>
<xs:element ref="api_patch"/>
<xs:element ref="thread"/>
<xs:element ref="stackpivot"/>
<xs:element ref="popup-dialog"/>
<xs:element ref="javacall"/>
<xs:element ref="javaevent"/>
<xs:element ref="eventlogcmd"/>
<xs:element ref="alive"/>
<xs:element ref="BootSectorModified"/>
<xs:element ref="application"/>
<xs:element ref="Ransom"/>
<xs:element ref="Infector"/>
<xs:element ref="Stealer"/>
<xs:element ref="appexception_data"/>
<xs:element ref="ProtectionChange"/>
<xs:element ref="EmbeddedObject"/>
<xs:element ref="custom-patch"/>
<xs:element ref="log"/>
<xs:element ref="Meterpreter"/>
<xs:element ref="browser-plugin-start"/>
<xs:element ref="high_cpu"/>
<xs:element ref="Quit"/>
<xs:element ref="invert_timing"/>
<xs:element ref="bugcheck"/>
<xs:element ref="FEChannel"/>
<xs:element ref="ProcessToken"/>
<xs:element ref="config-update"/>
<xs:element ref="internal-error"/>
<xs:element ref="SendMessage"/>
<xs:element ref="NullPageMapping"/>
<xs:element ref="kexploit"/>
<xs:element ref="KExploit"/>
<xs:element ref="Flash"/>
<xs:element ref="SMEP"/>
<xs:element ref="MSR"/>
<xs:element ref="action_fopen"/>
<xs:element ref="shellcode"/>
<xs:element ref="stackexec"/>
<xs:element ref="JSData"/>
<xs:element ref="FirstRpidMemOp"/>
217 © 2017 FireEye

XML Notifications
<xs:element ref="MemBruteForce"/>
<xs:element ref="CmdOp"/>
<xs:element ref="MemInjectOp"/>
<xs:element ref="ExfilDetect"/>
<xs:element ref="Destructor"/>
</xs:choice>
<xs:element ref="ROP"/>
<xs:element ref="end-of-report" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:element name="analysis">
<xs:complexType>
<xs:complexContent>
<xs:extension base="FeELEvent">
<xs:all>
<xs:element name="rebootdependent" minOccurs="0" type="xs:string"/>
<xs:element name="spanalysis" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" use="required" type="xs:string"/>
<xs:attribute name="ftype" use="required" type="xs:string"/>
<xs:attribute name="product" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="os">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
<xs:attribute name="name" use="required" type="xs:string"/>
<xs:attribute name="sp" use="optional" type="xs:string"/>
<xs:attribute name="arch" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
© 2017 FireEye 218

XML Notifications
<xs:element name="os_monitor">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
<xs:attribute name="build" type="xs:integer"/>
<xs:attribute name="date" type="xs:string"/>
<xs:attribute name="time" type="xs:string"/>
<xs:attribute name="version" use="optional" type="xs:string"/>
<xs:attribute name="dtype" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="event_logger">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
<xs:attribute name="build" use="required" type="xs:string"/>
<xs:attribute name="date" use="required" type="xs:string"/>
<xs:attribute name="time" use="required" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="keyloggerdetected">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="processinfo"/>
<xs:element name="idhook" type="xs:string" minOccurs="0"/>
<xs:element name="hookprocaddr" type="xs:string" minOccurs="0"/>
<xs:element name="moduleaddr" type="xs:string" minOccurs="0"/>
<xs:element name="threadid" type="xs:long" minOccurs="0"/>
<xs:element name="module-name" type="xs:string" minOccurs="0"/>
219 © 2017 FireEye

XML Notifications
<xs:element ref="md5sum" minOccurs="0"/>

<xs:element ref="sha1sum" minOccurs="0"/>
<xs:element name="symbol-name" type="xs:string" minOccurs="0"/>
<xs:element name="symbol-displacement" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="src_thread" use="optional" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:integer"/>
<xs:attribute name="repeat" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="HardwareAccessDetection">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" ref="processinfo"/>
<xs:element minOccurs="0" name="function" type="xs:string"/>
<xs:element minOccurs="0" name="device" type="xs:string"/>
<xs:element minOccurs="0" name="handle" type="xs:string"/>
<xs:element minOccurs="0" name="size" type="xs:string"/>
<xs:element minOccurs="0" ref="address"/>
</xs:all>
<xs:attribute name="repeat" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="api_trace">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="apilib" minOccurs="0" type="xs:string"/>
<xs:element name="apiname" minOccurs="0" type="xs:string"/>
© 2017 FireEye 220

XML Notifications
<xs:element name="ip" minOccurs="0" type="xs:string"/>

</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="foreign_file_load">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="file" type="xs:string" minOccurs="0"/>
<xs:element ref="into" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="low_level_sleep">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dll-loaded">
<xs:complexType>
<xs:complexContent>
<xs:all>
221 © 2017 FireEye

XML Notifications
<xs:element ref="processinfo" minOccurs="0"/>

<xs:element name="dllpath" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="apicall">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="dllname"/>
<xs:element ref="apiname"/>
<xs:element ref="address"/>
<xs:element ref="params" minOccurs="0"/>
<xs:element name="options" type="xs:string" minOccurs="0"/>
<xs:element name="assembly" type="xs:string" minOccurs="0"/>
<xs:element ref="callsites" minOccurs="0"/>
</xs:all>
<xs:attribute name="repeat" use="optional" type="xs:long"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="from">
<xs:complexType>
<xs:sequence>
© 2017 FireEye 222

XML Notifications
</xs:sequence>
<xs:attribute name="tainted" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="into">
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="vbr_change">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="partition" minOccurs="0" type="xs:integer"/>
<xs:element name="md5_original" minOccurs="0" type="xs:string"/>
<xs:element name="md5_current" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="dtype" use="required" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="prop">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="pname" use="optional" type="xs:string"/>
<xs:attribute name="chunk" use="optional" type="xs:integer"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="doc_summary">
<xs:complexType>
<xs:complexContent>
223 © 2017 FireEye

XML Notifications
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="prop"/>
</xs:sequence>
<xs:attribute name="Application" use="optional" type="xs:string"/>
<xs:attribute name="mode" use="optional" type="xs:string"/>
<xs:attribute name="count" use="optional" type="xs:integer"/>
<xs:attribute name="close-handler" use="optional" type="xs:integer"/>
<xs:attribute name="open-handler" use="optional" type="xs:integer"/>
<xs:attribute name="macro-protected" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="xaw_bin">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="InstructionPointer" minOccurs="0" type="xs:string"/>
<xs:element name="WritingModule" minOccurs="0" type="xs:string"/>
<xs:element name="WrittenModule" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="required" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="kci">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="InstructionPointer" minOccurs="0" type="xs:string"/>
© 2017 FireEye 224

XML Notifications

</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="mbr_change">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="md5_original" minOccurs="0" type="xs:string"/>
<xs:element name="md5_current" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="code_injection">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="from" minOccurs="0"/>
<xs:element name="ip" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dll_load">
<xs:complexType>
<xs:complexContent>
225 © 2017 FireEye

XML Notifications
<xs:all>
<xs:element name="dll" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="codeinjection">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="source" minOccurs="0"/>
<xs:element ref="target" minOccurs="0"/>
<xs:element ref="memory" minOccurs="0"/>
<xs:element ref="droppedfile" minOccurs="0"/>
</xs:all>
<xs:attribute name="suppressed" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="source">
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="target">
<xs:complexType>
© 2017 FireEye 226

XML Notifications
<xs:sequence>
<xs:element name="internal_process" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="driver">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="ntstatus" type="xs:string"/>
<xs:element ref="registrypath"/>
<xs:element ref="driverimage"/>
<xs:element name="method" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="registrypath" type="xs:string"/>
<xs:element name="driverimage" type="xs:string"/>
<xs:element name="Attr">
<xs:complexType>
<xs:all>
<xs:element name="Value" minOccurs="0" type="xs:string"/>
<xs:element name="OldValue" minOccurs="0" type="xs:string"/>
<xs:element name="NewValue" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
227 © 2017 FireEye

XML Notifications
<xs:element name="Element">
<xs:complexType>
<xs:sequence>
<xs:element ref="Attr" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AttrList">
<xs:complexType>
<xs:sequence>
<xs:element ref="Attr" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="ElemList">
<xs:complexType>
<xs:sequence>
<xs:element ref="Element" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="wmicontent">
<xs:complexType>
<xs:all>
<xs:element name="lang" minOccurs="0" type="xs:string"/>
<xs:element name="query" minOccurs="0" type="xs:string"/>
<xs:element name="flags" minOccurs="0" type="xs:string"/>
<xs:element name="iwbemcontext" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="wmicontents">
<xs:complexType>
<xs:sequence>
<xs:element ref="wmicontent" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="NewHtmTag">
<xs:complexType>
<xs:complexContent>
© 2017 FireEye 228

XML Notifications
<xs:all>
<xs:element ref="AttrList" minOccurs="0" />
</xs:all>
<xs:attribute name="new_tag" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="triggers">
<xs:complexType>
<xs:sequence>
<xs:element name="trigger" minOccurs="0" maxOccurs="unbounded" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="wmiquery">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="wmicontents" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ProcessTelemetryReport">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="triggers" minOccurs="0"/>
229 © 2017 FireEye

XML Notifications
<xs:element ref="telemetry_data" minOccurs="0"/>

<xs:element ref="memory_data" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="MeterpreterHostLaunched">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="Name" minOccurs="0" type="xs:string"/>
<xs:element name="Baseaddress" minOccurs="0" type="xs:string"/>
<xs:element name="Size" minOccurs="0" type="xs:string"/>
<xs:element name="OEP" minOccurs="0" type="xs:string"/>
<xs:element name="assembly" minOccurs="0" type="xs:string"/>
<xs:element name="bytes" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ba-html">
<xs:complexType>
<xs:simpleContent>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="ba-data">
<xs:complexType>
<xs:simpleContent>
© 2017 FireEye 230

XML Notifications
<xs:attribute name="field" use="optional" type="xs:string"/>

</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="button">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="class-name" use="optional" type="xs:string"/>
<xs:attribute name="title" use="optional" type="xs:string"/>
<xs:attribute name="place-holder" use="optional" type="xs:string"/>
<xs:attribute name="alt" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="buttons">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="button" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="text">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="max-length" use="optional" type="xs:integer"/>
<xs:attribute name="match-type" use="optional" type="xs:string"/>
<xs:attribute name="matched-key" use="optional" type="xs:string"/>
<xs:attribute name="matched-field" use="optional" type="xs:string"/>
231 © 2017 FireEye

XML Notifications
<xs:attribute name="new-value" use="optional" type="xs:string"/>

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="password-text-fields">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="text" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ba-form-attributes">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="form-action" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="submit-try">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="form-submitted" use="optional" type="xs:string"/>
<xs:attribute name="post-request-observed" use="optional" type="xs:string"/>
<xs:attribute name="button-index" use="optional" type="xs:integer"/>
<xs:attribute name="status-bar-text" use="optional" type="xs:string"/>
<xs:attribute name="new-url-location" use="optional" type="xs:string"/>
</xs:extension>
© 2017 FireEye 232

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="submit-details">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="submit-try" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="input-fields">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="text" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="select">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="select-index" use="optional" type="xs:integer"/>
<xs:attribute name="select-text" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
233 © 2017 FireEye

XML Notifications
<xs:element name="select-box">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="select" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="hyperlinks">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element name="link" type="xs:string" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ba-form-data">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="submit-details" minOccurs="0" />
<xs:element ref="buttons" minOccurs="0" />
<xs:element ref="password-text-fields" minOccurs="0" />
<xs:element ref="input-fields" minOccurs="0" />
<xs:element ref="ba-form-attributes" minOccurs="0" />
<xs:element ref="hyperlinks" minOccurs="0" />
<xs:element ref="select-box" minOccurs="0" />
</xs:all>
<xs:attribute name="form-number" use="optional" type="xs:integer"/>
</xs:extension>
© 2017 FireEye 234

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="ba-post-data">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="ba-data" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="browser-automation">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="url" minOccurs="0" type="xs:string"/>
<xs:element name="statusbar-text-on-load" minOccurs="0" type="xs:string"/>
<xs:element name="total-number-of-elements" minOccurs="0" type="xs:integer"/>
<xs:element name="number-of-forms" minOccurs="0" type="xs:integer"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="browser-automation-html">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="ba-html" minOccurs="0" />
</xs:all>
235 © 2017 FireEye

XML Notifications
<xs:attribute name="form-number" use="optional" type="xs:integer"/>

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="HtmTag">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="HtmSize" type="xs:integer"/>
<xs:element ref="ElemList" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="exploitcode">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="callstack" minOccurs="0"/>
</xs:all>
<xs:attribute name="protection" use="optional" type="xs:string"/>
</xs:extension>
© 2017 FireEye 236

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="file">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="values" minOccurs="0"/>
<xs:element ref="value" minOccurs="0"/>
<xs:element minOccurs="0" name="filedes"/>
<xs:element minOccurs="0" ref="filesize"/>
<xs:element minOccurs="0" name="target" type="xs:string"/>
<xs:element minOccurs="0" name="old_name" type="xs:string"/>
<xs:element minOccurs="0" name="new_name" type="xs:string"/>
<xs:element minOccurs="0" name="creationTime" type="xs:string"/>
<xs:element minOccurs="0" name="lastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="changeTime" type="xs:string"/>
<xs:element minOccurs="0" name="newCreationTime" type="xs:string"/>
<xs:element minOccurs="0" name="newLastWriteTime" type="xs:string"/>
<xs:element minOccurs="0" name="newChangeTime" type="xs:string"/>
<xs:element minOccurs="0" ref="fid"/>
<xs:element minOccurs="0" name="perm" type="xs:string"/>
<xs:element minOccurs="0" name="failure" type="xs:string"/>
<xs:element minOccurs="0" ref="EaName"/>
<xs:element minOccurs="0" name="EaValueLength" type="xs:string"/>
<xs:element minOccurs="0" name="EaValue" type="xs:string"/>
<xs:element minOccurs="0" name="CreateOptions" type="xs:string"/>
<xs:element minOccurs="0" ref="PE"/>
<xs:element minOccurs="0" name="content_after" type="xs:string"/>
<xs:element minOccurs="0" name="job_target" type="xs:string"/>
<xs:element minOccurs="0" name="job_parameter" type="xs:string"/>
<xs:element minOccurs="0" name="job_workingdir" type="xs:string"/>
<xs:element minOccurs="0" name="file_content" type="xs:string"/>
<xs:element minOccurs="0" name="old_target" type="xs:string"/>
<xs:element minOccurs="0" name="new_target" type="xs:string"/>
<xs:element name="source" minOccurs="0" type="xs:string"/>
<xs:element name="settime" minOccurs="0" type="xs:string"/>
237 © 2017 FireEye

XML Notifications
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="EaName">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="Index" use="required" type="xs:long"/>
<xs:attribute name="Count" use="required" type="xs:long"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="folder">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" ref="EaName"/>
<xs:element minOccurs="0" name="EaValueLength" type="xs:string"/>
<xs:element minOccurs="0" name="EaValue" type="xs:string"/>
<xs:element minOccurs="0" name="CreateOptions" type="xs:string"/>
</xs:all>
© 2017 FireEye 238

XML Notifications

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Entry">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="Byte" type="xs:string"/>
<xs:element minOccurs="0" name="Count" type="xs:integer"/>
<xs:element minOccurs="0" name="Percentage" type="xs:integer"/>
<xs:element minOccurs="0" name="FirstOffset" type="xs:string"/>
<xs:element minOccurs="0" name="IsNOP" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="BytesList">
<xs:complexType>
<xs:sequence>
<xs:element ref="Entry" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Count" use="optional" type="xs:integer"/>
<xs:attribute name="Distinct" use="optional" type="xs:integer"/>
</xs:complexType>
</xs:element>
<xs:element name="heapspraying">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="pattern" minOccurs="0"/>
<xs:element ref="blocksize" minOccurs="0"/>
<xs:element ref="address" minOccurs="0"/>
<xs:element ref="shellcodesize" minOccurs="0"/>
<xs:element ref="region" minOccurs="0"/>
<xs:element ref="regionsize" minOccurs="0"/>
<xs:element name="javascript" type="xs:string" minOccurs="0" />
<xs:element ref="bytesreceived" minOccurs="0"/>
239 © 2017 FireEye

XML Notifications
<xs:element ref="totalmemory" minOccurs="0"/>

<xs:element ref="lastbytesreceived" minOccurs="0"/>
<xs:element ref="lasttotalmemory" minOccurs="0"/>
<xs:element ref="incrementCount" minOccurs="0"/>
<xs:element name="BaseAddress" type="xs:string" minOccurs="0" />
<xs:element name="Size" type="xs:string" minOccurs="0" />
<xs:element name="CUnit" type="xs:string" minOccurs="0" />
<xs:element name="CCount" type="xs:integer" minOccurs="0" />
<xs:element name="RUnit" type="xs:string" minOccurs="0" />
<xs:element name="RCount" type="xs:integer" minOccurs="0" />
<xs:element name="ProcessedRCount" type="xs:integer" minOccurs="0" />
<xs:element name="TotalRCount" type="xs:integer" minOccurs="0" />
<xs:element name="Processed" type="xs:string" minOccurs="0" />
<xs:element name="RegionSize" type="xs:string" minOccurs="0" />
<xs:element name="RegionCount" type="xs:string" minOccurs="0" />
<xs:element name="TotalSize" type="xs:string" minOccurs="0" />
<xs:element name="DNA" type="xs:integer" minOccurs="0" />
<xs:element name="ChunkSize" type="xs:string" minOccurs="0" />
<xs:element name="ChunkCount" type="xs:integer" minOccurs="0" />
<xs:element name="HashSize" type="xs:string" minOccurs="0" />
<xs:element name="HashRegionCount" type="xs:string" minOccurs="0" />
<xs:element name="TotalRegionCount" type="xs:string" minOccurs="0" />
<xs:element name="Similarity" type="xs:string" minOccurs="0" />
<xs:element ref="BytesList" minOccurs="0" />
<xs:element name="HSPA_ALGO_OPTIONS" type="xs:string" minOccurs="0" />
<xs:element name="HSPA_SCANPASS_LIMIT" type="xs:string" minOccurs="0" />
<xs:element name="HSPA_SCAN_INTERVAL" type="xs:string" minOccurs="0" />
<xs:element name="SIZE_FREQUENCY_THRESHOLD" type="xs:string" minOccurs="0" />
<xs:element name="MIN_MULTIREG_REGION_SIZE" type="xs:string" minOccurs="0" />
<xs:element name="MIN_MULTIREG_ALLOC_SIZE" type="xs:string" minOccurs="0" />
<xs:element name="MIN_BIG_REGION_TO_REPORT" type="xs:string" minOccurs="0" />
<xs:element name="BIG_REGION_CHUNK_SIZE" type="xs:string" minOccurs="0" />
<xs:element name="MIN_BIG_REGION_SIMSIZE" type="xs:string" minOccurs="0" />
<xs:element name="HDR_BYTES_TO_IGNORE" type="xs:string" minOccurs="0" />
<xs:element name="BUF_DATAFREQ_SIZE_LIMIT" type="xs:string" minOccurs="0" />
<xs:element name="MAX_BYTES_INFO_TO_REPORT" type="xs:string" minOccurs="0" />
<xs:element name="TOTAL_BYTE_PERCENT_TO_REPORT" type="xs:string" minOccurs="0" />
<xs:element name="BUF_SCANSIZE_LIMIT" type="xs:string" minOccurs="0" />
<xs:element name="PERCENT_SIZE_TO_HASH" type="xs:string" minOccurs="0" />
<xs:element name="MIN_SIZE_TO_HASH" type="xs:string" minOccurs="0" />
<xs:element name="MAX_SIZE_TO_HASH" type="xs:string" minOccurs="0" />
<xs:element name="SIMILARITY_SCORE_THRESHOLD" type="xs:string" minOccurs="0" />
<xs:element name="PARALLEL_MULTIREG_PROCESSING" type="xs:string" minOccurs="0" />
<xs:element name="PARALLEL_THR_COUNT" type="xs:string" minOccurs="0" />
<xs:element name="Q_FINISH_WAIT" type="xs:string" minOccurs="0" />
© 2017 FireEye 240

XML Notifications
<xs:element name="MEM_PREFETCH" type="xs:string" minOccurs="0" />

<xs:element name="XP_HS_THRESHOLD" type="xs:string" minOccurs="0" />
<xs:element name="W7_HS_THRESHOLD" type="xs:string" minOccurs="0" />
<xs:element name="HS_DELTA" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="pattern" type="xs:string"/>
<xs:element name="blocksize" type="xs:string"/>
<xs:element name="lastbytesreceived" type="xs:string"/>
<xs:element name="lasttotalmemory" type="xs:string"/>
<xs:element name="incrementCount" type="xs:string"/>
<xs:element name="mutex">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="value"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="network">
<xs:complexType>
<xs:complexContent>
241 © 2017 FireEye

XML Notifications
<xs:sequence>
<xs:element minOccurs="0" ref="protocol_type"/>
<xs:element minOccurs="0" ref="destination_port"/>
<xs:element minOccurs="0" ref="listen_port"/>
<xs:element minOccurs="0" name="qtype" type="xs:string"/>
<xs:element minOccurs="0" name="winsock_res" type="xs:string"/>
<xs:element minOccurs="0" name="dns_response_code" type="xs:string"/>
<xs:element minOccurs="0" name="hostname" type="xs:string"/>
<xs:element minOccurs="0" name="answer_number" type="xs:string"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="ipaddress"/>
<xs:element name="http_request" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="protocol_type" type="xs:string"/>
<xs:element name="destination_port" type="xs:string"/>
<xs:element name="listen_port" type="xs:string"/>
<xs:element name="ipaddress" type="xs:string"/>
<xs:element name="http_request" type="xs:string"/>
<xs:element name="process_target">
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="duplicate_source">
<xs:complexType>
<xs:all>
</xs:all>
</xs:complexType>
</xs:element>
© 2017 FireEye 242

XML Notifications
<xs:element name="duplicate_target">
<xs:complexType>
<xs:all>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="memory_data">
<xs:complexType>
<xs:all>
<xs:element type="xs:string" name="PeakVirtualSize" minOccurs="0"/>
<xs:element type="xs:string" name="VirtualSize" minOccurs="0"/>
<xs:element type="xs:string" name="PageFaultCount" minOccurs="0"/>
<xs:element type="xs:string" name="PeakWorkingSetSize" minOccurs="0"/>
<xs:element type="xs:string" name="WorkingSetSize" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaPeakPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaPeakNonPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="QuotaNonPagedPoolUsage" minOccurs="0"/>
<xs:element type="xs:string" name="PagefileUsage" minOccurs="0"/>
<xs:element type="xs:string" name="PeakPagefileUsage" minOccurs="0"/>
<xs:element type="xs:string" name="PrivateUsage" minOccurs="0"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="telemetry_data">
<xs:complexType>
<xs:all>
<xs:element type="xs:integer" name="child_process_count" minOccurs="0"/>
<xs:element type="xs:integer" name="local_thread_count" minOccurs="0"/>
<xs:element type="xs:integer" name="remote_thread_count" minOccurs="0"/>
<xs:element type="xs:integer" name="mutex_create_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_failed_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_open_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_create_count" minOccurs="0"/>
<xs:element type="xs:integer" name="file_modify_count" minOccurs="0"/>
<xs:element type="xs:integer" name="http_req_count" minOccurs="0"/>
</xs:all>
</xs:complexType>
</xs:element>
243 © 2017 FireEye

XML Notifications
<xs:element name="process">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="pid" minOccurs="0"/>
<xs:element ref="ppid" minOccurs="0"/>
<xs:element ref="parentname" minOccurs="0"/>
<xs:element ref="cmdline" minOccurs="0"/>
<xs:element ref="filesize" minOccurs="0"/>
<xs:element name="packed" type="xs:string" minOccurs="0"/>
<xs:element name="desiredaccess" type="xs:string" minOccurs="0"/>
<xs:element name="ntstatus" type="xs:string" minOccurs="0"/>
<xs:element ref="duplicate_source" minOccurs="0"/>
<xs:element ref="duplicate_target" minOccurs="0"/>
<xs:element name="InheritHandle" type="xs:string" minOccurs="0"/>
<xs:element name="Options" type="xs:string" minOccurs="0"/>
<xs:element minOccurs="0" name="gui" type="xs:string"/>
<xs:element name="args" type="xs:string" minOccurs="0"/>
<xs:element name="app_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_short_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_crash_info" type="xs:string" minOccurs="0"/>
<xs:element name="code_type" type="xs:string" minOccurs="0"/>
<xs:element name="signal" minOccurs="0"/>
<xs:element name="signal_code" minOccurs="0"/>
<xs:element name="trapno" minOccurs="0"/>
<xs:element name="err" minOccurs="0"/>
<xs:element name="cpu_num" minOccurs="0"/>
<xs:element name="faultvaddr" minOccurs="0"/>
<xs:element name="exception_type" minOccurs="0"/>
<xs:element name="exception_code" minOccurs="0"/>
<xs:element name="register_dump" type="xs:string" minOccurs="0"/>
<xs:element name="crash_stack" type="xs:string" minOccurs="0"/>
<xs:element ref="telemetry_data" minOccurs="0"/>
<xs:element ref="memory_data" minOccurs="0"/>
</xs:all>
© 2017 FireEye 244

XML Notifications

<xs:attribute name="tType" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ppid" type="xs:integer"/>
<xs:element name="parentname" type="xs:string"/>
<xs:element name="cmdline" type="xs:string"/>
<xs:element name="process-packed">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="processstats">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="bytesreceived"/>
<xs:element ref="totalmemory"/>
<xs:element ref="id"/>
<xs:element ref="deltatime"/>
</xs:sequence>
245 © 2017 FireEye

XML Notifications

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="id" type="xs:string"/>
<xs:element name="deltatime" type="xs:string"/>
<xs:element name="regkey">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
<xs:attribute name="randomized" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="os-inactivity-send-keys">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="guestos-not-pingable">
<xs:complexType>
<xs:complexContent>
© 2017 FireEye 246

XML Notifications
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="detection-monitor-killed">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="end-of-report">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="processinfo">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="tid" minOccurs="0"/>
<xs:element name="process_cpu" minOccurs="0" type="xs:string"/>
<xs:element ref="imagepath" minOccurs="0"/>
247 © 2017 FireEye

XML Notifications

<xs:element minOccurs="0" ref="md5sum"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="imagepath" type="xs:string"/>
<xs:element name="dllname" type="xs:string"/>
<xs:element name="apiname" type="xs:string"/>
<xs:element name="address" type="xs:string"/>
<xs:element name="caller_addr" type="xs:string"/>
<xs:element name="shellcodesize" type="xs:string"/>
<xs:element name="region" type="xs:string"/>
<xs:element name="regionsize" type="xs:string"/>
<xs:element name="StackAddress" type="xs:string"/>
<xs:element name="StackLimit" type="xs:string"/>
<xs:element name="StackBase" type="xs:string"/>
<xs:element name="StackBottom" type="xs:string"/>
<xs:element name="StackTop" type="xs:string"/>
<xs:element name="ExceptionList" type="xs:string"/>
<xs:element name="Self" type="xs:string"/>
<xs:element name="ClientId" type="xs:string"/>
<xs:element name="PEBAddress" type="xs:string"/>
<xs:element name="LastErrorValue" type="xs:string"/>
<xs:element name="LastStatusValue" type="xs:string"/>
<xs:element name="params">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="param"/>
<xs:element minOccurs="0" ref="gadgets"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="param">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="id" use="required" type="xs:long"/>
</xs:extension>
© 2017 FireEye 248

XML Notifications
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="gadgets">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="enc" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="callsites">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="callsite-entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callsite-entry">
<xs:complexType>
<xs:all>
<xs:element name="address" minOccurs="0" type="xs:string" />
<xs:element name="module-name" minOccurs="0" type="xs:string" />
<xs:element name="count" minOccurs="0" type="xs:integer" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="callstack">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="callstack-entry"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="Frame"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callstack-entry">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" name="frame-number" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="instruction-address" type="xs:string"/>
249 © 2017 FireEye

XML Notifications
<xs:element maxOccurs="unbounded" minOccurs="0" name="module-name" type="xs:string"/>

<xs:element maxOccurs="unbounded" minOccurs="0" name="symbol-name" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="symbol-displacement" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="fid">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="ads" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Frame">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="Child-SP" type="xs:string"/>
<xs:element minOccurs="0" name="EBP" type="xs:string"/>
<xs:element minOccurs="0" name="Ret" type="xs:string"/>
<xs:element minOccurs="0" name="Arg1" type="xs:string"/>
<xs:element minOccurs="0" name="Symbol" type="xs:string"/>
</xs:all>
<xs:attribute name="number" use="required" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="Instructions">
<xs:complexType>
<xs:sequence>
<xs:element ref="Instruction" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Instruction">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="Address" type="xs:string"/>
<xs:element minOccurs="0" name="Opcode" type="xs:string"/>
© 2017 FireEye 250

XML Notifications
<xs:element minOccurs="0" name="Mnemonic" type="xs:string"/>

<xs:element minOccurs="0" name="Arguments" type="xs:string"/>
</xs:all>
<xs:attribute name="Number" use="optional" type="xs:string"/>
<xs:attribute name="EspOffset" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="EIPInfo">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="InstructionPtr" type="xs:string"/>
<xs:element minOccurs="0" name="InstructionModule" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="teb">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:sequence>
<xs:element ref="ExceptionList" minOccurs="0"/>
<xs:element ref="StackBase" minOccurs="0"/>
<xs:element ref="StackLimit" minOccurs="0"/>
<xs:element minOccurs="0" ref="Self"/>
<xs:element minOccurs="0" ref="ClientId"/>
<xs:element minOccurs="0" ref="PEBAddress"/>
<xs:element minOccurs="0" ref="LastErrorValue"/>
<xs:element minOccurs="0" ref="LastStatusValue"/>
</xs:sequence>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="registers">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:sequence>
<xs:choice>
<xs:sequence>
<xs:element name="rax" type="xs:string" minOccurs="0"/>
<xs:element name="rbx" type="xs:string" minOccurs="0"/>
<xs:element name="rcx" type="xs:string" minOccurs="0"/>
<xs:element name="rdx" type="xs:string" minOccurs="0"/>
<xs:element name="rsi" type="xs:string" minOccurs="0"/>
<xs:element name="rdi" type="xs:string" minOccurs="0"/>
251 © 2017 FireEye

XML Notifications
<xs:element name="rip" type="xs:string" minOccurs="0"/>

<xs:element name="rsp" type="xs:string" minOccurs="0"/>
<xs:element name="rbp" type="xs:string" minOccurs="0"/>
</xs:sequence>
<xs:sequence>
<xs:element name="eax" type="xs:string" minOccurs="0"/>
<xs:element name="ebx" type="xs:string" minOccurs="0"/>
<xs:element name="ecx" type="xs:string" minOccurs="0"/>
<xs:element name="edx" type="xs:string" minOccurs="0"/>
<xs:element name="esi" type="xs:string" minOccurs="0"/>
<xs:element name="edi" type="xs:string" minOccurs="0"/>
<xs:element name="eip" type="xs:string" minOccurs="0"/>
<xs:element name="esp" type="xs:string" minOccurs="0"/>
<xs:element name="ebp" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:choice>
<xs:element name="r8" type="xs:string" minOccurs="0"/>
<xs:element name="iopl" type="xs:string" minOccurs="0"/>
<xs:element name="cs" type="xs:string" minOccurs="0"/>
<xs:element name="ss" type="xs:string" minOccurs="0"/>
<xs:element name="ds" type="xs:string" minOccurs="0"/>
<xs:element name="es" type="xs:string" minOccurs="0"/>
<xs:element name="fs" type="xs:string" minOccurs="0"/>
<xs:element name="gs" type="xs:string" minOccurs="0"/>
<xs:element name="efl" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="appexception">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="processor" type="xs:string"/>
<xs:element minOccurs="0" name="exception_faulting_address" type="xs:string"/>
© 2017 FireEye 252

XML Notifications
<xs:element minOccurs="0" name="exception_code" type="xs:string"/>

<xs:element minOccurs="0" name="exception_level" type="xs:string"/>
<xs:element minOccurs="0" name="exception_type" type="xs:string"/>
<xs:element minOccurs="0" ref="EIPInfo"/>
<xs:element minOccurs="0" name="InstructionPtr" type="xs:string"/>
<xs:element ref="StackAddress" minOccurs="0"/>
<xs:element ref="StackBottom" minOccurs="0"/>
<xs:element ref="StackTop" minOccurs="0"/>
<xs:element minOccurs="0" name="StackRegionBase" type="xs:string"/>
<xs:element minOccurs="0" name="StackRegionLimit" type="xs:string"/>
<xs:element minOccurs="0" name="StackPtr" type="xs:string"/>
<xs:element minOccurs="0" ref="Instructions"/>
<xs:element minOccurs="0" name="Skip" type="xs:string"/>
<xs:element minOccurs="0" name="instruction_address" type="xs:string"/>
<xs:element minOccurs="0" name="instruction_module" type="xs:string"/>
<xs:element minOccurs="0" name="faulting_instruction" type="xs:string"/>
<xs:element minOccurs="0" name="FaultingInstruction" type="xs:string"/>
<xs:element minOccurs="0" name="FaultingAddress" type="xs:string"/>
<xs:element minOccurs="0" name="description" type="xs:string"/>
<xs:element minOccurs="0" name="classification" type="xs:string"/>
<xs:element minOccurs="0" ref="registers"/>
<xs:element minOccurs="0" ref="teb"/>
<xs:element minOccurs="0" ref="callstack"/>
<xs:element minOccurs="0" name="bug_title" type="xs:string"/>
<xs:element minOccurs="0" name="Content" type="xs:string"/>
</xs:all>
<xs:attribute name="reason" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="appexception_data">
<xs:complexType>
<xs:complexContent>
253 © 2017 FireEye

XML Notifications
<xs:all>
<xs:element minOccurs="0" name="data" type="xs:string"/>
</xs:all>
<xs:attribute name="sequence" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="debugcontrol">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="controlcode" type="xs:string"/>
<xs:element minOccurs="0" name="codedescription" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="SUSPICIOUS_OBJECT_CREATION">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="clsid" type="xs:string"/>
<xs:element minOccurs="0" name="desc" type="xs:string"/>
© 2017 FireEye 254

XML Notifications
<xs:element minOccurs="0" name="progid" type="xs:string"/>

</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="hiddenproc">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="imagename" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dll-exports">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" ref="exports"/>
</xs:all>
255 © 2017 FireEye

XML Notifications

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="exports">
<xs:complexType>
<xs:sequence>
<xs:element name="export-function" type="xs:string" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="TotalCount" use="optional" type="xs:integer"/>
<xs:attribute name="ValidName" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="AsyncKeyLogger">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="ProbePattern" type="xs:string"/>
<xs:element name="Yields" type="xs:string"/>
<xs:element name="Probes" type="xs:string"/>
<xs:element name="KeyLoggerType" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="CmdLine">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element name="ExitCode" type="xs:string"/>
© 2017 FireEye 256

XML Notifications

</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="spooler-dll-injection">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="dllname" minOccurs="0"/>
<xs:element ref="apiname" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="firefox">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="old_homepage" type="xs:string" minOccurs="0"/>
<xs:element name="new_homepage" type="xs:string" minOccurs="0"/>
</xs:all>
257 © 2017 FireEye

XML Notifications
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="systemshutdown">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="actiondescription" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="SSDT">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="GPA" minOccurs="0" type="xs:string"/>
<xs:element name="function" minOccurs="0" type="xs:string"/>
<xs:element name="newvalue" minOccurs="0" type="xs:string"/>
<xs:element name="target" minOccurs="0" type="xs:string"/>
<xs:element name="mode" minOccurs="0" type="xs:string"/>
<xs:element name="value" minOccurs="0" type="xs:string"/>
</xs:all>
<xs:attribute type="xs:integer" name="timestamp" use="optional"/>
</xs:extension>
© 2017 FireEye 258

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="started" type="xs:string"/>
<xs:element name="values">
<xs:complexType>
<xs:sequence>
<xs:element ref="value" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="value">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="result" use="optional" type="xs:string"/>
<xs:attribute name="action" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="bytesreceived" type="xs:string"/>
<xs:element name="totalmemory" type="xs:string"/>
<xs:element name="filesize" type="xs:string"/>
<xs:element name="md5sum" type="xs:string"/>
<xs:element name="sha1sum" type="xs:string"/>
<xs:element name="pid" type="xs:integer"/>
<xs:element name="tid" type="xs:string"/>
<xs:element name="current_tid" type="xs:string"/>
<xs:element name="hidden_tid" type="xs:string"/>
<xs:element name="uac">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="status" type="xs:string"/>
<xs:element minOccurs="0" name="accountenabled" type="xs:string"/>
<xs:element minOccurs="0" name="accountcreated" type="xs:string"/>
<xs:element minOccurs="0" name="accountname" type="xs:string"/>
<xs:element minOccurs="0" name="passwordchange" type="xs:string"/>
<xs:element minOccurs="0" name="group" type="xs:string"/>
259 © 2017 FireEye

XML Notifications
<xs:element minOccurs="0" name="memberadded" type="xs:string"/>

<xs:element minOccurs="0" name="memberremoved" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dialog-dismissed">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="dlg-id" type="xs:string" minOccurs="0"/>
<xs:element name="note" type="xs:string" minOccurs="0"/>
<xs:element name="hwnd" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="windowless" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dialog-detected">
<xs:complexType>
<xs:complexContent>
<xs:all>
© 2017 FireEye 260

XML Notifications
</xs:all>
<xs:attribute name="windowless" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="text-fields">
<xs:complexType>
<xs:sequence>
<xs:element ref="text-field" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="text-field">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="id" use="required" type="xs:integer"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="new-dialog-popup">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="title" type="xs:string" minOccurs="0"/>
<xs:element name="window-class" type="xs:string" minOccurs="0"/>
<xs:element name="size-width" type="xs:integer" minOccurs="0"/>
<xs:element name="size-height" type="xs:integer" minOccurs="0"/>
<xs:element name="position-x" type="xs:integer" minOccurs="0"/>
<xs:element name="position-y" type="xs:integer" minOccurs="0"/>
<xs:element name="visible" type="xs:string" minOccurs="0"/>
<xs:element name="topmost" type="xs:string" minOccurs="0"/>
<xs:element ref="text-fields" minOccurs="0"/>
</xs:all>
261 © 2017 FireEye

XML Notifications

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="popup-dialog">
<xs:complexType>
<xs:complexContent>
<xs:element name="title" type="xs:string" minOccurs="0"/>
<xs:element name="static" type="xs:string" minOccurs="0"/>
</xs:choice>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="thread">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="imagepath" type="xs:string" minOccurs="0"/>
<xs:element ref="current_tid" minOccurs="0"/>
<xs:element ref="hidden_tid" minOccurs="0"/>
<xs:element ref="duplicate_source" minOccurs="0"/>
<xs:element ref="duplicate_target" minOccurs="0"/>
<xs:element name="InheritHandle" type="xs:string" minOccurs="0"/>
<xs:element name="Options" type="xs:string" minOccurs="0"/>
© 2017 FireEye 262

XML Notifications
<xs:element ref="apc_routine" minOccurs="0"/>

<xs:element ref="apc_routine_context" minOccurs="0"/>
<xs:element ref="apc_routine_context2" minOccurs="0"/>
<xs:element ref="start_Address" minOccurs="0"/>
<xs:element ref="win32_Start" minOccurs="0"/>
<xs:element ref="context" minOccurs="0"/>
<xs:element ref="context2" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="start_Address">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="win32_Start">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
263 © 2017 FireEye

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="context2">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="context">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="apc_routine">
<xs:complexType mixed="true">
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
© 2017 FireEye 264

XML Notifications
<xs:element name="apc_routine_context2">
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="apc_routine_context">
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="javacall">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="class" type="xs:string" minOccurs="0"/>
<xs:element name="parentClass" type="xs:string" minOccurs="0"/>
<xs:element name="method" type="xs:string" minOccurs="0"/>
<xs:element name="parentMethod" type="xs:string" minOccurs="0"/>
<xs:element name="this" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="context" use="optional" type="xs:string"/>
265 © 2017 FireEye

XML Notifications

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="javaevent">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="id" type="xs:string" minOccurs="0"/>
<xs:element name="spanalsis" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="eventlogcmd">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="exitcode" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
© 2017 FireEye 266

XML Notifications
<xs:element name="alive">
<xs:complexType/>
</xs:element>
<xs:element name="BootSectorModified">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="md5sum_original" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_orginal" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_current" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="api_patch">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" ref="target"/>
<xs:element ref="caller_addr" minOccurs="0"/>
<xs:element name="size" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="target" use="optional" type="xs:string"/>
</xs:extension>
267 © 2017 FireEye

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="ROP">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="valid_call_instruction" type="xs:string" minOccurs="0"/>
<xs:element name="ModuleName" type="xs:string" minOccurs="0"/>
<xs:element name="ModuleBase" type="xs:string" minOccurs="0"/>
<xs:element name="CallerOffset" type="xs:string" minOccurs="0"/>
<xs:element name="PreviousBytes" type="xs:string" minOccurs="0"/>
<xs:element name="ForwardBytes" type="xs:string" minOccurs="0"/>
</xs:all>
<xs:attribute name="sequenceId" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="SuppressionData">
<xs:complexType>
<xs:all>
<xs:element name="SPStackBase" minOccurs="0" type="xs:string"/>
<xs:element name="SPStackEnd" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionRegionBase" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionRegionEnd" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionList" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionListMemType" minOccurs="0" type="xs:string"/>
<xs:element name="ExceptionListMemProtect" minOccurs="0" type="xs:string"/>
© 2017 FireEye 268

XML Notifications
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="stackpivot">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="CallerAddress" minOccurs="0" type="xs:string"/>
<xs:element name="CallerModule" minOccurs="0" type="xs:string"/>
<xs:element ref="StackBottom" minOccurs="0"/>
<xs:element ref="StackTop" minOccurs="0"/>
<xs:element name="SuppressMode" minOccurs="0" type="xs:string"/>
<xs:element ref="SuppressionData" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="application">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
<xs:attribute name="app-name" use="required" type="xs:string"/>
<xs:attribute name="timestamp" use="optional" type="xs:string"/>
</xs:extension>
269 © 2017 FireEye

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="Ransom">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="pattern"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Infector">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="pattern"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Stealer">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="newPath" type="xs:string"/>
© 2017 FireEye 270

XML Notifications

</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ProtectionChange">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="CallerAddress" type="xs:string"/>
<xs:element minOccurs="0" name="CallerModule" type="xs:string"/>
<xs:element minOccurs="0" name="Base" type="xs:string"/>
<xs:element minOccurs="0" name="Limit" type="xs:string"/>
<xs:element minOccurs="0" name="Size" type="xs:string"/>
<xs:element minOccurs="0" name="NewProt" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="EmbeddedObject">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="Application" type="xs:string"/>
<xs:element ref="pid"/>
<xs:element minOccurs="0" name="Page" type="xs:string"/>
<xs:element minOccurs="0" name="Slide" type="xs:string"/>
271 © 2017 FireEye

XML Notifications
<xs:element minOccurs="0" name="Sheet" type="xs:string"/>

<xs:element name="Type" type="xs:string"/>
<xs:element name="CreatorID" type="xs:string"/>
<xs:element minOccurs="0" name="Name" type="xs:string"/>
<xs:element minOccurs="0" name="ProgID" type="xs:string"/>
<xs:element minOccurs="0" name="Visible" type="xs:string"/>
<xs:element minOccurs="0" name="Enabled" type="xs:string"/>
<xs:element minOccurs="0" name="AutoLoad" type="xs:string"/>
<xs:element minOccurs="0" name="ShowIcon" type="xs:string"/>
<xs:element minOccurs="0" name="IconLabel" type="xs:string"/>
<xs:element minOccurs="0" name="IconName" type="xs:string"/>
<xs:element minOccurs="0" name="IconPath" type="xs:string"/>
<xs:element minOccurs="0" name="LinkPath" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="memory">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="address" type="xs:string"/>
<xs:element minOccurs="0" name="modulename" type="xs:string"/>
</xs:all>
<xs:attribute name="cs" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="droppedfile">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="name" type="xs:string"/>
<xs:element minOccurs="0" name="path" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="memory-range">
<xs:complexType>
<xs:all>
© 2017 FireEye 272

XML Notifications
<xs:element minOccurs="0" name="note" type="xs:string"/>

<xs:element minOccurs="0" name="address" type="xs:string"/>
<xs:element minOccurs="0" name="length" type="xs:string"/>
<xs:element minOccurs="0" name="value" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="memory-ranges">
<xs:complexType>
<xs:sequence>
<xs:element ref="memory-range" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="custom-patch">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="module-name" type="xs:string"/>
<xs:element minOccurs="0" name="function-name" type="xs:string"/>
<xs:element minOccurs="0" name="patch-offset" type="xs:string"/>
<xs:element minOccurs="0" name="patch-address" type="xs:string"/>
<xs:element minOccurs="0" ref="memory-ranges"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="log">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="severity" type="xs:string"/>
<xs:element minOccurs="0" name="module" type="xs:string"/>
<xs:element minOccurs="0" name="message" type="xs:string"/>
<xs:element minOccurs="0" name="gi-time" type="xs:string"/>
273 © 2017 FireEye

XML Notifications

</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Meterpreter">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="CallerAddress" type="xs:string"/>
<xs:element minOccurs="0" name="EndAddress" type="xs:string"/>
<xs:element minOccurs="0" name="Displacement" type="xs:string"/>
<xs:element minOccurs="0" name="MPUrl" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="browser-plugin-start">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="browser" type="xs:string"/>
<xs:element minOccurs="0" name="jre" type="xs:string"/>
<xs:element minOccurs="0" name="flash" type="xs:string"/>
</xs:all>
</xs:extension>
© 2017 FireEye 274

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="high_cpu">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="total_cpu" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Quit">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="invert_timing">
<xs:complexType>
<xs:complexContent>
<xs:all>
275 © 2017 FireEye

XML Notifications
<xs:element ref="caller_addr" minOccurs="0"/>

<xs:element minOccurs="0" name="backward_offset" type="xs:integer"/>
<xs:element minOccurs="0" name="forward_offset" type="xs:integer"/>
<xs:element minOccurs="0" name="hex_code" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="bugcheck">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="FEChannel">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
© 2017 FireEye 276

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="Privileges">
<xs:complexType>
<xs:sequence>
<xs:element name="Privilege" maxOccurs="unbounded" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute name="present" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="SuperPrivileges">
<xs:complexType>
<xs:all>
<xs:element ref="Privileges" minOccurs="0"/>
</xs:all>
<xs:attribute name="present" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="ProcessToken">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="LogonSession" minOccurs="0" type="xs:string"/>
<xs:element name="User" minOccurs="0" type="xs:string"/>
<xs:element ref="SuperPrivileges" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="config-update">
<xs:complexType>
<xs:complexContent>
277 © 2017 FireEye

XML Notifications
<xs:all>
<xs:element name="status" minOccurs="0" type="xs:string"/>
<xs:element name="update-requested" minOccurs="0" type="xs:string"/>
<xs:element name="files" minOccurs="0" type="xs:string"/>
<xs:element name="version" minOccurs="0" type="xs:string"/>
<xs:element name="error" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="raw-data">
<xs:complexType>
<xs:simpleContent>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="critical-error">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element name="error-id" minOccurs="0" type="xs:integer"/>
<xs:element name="error-string" minOccurs="0" type="xs:string"/>
<xs:element ref="raw-data" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="CmdInfo">
<xs:complexType>
<xs:complexContent>
© 2017 FireEye 278

XML Notifications
<xs:sequence>
<xs:element name="error-id" minOccurs="0" type="xs:integer"/>
<xs:element name="error-string" minOccurs="0" type="xs:string"/>
<xs:element ref="raw-data" minOccurs="0" maxOccurs="unbounded"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="internal-error">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="data" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="SendMessage">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="MessageType" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:extension>
279 © 2017 FireEye

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="NullPageMapping">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="AllocType" type="xs:string" minOccurs="0" />
<xs:element name="Protect" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="kexploit">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="Api" type="xs:string" minOccurs="0" />
<xs:element name="Caller" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="SystemTime">
<xs:complexType>
<xs:all>
© 2017 FireEye 280

XML Notifications
<xs:element name="Time" minOccurs="0" type="xs:string"/>

</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="PreviousTime">
<xs:complexType>
<xs:all>
<xs:element name="Time" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="SetSystemTime">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="ntstatus" minOccurs="0" type="xs:string"/>
<xs:element ref="SystemTime" minOccurs="0"/>
<xs:element ref="PreviousTime" minOccurs="0"/>
</xs:all>
<xs:attribute name="Allowed" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="QuerySystemTime">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="ntstatus" minOccurs="0" type="xs:string"/>
<xs:element ref="SystemTime" minOccurs="0"/>
</xs:all>
<xs:attribute name="Allowed" use="optional" type="xs:string"/>
281 © 2017 FireEye

XML Notifications
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="KExploit">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="Api" type="xs:string" minOccurs="0" />
<xs:element name="Caller" type="xs:string" minOccurs="0" />
<xs:element name="CallerMemType" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Method">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="Name" type="xs:string"/>
<xs:element minOccurs="0" name="Ptr" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="Vector">
<xs:complexType>
<xs:all>
<xs:element name="VectorSize" minOccurs="0" type="xs:string"/>
<xs:element name="PageBoundary" type="xs:string" minOccurs="0" />
<xs:element name="SizeFrequency" minOccurs="0" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
© 2017 FireEye 282

XML Notifications
<xs:element name="List">
<xs:complexType>
<xs:sequence>
<xs:element ref="Method" maxOccurs="unbounded" minOccurs="0"/>
<xs:element ref="Vector" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Flash">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="Dll" type="xs:string" minOccurs="0" />
<xs:element ref="List" minOccurs="0" />
<xs:element name="VectorSize" type="xs:string" minOccurs="0" />
<xs:element name="PageBoundary" type="xs:string" minOccurs="0" />
<xs:element name="SizeFrequency" type="xs:integer" minOccurs="0" />
<xs:element name="TotalVectors" type="xs:integer" minOccurs="0" />
<xs:element name="SumVectorLengths" type="xs:string" minOccurs="0" />
<xs:element name="Method" type="xs:string" minOccurs="0" />
<xs:element name="Length" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="names">
<xs:complexType>
<xs:sequence>
<xs:element name="name" maxOccurs="unbounded" minOccurs="0" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DllCharacteristics">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" ref="value"/>
283 © 2017 FireEye

XML Notifications
<xs:element minOccurs="0" ref="names"/>

</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="Characteristics">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" ref="value"/>
<xs:element minOccurs="0" ref="names"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="PE">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="Dll" type="xs:string"/>
<xs:element minOccurs="0" name="Machine" type="xs:string"/>
<xs:element minOccurs="0" name="TimeDateStamp" type="xs:string"/>
<xs:element minOccurs="0" ref="Characteristics"/>
<xs:element minOccurs="0" name="Magic" type="xs:string"/>
<xs:element minOccurs="0" name="Subsystem" type="xs:string"/>
<xs:element minOccurs="0" ref="DllCharacteristics"/>
</xs:all>
<xs:attribute name="InspectionType" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="SMEP">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="ip" type="xs:string" minOccurs="0" />
<xs:element name="address" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
© 2017 FireEye 284

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="msrinfo">
<xs:complexType>
<xs:all>
<xs:element name="type" type="xs:string" minOccurs="0" />
<xs:element name="address" type="xs:string" minOccurs="0" />
<xs:element name="content" type="xs:string" minOccurs="0" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="MSR">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="msrinfo" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="action_fopen">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="ext" type="xs:string" minOccurs="0" />
<xs:element name="name" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
285 © 2017 FireEye

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="shellcode">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="stackexec">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="StackPointer" type="xs:string" minOccurs="0" />
<xs:element name="InstructionPointer" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Destructor">
<xs:complexType>
<xs:complexContent>
© 2017 FireEye 286

XML Notifications
<xs:all>
<xs:element minOccurs="0" name="value" type="xs:string"/>
<xs:element minOccurs="0" name="md5sum" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ExfilDetect">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="Offset" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="MemInjectOp">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
287 © 2017 FireEye

XML Notifications

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="MemBruteForce">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="Adjacency" type="xs:string"/>
<xs:element minOccurs="0" name="TotalCount" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="JSSymbols">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="JStrLen" type="xs:string" minOccurs="0" />
<xs:element name="JList" type="xs:string" minOccurs="0" />
<xs:element name="JLeft" type="xs:string" minOccurs="0" />
<xs:element name="JRight" type="xs:string" minOccurs="0" />
</xs:all>
<xs:attribute name="sequence" use="optional" type="xs:integer"/>
</xs:extension>
© 2017 FireEye 288

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="JSData">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="JSNote" type="xs:string" minOccurs="0" />
<xs:element name="JSSize" type="xs:string" minOccurs="0" />
<xs:element name="JScript" type="xs:string" minOccurs="0" />
<xs:element name="JSType" type="xs:string" minOccurs="0" />
</xs:all>
<xs:attribute name="sequence" use="optional" type="xs:string"/>
<xs:attribute name="chunk" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="FirstRpidMemOp">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="IsMinApplAddress" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
289 © 2017 FireEye

XML Notifications
<xs:element name="OpList">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="unbounded" name="OpLine" type="xs:string"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="CmdOp">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="OpList"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
</xs:schema>
© 2017 FireEye 290

XML Notifications
XML Schema for OS Changes—Macintosh

The following schema is for Macintosh.

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
<xs:include schemaLocation="CommonOSCDataSet.xsd"/>
<xs:complexType name="OSCChangeSet">
<xs:sequence>
<xs:element ref="analysis" minOccurs="0"/>
<xs:element ref="os" minOccurs="0"/>
<xs:element ref="os_monitor" minOccurs="0"/>
<xs:element ref="event_logger" minOccurs="0"/>
<xs:element ref="apicall"/>
<xs:element ref="codeinjection"/>
<xs:element ref="driver"/>
<xs:element ref="exploitcode"/>
<xs:element ref="file"/>
<xs:element ref="folder"/>
<xs:element ref="heapspraying"/>
<xs:element ref="mutex"/>
<xs:element ref="network"/>
<xs:element ref="process"/>
<xs:element ref="process-packed"/>
<xs:element ref="processstats"/>
<xs:element ref="regkey"/>
<xs:element ref="uac"/>
<xs:element ref="keyloggerdetected"/>
<xs:element ref="HardwareAccessDetection"/>
<xs:element ref="dll-loaded"/>
<xs:element ref="appexception"/>
<xs:element ref="debugcontrol"/>
<xs:element ref="hiddenproc"/>
<xs:element ref="dll-exports"/>
<xs:element ref="guestos-not-pingable"/>
<xs:element ref="SSDT"/>
<xs:element ref="spooler-dll-injection"/>
<xs:element ref="detection-monitor-killed"/>
<xs:element ref="started"/>
<xs:element ref="firefox"/>
<xs:element ref="AsyncKeyLogger"/>
291 © 2017 FireEye

XML Notifications
<xs:element ref="CmdLine"/>
<xs:element ref="systemshutdown"/>
<xs:element ref="os-inactivity-send-keys"/>
<xs:element ref="dialog-dismissed"/>
<xs:element ref="thread"/>
<xs:element ref="javacall"/>
<xs:element ref="javaevent"/>
<xs:element ref="eventlogcmd"/>
<xs:element ref="alive"/>
<xs:element ref="BootSectorModified"/>
<xs:element ref="dylib"/>
<xs:element ref="mach"/>
<xs:element ref="time"/>
<xs:element ref="sudo"/>
<xs:element ref="kext"/>
<xs:element ref="exploit"/>
<xs:element ref="plist"/>
<xs:element ref="ROP"/>
<xs:element ref="application"/>
</xs:choice>
<xs:element ref="end-of-report" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
<xs:element name="analysis">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="ftype" use="required" type="xs:string"/>
<xs:attribute name="product" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="os">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="sp" use="optional" type="xs:string"/>
© 2017 FireEye 292

XML Notifications
<xs:attribute name="arch" use="optional" type="xs:string"/>

<xs:attribute name="build" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="os_monitor">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="build" type="xs:string"/>
<xs:attribute name="date" type="xs:string"/>
<xs:attribute name="time" type="xs:string"/>
<xs:attribute name="version" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="event_logger">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="build" use="required" type="xs:string"/>
<xs:attribute name="date" use="required" type="xs:string"/>
<xs:attribute name="time" use="required" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="keyloggerdetected">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element name="idhook" type="xs:string" minOccurs="0"/>
<xs:element name="hookprocaddr" type="xs:string" minOccurs="0"/>
<xs:element name="moduleaddr" type="xs:string" minOccurs="0"/>
<xs:element name="threadid" type="xs:long" minOccurs="0"/>
<xs:element name="module-name" type="xs:string" minOccurs="0"/>
<xs:element name="symbol-name" type="xs:string" minOccurs="0"/>
293 © 2017 FireEye

XML Notifications
<xs:element name="symbol-displacement" type="xs:string" minOccurs="0"/>

</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="HardwareAccessDetection">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="function" type="xs:string"/>
<xs:element minOccurs="0" name="device" type="xs:string"/>
<xs:element minOccurs="0" name="handle" type="xs:string"/>
<xs:element minOccurs="0" name="size" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dll-loaded">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="dllpath" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="apicall">
<xs:complexType>
<xs:complexContent>
© 2017 FireEye 294

XML Notifications
<xs:all>
<xs:element name="options" type="xs:string" minOccurs="0"/>
<xs:element name="assembly" type="xs:string" minOccurs="0"/>
<xs:element ref="callsites" minOccurs="0"/>
</xs:all>
<xs:attribute name="repeat" use="optional" type="xs:long"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="codeinjection">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="source">
<xs:complexType>
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="target">
<xs:complexType>
295 © 2017 FireEye

XML Notifications
<xs:sequence>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="driver">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="registrypath"/>
<xs:element ref="driverimage"/>
<xs:element ref="method"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="registrypath" type="xs:string"/>
<xs:element name="driverimage" type="xs:string"/>
<xs:element name="method" type="xs:string"/>
<xs:element name="exploitcode">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
</xs:sequence>
<xs:attribute name="protection" use="optional" type="xs:string"/>
© 2017 FireEye 296

XML Notifications
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="file">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="filedes"/>
<xs:element minOccurs="0" ref="filesize"/>
<xs:element minOccurs="0" name="target" type="xs:string"/>
<xs:element minOccurs="0" name="rename" type="xs:string"/>
<xs:element minOccurs="0" name="perm" type="xs:string"/>
</xs:all>
<xs:attribute name="type" use="optional" type="xs:integer"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="folder">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="rename" type="xs:string"/>
297 © 2017 FireEye

XML Notifications

</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="Entry">
<xs:complexType>
<xs:all>
<xs:element minOccurs="0" name="Byte" type="xs:string"/>
<xs:element minOccurs="0" name="Count" type="xs:integer"/>
<xs:element minOccurs="0" name="Percent" type="xs:integer"/>
<xs:element minOccurs="0" name="FirstOffset" type="xs:string"/>
<xs:element minOccurs="0" name="IsNOP" type="xs:string"/>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="BytesList">
<xs:complexType>
<xs:sequence>
<xs:element ref="Entry" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
<xs:attribute name="Count" use="optional" type="xs:integer"/>
<xs:attribute name="Distinct" use="optional" type="xs:integer"/>
</xs:complexType>
</xs:element>
<xs:element name="heapspraying">
<xs:complexType>
<xs:complexContent>
<xs:all>
© 2017 FireEye 298

XML Notifications
<xs:element ref="blocksize" minOccurs="0"/>

<xs:element ref="shellcodesize" minOccurs="0"/>
<xs:element ref="region" minOccurs="0"/>
<xs:element ref="regionsize" minOccurs="0"/>
<xs:element name="javascript" type="xs:string" minOccurs="0" />
<xs:element name="RUnit" type="xs:string" minOccurs="0" />
<xs:element name="RCount" type="xs:integer" minOccurs="0" />
<xs:element name="TotalSize" type="xs:string" minOccurs="0" />
<xs:element name="ProcessedRCount" type="xs:integer" minOccurs="0" />
<xs:element name="TotalRCount" type="xs:integer" minOccurs="0" />
<xs:element name="Processed" type="xs:string" minOccurs="0" />
<xs:element name="DNA" type="xs:integer" minOccurs="0" />
<xs:element ref="bytesreceived" minOccurs="0"/>
<xs:element ref="totalmemory" minOccurs="0"/>
<xs:element ref="lastbytesreceived" minOccurs="0"/>
<xs:element ref="lasttotalmemory" minOccurs="0"/>
<xs:element ref="incrementCount" minOccurs="0"/>
<xs:element ref="BytesList" minOccurs="0"/>
<xs:element name="Pattern" type="xs:string" minOccurs="0" />
<xs:element name="CUnit" type="xs:string" minOccurs="0" />
<xs:element name="CCount" type="xs:integer" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="pattern" type="xs:string"/>
<xs:element name="blocksize" type="xs:string"/>
<xs:element name="lastbytesreceived" type="xs:string"/>
<xs:element name="lasttotalmemory" type="xs:string"/>
<xs:element name="incrementCount" type="xs:string"/>
<xs:element name="mutex">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
299 © 2017 FireEye

XML Notifications
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="network">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="protocol_type" minOccurs="0"/>
<xs:element ref="destination_port" minOccurs="0"/>
<xs:element ref="listen_port" minOccurs="0"/>
<xs:element minOccurs="0" ref="ipaddress"/>
<xs:element name="http_request" type="xs:string" minOccurs="0"/>
<xs:element minOccurs="0" name="qtype" type="xs:string"/>
<xs:element minOccurs="0" name="hostname" type="xs:string"/>
<xs:element minOccurs="0" name="answer_number" type="xs:string"/>
<xs:element minOccurs="0" name="winsock_res" type="xs:string"/>
<xs:element minOccurs="0" name="dns_response_code" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="protocol_type" type="xs:string"/>
<xs:element name="destination_port" type="xs:string"/>
<xs:element name="listen_port" type="xs:string"/>
<xs:element name="ipaddress" type="xs:string"/>
<xs:element name="http_request" type="xs:string"/>
<xs:element name="parameter">
<xs:complexType>
<xs:simpleContent>
</xs:extension>
</xs:simpleContent>
© 2017 FireEye 300

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="parameters">
<xs:complexType>
<xs:sequence>
<xs:element ref="parameter" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="process">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="filesize" minOccurs="0"/>
<xs:element name="packed" type="xs:string" minOccurs="0"/>
<xs:element minOccurs="0" name="gui" type="xs:string"/>
<xs:element name="args" type="xs:string" minOccurs="0"/>
<xs:element name="app_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_short_version" type="xs:string" minOccurs="0"/>
<xs:element name="app_crash_info" type="xs:string" minOccurs="0"/>
<xs:element name="code_type" type="xs:string" minOccurs="0"/>
<xs:element name="signal" minOccurs="0" type="xs:string"/>
<xs:element name="signal_code" minOccurs="0" type="xs:string"/>
<xs:element name="trapno" minOccurs="0" type="xs:string"/>
<xs:element name="err" minOccurs="0" type="xs:string"/>
<xs:element name="cpu_num" minOccurs="0" type="xs:string"/>
<xs:element name="faultvaddr" minOccurs="0" type="xs:string"/>
<xs:element name="exception_type" minOccurs="0" type="xs:string"/>
<xs:element name="exception_code" minOccurs="0" type="xs:string"/>
301 © 2017 FireEye

XML Notifications
<xs:element name="register_dump" type="xs:string" minOccurs="0"/>

<xs:element name="crash_stack" type="xs:string" minOccurs="0"/>
<xs:element ref="parameters" minOccurs="0"/>
</xs:all>
<xs:attribute name="state" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ppid" type="xs:string"/>
<xs:element name="parentname" type="xs:string"/>
<xs:element name="cmdline" type="xs:string"/>
<xs:element name="process-packed">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="processstats">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element ref="bytesreceived"/>
<xs:element ref="totalmemory"/>
<xs:element ref="id"/>
<xs:element ref="deltatime"/>
</xs:sequence>
</xs:extension>
© 2017 FireEye 302

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="id" type="xs:string"/>
<xs:element name="deltatime" type="xs:string"/>
<xs:element name="regkey">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
<xs:attribute name="randomized" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="os-inactivity-send-keys">
<xs:complexType>
<xs:complexContent>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="end-of-report">
<xs:complexType>
<xs:complexContent>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="processinfo">
<xs:complexType>
<xs:complexContent>
<xs:all>
303 © 2017 FireEye

XML Notifications

<xs:element ref="imagepath" minOccurs="0"/>
<xs:element minOccurs="0" ref="md5sum"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="imagepath" type="xs:string"/>
<xs:element name="dllname" type="xs:string"/>
<xs:element name="apiname" type="xs:string"/>
<xs:element name="address" type="xs:string"/>
<xs:element name="shellcodesize" type="xs:string"/>
<xs:element name="region" type="xs:string"/>
<xs:element name="regionsize" type="xs:string"/>
<xs:element name="StackAddress" type="xs:string"/>
<xs:element name="StackLimit" type="xs:string"/>
<xs:element name="StackBase" type="xs:string"/>
<xs:element name="StackBottom" type="xs:string"/>
<xs:element name="StackTop" type="xs:string"/>
<xs:element name="is64bit" type="xs:string"/>
<xs:element name="params">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="param"/>
<xs:element minOccurs="0" ref="gadgets"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="param">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="id" use="optional" type="xs:long"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
© 2017 FireEye 304

XML Notifications
<xs:element name="gadgets">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="enc" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="callsites">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="callsite-entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callsite-entry">
<xs:complexType>
<xs:all>
<xs:element name="address" minOccurs="0" type="xs:string" />
<xs:element name="module-name" minOccurs="0" type="xs:string" />
<xs:element name="count" minOccurs="0" type="xs:integer" />
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="callstack">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" ref="callstack-entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="callstack-entry">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="0" name="frame-number" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="instruction-address" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="module-name" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="symbol-name" type="xs:string"/>
<xs:element maxOccurs="unbounded" minOccurs="0" name="symbol-displacement" type="xs:string"/>
</xs:sequence>
305 © 2017 FireEye

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="fid">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="ads" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="appexception">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="exception_faulting_address" type="xs:string"/>
<xs:element minOccurs="0" name="exception_code" type="xs:string"/>

<xs:element minOccurs="0" name="exception_level" type="xs:string"/>
<xs:element minOccurs="0" name="exception_type" type="xs:string"/>
<xs:element minOccurs="0" name="instruction_address" type="xs:string"/>
<xs:element minOccurs="0" name="description" type="xs:string"/>
<xs:element minOccurs="0" name="classification" type="xs:string"/>
<xs:element minOccurs="0" name="bug_title" type="xs:string"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="debugcontrol">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="controlcode" type="xs:string"/>
<xs:element minOccurs="0" name="codedescription" type="xs:string"/>
</xs:all>
</xs:extension>
© 2017 FireEye 306

XML Notifications
</xs:complexType>
</xs:element>
<xs:element name="hiddenproc">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element minOccurs="0" name="imagename" type="xs:string"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dll-exports">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" ref="exports"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="exports">
<xs:complexType>
<xs:sequence>
<xs:element name="export-function" type="xs:string" maxOccurs="unbounded" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AsyncKeyLogger">
<xs:complexType>
<xs:complexContent>
<xs:all>
307 © 2017 FireEye

XML Notifications
<xs:element name="ProbePattern" type="xs:string"/>
<xs:element name="Yields" type="xs:string"/>
<xs:element name="Probes" type="xs:string"/>
<xs:element name="KeyLoggerType" type="xs:string" minOccurs="0" />
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="CmdLine">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element name="ExitCode" type="xs:string"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="spooler-dll-injection">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="firefox">
<xs:complexType>
© 2017 FireEye 308

XML Notifications
<xs:complexContent>
<xs:sequence>
<xs:element name="old_homepage" type="xs:string" minOccurs="0"/>
<xs:element name="new_homepage" type="xs:string" minOccurs="0"/>
<xs:element name="pid" type="xs:string" minOccurs="0"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="systemshutdown">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element name="actiondescription" type="xs:string"/>
</xs:sequence>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="detection-monitor-killed" type="xs:string"/>
<xs:element name="SSDT">
<xs:complexType>
<xs:complexContent>
<xs:sequence>
<xs:element name="mode" minOccurs="0" type="xs:string"/>
<xs:element name="value" minOccurs="0" type="xs:string"/>
</xs:sequence>
<xs:attribute type="xs:short" name="timestamp" use="optional"/>
</xs:extension>
</xs:complexType>
</xs:element>
309 © 2017 FireEye

XML Notifications
<xs:element name="started" type="xs:string"/>

<xs:element name="guestos-not-pingable" type="xs:string"/>
<xs:element name="value">
<xs:complexType>
<xs:simpleContent>
<xs:attribute name="result" use="optional" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="bytesreceived" type="xs:string"/>
<xs:element name="totalmemory" type="xs:string"/>
<xs:element name="filesize" type="xs:string"/>
<xs:element name="md5sum" type="xs:string"/>
<xs:element name="sha1sum" type="xs:string"/>
<xs:element name="pid" type="xs:string"/>
<xs:element name="tid" type="xs:string"/>
<xs:element name="current_tid" type="xs:string"/>
<xs:element name="hidden_tid" type="xs:string"/>
<xs:element name="uac">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element minOccurs="0" name="status" type="xs:string"/>
<xs:element minOccurs="0" name="accountenabled" type="xs:string"/>
<xs:element minOccurs="0" name="accountcreated" type="xs:string"/>
<xs:element minOccurs="0" name="accountname" type="xs:string"/>
<xs:element minOccurs="0" name="passwordchange" type="xs:string"/>
<xs:element minOccurs="0" name="group" type="xs:string"/>
<xs:element minOccurs="0" name="memberadded" type="xs:string"/>
<xs:element minOccurs="0" name="memberremoved" type="xs:string"/>
</xs:all>
<xs:attribute name="mode" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
© 2017 FireEye 310

XML Notifications
<xs:element name="dialog-dismissed">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="pid" type="xs:string" minOccurs="0"/>
<xs:element name="note" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="thread">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="imagepath" type="xs:string" minOccurs="0"/>
<xs:element ref="current_tid" minOccurs="0"/>
<xs:element ref="hidden_tid" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="javacall">
<xs:complexType>
<xs:complexContent>
<xs:all>
311 © 2017 FireEye

XML Notifications
<xs:element name="class" type="xs:string" minOccurs="0"/>

<xs:element name="parentClass" type="xs:string" minOccurs="0"/>
<xs:element name="method" type="xs:string" minOccurs="0"/>
<xs:element name="parentMethod" type="xs:string" minOccurs="0"/>
<xs:element name="this" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="javaevent">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="id" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="eventlogcmd">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="exitcode" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
© 2017 FireEye 312

XML Notifications
<xs:element name="alive">
<xs:complexType/>
</xs:element>
<xs:element name="BootSectorModified">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="md5sum_orginal" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_original" type="xs:string" minOccurs="0"/>
<xs:element name="md5sum_current" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="dylib">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="mach">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="addr" type="xs:string" minOccurs="0"/>
<xs:element name="size" type="xs:string" minOccurs="0"/>
<xs:element name="target-process" type="xs:string" minOccurs="0"/>
<xs:element name="target-pid" type="xs:string" minOccurs="0"/>
<xs:element name="target-port" type="xs:string" minOccurs="0"/>
<xs:element name="remote-addr" type="xs:string" minOccurs="0"/>
313 © 2017 FireEye

XML Notifications
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="time">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="sudo">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="kext">
<xs:complexType>
<xs:complexContent>
<xs:all>
</xs:all>
© 2017 FireEye 314

XML Notifications

</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="exploit">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="nop-start-addr" type="xs:string" minOccurs="0"/>
<xs:element name="nop-pattern" type="xs:string" minOccurs="0"/>
<xs:element name="nop-length" type="xs:string" minOccurs="0"/>
<xs:element name="stack-pointer-value" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="plist">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element name="key" type="xs:string" minOccurs="0"/>
<xs:element name="string" type="xs:string" minOccurs="0"/>
<xs:element name="old_string" type="xs:string" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="ROP">
<xs:complexType>
315 © 2017 FireEye

XML Notifications
<xs:complexContent>
<xs:all>
</xs:all>
<xs:attribute name="sequenceId" use="optional" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="application">
<xs:complexType>
<xs:complexContent>
<xs:attribute name="app-name" use="required" type="xs:string"/>
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="machtrap">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="is64bit" minOccurs="0"/>
</xs:all>
<xs:attribute name="state" use="optional" type="xs:string"/>
© 2017 FireEye 316

XML Notifications
</xs:extension>
</xs:complexType>
</xs:element>
<xs:element name="syscall">
<xs:complexType>
<xs:complexContent>
<xs:all>
<xs:element ref="is64bit" minOccurs="0"/>
</xs:all>
</xs:extension>
</xs:complexType>
</xs:element>
</xs:schema>
317 © 2017 FireEye

JSON Notifications
The following section provides Java Script Object Notation (JSON) notification examples for each infection type. Additional sections
describe each element and sub-element provided by JSON notification messages. The format shares definitions with the XML Notifications
Schema on page 115 , XML Schema for OS Changes—Macintosh on page 291, and XML Schema for OS Changes—Windows on page 216.
If you are sending alert notifications in XML or JSON to a rsyslog server using the extended output option, the size of the alert
notification is likely to exceed the 4K UDP limit. To avoid this limit, use TCP as the transportation layer instead of UDP.
l JSON Notification Examples per Infection Type on the next page

l JSON Definitions on page 346
l JSON Definitions for HX Series on page 425
© 2017 FireEye 318

JSON Notifications
JSON Notification Examples per Infection Type

Event: malware-callback (CM Series)
{
"product": "CMS",
"appliance-id": "00259085F738",
"appliance": "center1.eng.fireeye.com",
"alert": {
"src": {
"ip": "xxx.xxx.xxx.xxx",
"mac": "00:00:50:40:00:44",
"vlan": "0",
"port": "1114"
},
"product": "Web MPS",
"appliance-id": "0025907F5E42",
"dst": {
"mac": "00:00:00:50:40:55",
"port": "80"
},
"explanation": {
"malware-detected": {
"malware": {
"name": "Trojan.MalJava",
"stype": "bot-command",
"sid": "86100470"
}
},
"cnc-services": {
"cnc-service": {
"location": "GB/High Wycombe",
"protocol": "tcp",
"port": "80",
"channel": "GET /jb/jar.class HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (Windows XP 5.1)
Java/1.6.0_16\r\nHost: 3635736986\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*;
q=.2\r\nConnection: keep-alive",
"address": "xxx.xxx.xxx.xxx"
}
},
319 © 2017 FireEye

JSON Notifications
"protocol": "tcp",
"analysis": "content"
},
"alert-url": "https://center1.eng.fireeye.com/event_stream/events_for_bot?ev_id=1",
"locations": "GB/High Wycombe",
"root-infection": "1",
"name": "malware-callback",
"action": "notified",
"version": "7.9.0.474115",
"occurred": "2016-07-13 00:52:14+00",
"interface": {
"interface": "pether4",
"mode": "tap",
"label": "A2"
},
"sensor-ip": "xxx.xxx.xxx.xxx",
"sensor": "qa-607-5",
"id": "1",
"severity": "crit"
},
"version": "7.9.0.474115",
"msg": "normal"
}
Event: malware-callback (NX Series)

{
"appliance-id": "0CC47A12279C",
"appliance": "tikka.mrl.fireeye.com",
"alert": {
"src": {
"mac": "92:73:75:00:00:35",
"host": "119-168-188-108.rev.home.ne.jp",
"vlan": "0",
"port": "1176"
},
"severity": "crit",
"alert-url": "https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ev_id=2000",
"explanation": {
"malware": {
"name": "Trojan.Downloader.Delf.UD",
© 2017 FireEye 320

JSON Notifications
"sid": "89042535"
}
},
"cnc-services": {
"cnc-service": {
"location": "US/CA/Rancho Cordova",
"protocol": "tcp",
"port": "80",
"channel": "GET /newad.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip,
deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\nHost:
the.microgood.net\r\nConnection: Keep-Alive",
}
},
"protocol": "tcp",
},
"locations": "US/CA/Rancho Cordova",
"id": "2000",
"occurred": "2016-07-19 07:37:13+00",
"interface": {
"mode": "tap",
"label": "A1"
},
"dst": {
"mac": "00:19:d1:fd:a2:52",
"port": "80"
},
"name": "malware-callback"
},
"version": "7.9.0.476843",
"msg": "extended"
}
Event: malware-object (CM Series)

{
"product": "CMS",
"appliance-id": "00259085F738",
321 © 2017 FireEye

JSON Notifications
"alert": {
"src": {
"mac": "00:00:50:40:00:44",
"vlan": "0",
"port": "4260"
},
"name": "malware-object",
"dst": {
"mac": "00:00:00:50:40:55",
"port": "80"
},
"explanation": {
"malware": {
"http-header": "GET
/ber/bery.py/oH85ad2e26V03009f35002R1d006976102Tce61e035Q00000049901801F002a000aJ02000601l0409Ke496c0ad303
HTTP/1.1\r\naccept-encoding: pack200-gzip,gzip\r\nUser-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_
02\r\nHost: ockvfsqtbkm.com\r\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\nConnection:
keep-alive\r\n\r\nHTTP/1.1 200 OK\r\nServer: nginx/0.7.62\r\nDate: Mon, 19 Apr 2010 21:41:43 GMT\r\nContent-
Type: application/octet-stream\r\nConnection: close\r\nPragma: no-cache\r\nContent-Length: 6386",
"malicious": "yes",
"name": "Malware.Binary",
"downloaded-at": "2016-07-13T00:53:26Z",
"md5sum": "4f8d2d616b1324db5dfa60b54f8fcf1a",
"executed-at": "2016-07-13T00:53:32Z",
"type": "jar",
"original":
"oH85ad2e26V03009f35002R1d006976102Tce61e035Q00000049901801F002a000aJ02000601l0409Ke496c0ad303",
"stype": "known-md5sum"
}
},
"protocol": "tcp",
"analysis": "binary"
},
"alert-url": "https://center1.eng.fireeye.com/event_stream/events_for_bot?ma_id=2",
"occurred": "2016-07-13 00:53:32+00",
"class": "IPS",
"version": "7.9.0.474115",
"interface": {
© 2017 FireEye 322

JSON Notifications
"mode": "tap"
},
"sensor": "qa-607-5",
"id": "2",
"severity": "majr"
},
"version": "7.9.0.474115",
"msg": "normal"
}

{
"alert": {
"src": {
"mac": "08:00:27:c1:7f:5a",
"vlan": "0",
"port": "1984"
},
"severity": "crit",
"alert-url": "https://tikka.mrl.fireeye.com/event_stream/events_for_bot?ma_id=432",
"explanation": {
"malware": {
"profile": "win7-sp1m",
"http-header": "GET /qa-test-data/14R1-test-data/mas-test-data/14R2-test-data/cve-samples/2014-1761.rtf
HTTP/1.1\r\nHost: xxx.xxx.xxx.xxx\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1; rv:34.0) Gecko/20100101
Firefox/34.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-
US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://xxx.xxx.xxx.xxx/qa-test-data/14R1-test-
data/mas-test-data/14R2-test-data/cve-samples/\r\nConnection: keep-alive\r\n\r\n HTTP/1.1 200 OK\r\nDate: Fri,
22 May 2015 08:43:24 GMT\r\nServer: Apache/2.2.22 (Ubuntu)\r\nLast-Modified: Thu, 03 Jul 2014 10:38:21
GMT\r\nETag: \"4635838-6b8f-4fd479b8c2140\"\r\nAccept-Ranges: bytes\r\nContent-Length: 27535\r\nKeep-Alive:
timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: application/rtf",
"md5sum": "b59bd1a54e2456fc6557dd571c7603e7",
"name": "FE_APT_Generic_Exploit_JDOC_CVE_2014_1761_2",
"downloaded-at": "2016-07-19T08:57:20Z",
"origid": "431",
"malicious": "yes",
"executed-at": "2016-07-19T08:57:23Z",
323 © 2017 FireEye

JSON Notifications
"application": "Multiple MS Word X",

"sid": "431",
"type": "rtf",
"original": "2014-1761.rtf",
"stype": "duplicate-md5sum"
}
},
"protocol": "tcp",
"analysis": "binary"
},
"occurred": "2016-07-19 08:57:23+00",
"id": "432",
"interface": {
"mode": "tap"
},
"dst": {
"mac": "52:54:00:12:35:02",
"port": "80"
},
"name": "malware-object"
},
"version": "7.9.0.476843",
"msg": "extended"
}

{
"alert": {
"action": "blocked",
"alert-url": "https://lionking-97.mrl.fireeye.com/emps/eanalysis?e_id=18",
"dst": {
"smtp-to": "[email protected]"
},
"explanation": {
"malware": {
"executed-at": "2017-02-09T11:20:54Z",
"md5sum": "2b5ac4b4f89a136c7e5a8bac11b2344f",
"name": "Trojan.Xtrat",
"type": "exe"
}
© 2017 FireEye 324

JSON Notifications
}
},
"id": "21",
"name": "malware-object",
"occurred": "2017-02-09T11:20:54Z",
"severity": "majr",
"src": {
"smtp-mail-from": "[email protected]",
"url": "/cfe32123-ff6a-4c4b-861b-f33bd1b89fc4"
}
},
"appliance": "lionking-97.mrl.fireeye.com",
"appliance-id": "0C:C4:7A:69:10:1C",
"msg": "concise",
"product": "Email MPS",
"version": "7.9.0.588405"
}
Event: web-infection (NX Series)

{
"alert": {
"src": {
"vlan": "0"
},
"severity": "majr",
"alert-url": "https://tikka.mrl.fireeye.com/event_stream/events_for_bot?inc_id=627",
"explanation": {
"malware": {
"name": "Exploit.Dropper.url.MVX"
}
}
},
"occurred": "2016-07-19T09:13:48Z",
"class": "IPS",
"id": "627",
"name": "web-infection"
},
325 © 2017 FireEye

JSON Notifications
"version": "7.9.0.476843",
"msg": "concise"
}
Event: infection-match (CM Series)

{
"product": "CMS",
"appliance-id": "00259085F738",
"alert": {
"src": {
"mac": "00:0c:29:9e:e9:da",
"host": "ip-95-223-164-201.hsi16.unitymediagroup.de",
"vlan": "0",
"port": "1106"
},
"name": "infection-match",
"dst": {
"mac": "00:50:56:f7:db:db",
"port": "80"
},
"explanation": {
"malware": {
"name": "Exploit.Kit.TDS",
"sid": "84000130"
}
},
"cnc-services": {
"cnc-service": {
"protocol": "tcp",
"port": "80",
"channel": "GET /in.cgi?2 HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nUser-Agent: Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\nAccept-Encoding: gzip, deflate\r\nHost: w0.five-
mountain.org\r\nConnection: Keep-Alive",
}
},
© 2017 FireEye 326

JSON Notifications
"protocol": "tcp",
},
"occurred": "2016-07-13 00:54:15+00",
"class": "IPS",
"version": "7.9.0.474115",
"interface": {
"mode": "tap",
"label": "A2"
},
"sensor": "qa-607-5",
"id": "11",
"severity": "minr"
},
"version": "7.9.0.474115",
"msg": "normal"
}

{
"alert": {
"src": {
"mac": "d6:96:0a:84:24:15",
"host": "67-218-73-59.dyn.actaccess.net",
"vlan": "0",
"port": "1057"
},
"severity": "minr",
"explanation": {
"malware": {
"name": "Trojan.Ramnit",
327 © 2017 FireEye

JSON Notifications
"sid": "84400000"
}
},
"cnc-services": {
"cnc-service": {
"protocol": "tcp",
"port": "80",
"channel": "GET http://yipinlawyer.com/ HTTP/1.1\r\nHost: yipinlawyer.com\r\nversion=6,0,0,0\" width=\"'+
swf_width +'\" height=\"'+ swf_height +'\">');\r\ndocument.write('<param name=\"movie\"
value=\"/flash/slideflash.swf\"><param name=\"quality\" value=\"high\">');\r\ndocument.write('<param
name=\"menu\" value=\"false\"><param name=wmode value=\"opaque\">');\r\ndocument.write('<param
name=\"FlashVars\" value=\"bcastr_file='+files+'&bcastr_link='+links+'&bcastr_title='+texts+'&bcastr_
config='+configtg+'\">');\r\ndocument.write('<embed src=\"/flash/slideflash.swf\" wmode=\"opaque\"
FlashVars=\"bcastr_file='+files+'&bcastr_link='+links+'&bcastr_title='+texts+'&bcastr_config='+configtg+'&
menu=\"false\" quality=\"high\" width=\"'+ swf_width +'\" height=\"'+ swf_height +'\" type=\"application/x-
shockwave-flash\" pluginspage=\"http://www.macromedia.com/go/getflashplayer\" />'); document.write
('</object>'); \r\n</SCRIPT></div><SCRIPT Language=VBScript><!--\r\nDropFileName = \"svchost.exe\"\r\nWriteData
= \"4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000",
}
},
"protocol": "tcp",
},
"occurred": "2016-07-19 09:07:18+00",
"id": "2085",
"interface": {
"mode": "tap",
"label": "A1"
},
"dst": {
"mac": "00:50:56:e5:3f:c5",
"port": "80"
},
"name": "infection-match"
},
"version": "7.9.0.476843",
"msg": "extended"
}
© 2017 FireEye 328

JSON Notifications
Event: domain-match (CM Series)

{
"product": "CMS",
"appliance-id": "00259085F738",
"alert": {
"src": {
"mac": "00:0c:29:9e:e9:da",
"host": "ip-95-223-164-201.hsi16.unitymediagroup.de",
"vlan": "0",
"port": "1025"
},
"name": "domain-match",
"dst": {
"mac": "00:50:56:f7:db:db"
},
"explanation": {
"malware": {
"name": "Trojan.Generic.DNS",
"stype": "blacklist",
"sid": "80481791"
}
},
"cnc-services": {
"cnc-service": {
"protocol": "udp",
"port": "53",
"address": "refullania.com"
}
},
"protocol": "udp",
},
"occurred": "2016-07-13 00:54:16+00",
"class": "IPS",
"version": "7.9.0.474115",
329 © 2017 FireEye

JSON Notifications
"interface": {
"mode": "tap",
"label": "A2"
},
"sensor": "qa-607-5",
"id": "50",
"severity": "minr"
},
"version": "7.9.0.474115",
"msg": "normal"
}
Event: domain-match (NX Series)

{
"alert": {
"src": {
"mac": "92:73:75:00:00:35",
"host": "119-168-188-108.rev.home.ne.jp",
"vlan": "0",
"port": "1025"
},
"severity": "minr",
"explanation": {
"malware": {
"name": "Trojan.Win32.Dogrobot.gen.E",
"stype": "blacklist",
"sid": "89017273"
}
},
"cnc-services": {
"cnc-service": {
"protocol": "udp",
"port": "53",
"address": "the.microgood.net"
}
© 2017 FireEye 330

JSON Notifications
},
"protocol": "udp",
},
"occurred": "2016-07-19 07:37:13+00",
"id": "1999",
"interface": {
"mode": "tap",
"label": "A1"
},
"dst": {
"mac": "00:19:d1:fd:a2:52"
},
"name": "domain-match"
},
"version": "7.9.0.476843",
"msg": "extended"
}
Event: ips-event
{
"alert": {
"occurred": "2016-07-13T00:54:15Z",
"name": "ips-event",
"version": "7.9.0.474115",
"severity": "crit",
"src": {
"port": 80,
"mac": "00:50:56:f7:db:db"
},
"class": "IPS",
"id": 2,
"sensor": "qa-607-5",
"vlan": "0",
"alert-url": "https://center1.eng.fireeye.com/notification_url/ips_events?ev_id=2",
"dst": {
331 © 2017 FireEye

JSON Notifications
"port": 1111,
"mac": "00:0c:29:9e:e9:da"
},
"explanation": {
"ips-detected": {
"cve-id": "",
"action-taken": "may be blocked in future by the default policy",
"attack-mode": "client",
"match-count": 1,
"sig-name": "Suspicious Java Jar Instantiation",
"sig-id": "85305189",
"sig-revision": "9",
"mvx-status": "ATTACK"
}
},
"interface": {
"mode": "tap",
"label": "A2"
}
},
"appliance-id": "00259085F738",
"msg": "normal",
"version": "7.9.0.474115",
"product": "CMS",
"appliance": "center1.eng.fireeye.com"
}
{
"version": "7.9.0.517470",
"msg": "normal",
"appliance": "axhwmps.eng.fireeye.com",
"appliance-id": "0025908673D0",
"alert": {
"occurred": "2016-08-13T07:18:49Z",
"name": "riskware-callback",
"id": 14914,
"class": "RISKWARE",
"severity": "minr",
"alert-url": "https://axhwmps.eng.fireeye.com/notification_url/riskware?ev_id=637&inf_id=14914&inf_
© 2017 FireEye 332

JSON Notifications
type=Riskware%20Callback",
"explanation": {
"malware": {
"name": "Adware.MultiPlug",
"malicious": "no",
"url": "http://49939.northstar.api.socdn.com/installer/ad0d8641-dff0-11e3-8a58-
80c16e6f498c/12932238/config",
"downloaded-at": "2016-08-13T07:18:49Z",
"executed-at": "2016-08-13T07:18:49Z"
}
},
"cnc-services": {
"cnc-service": {
"port": 80,
"protocol": "tcp",
"address": "49939.northstar.api.socdn.com",
"location": "IT"
}
}
}
}
}
{
"version": "7.9.0.517470",
"msg": "normal",
"appliance": "axhwmps.eng.fireeye.com",
"appliance-id": "0025908673D0",
"alert": {
"occurred": "2016-08-11T12:58:36Z",
"name": "riskware-object",
"id": 5772,
"class": "RISKWARE",
"severity": "minr",
"alert-url": "https://axhwmps.eng.fireeye.com/notification_url/riskware?ev_id=311&inf_id=5772&inf_
type=Riskware%20Callback",
"explanation": {
"malware": {
333 © 2017 FireEye

JSON Notifications
"md5sum": "4e3abdb86d76859a2595766512743196",
"name": "PUP.Generic.MVX",
"malicious": "no",
"executed-at": "2016-08-11T12:58:36Z",
"type": "exe",
"url": "xxx.xxx.xxx.xxx/4e3abdb86d76859a2595766512743196",
"sha256": "911c7379ac995628da64606a0726305d961c64be6e5a1a1421081cde1884f370",
"downloaded-at": "2016-08-11T12:58:35Z",
"http-header": "GET /4e3abdb86d76859a2595766512743196 HTTP/1.0::~~User-Agent: Wget/1.12 (linux-
gnu)::~~Accept: */*::~~Host: 16.16.16.11::~~Connection: Keep-Alive::~~X-Forwarded-For:
159.54.252.133::~~HTTP/1.1 200 OK::~~Date: Wed, 30 Sep 2015 16:01:03 GMT::~~Server: Apache/2.2.15
(CentOS)::~~Last-Modified: Tue, 29 Sep 2015 22:18:09 GMT::~~ETag: \"1940777-a390a-520ea305bb73d\"::~~Accept-
Ranges: bytes::~~Content-Length: 669962::~~Connection: close::~~Content-Type: text/plain; charset=UTF-8::~~"
}
}
}
}
}
Event: indicator-presence
{
"msg": "normal",
"product": "HX",
"alert": {
"_id": 35,
"host": {
"hostname": "random_925_13",
"ip": "::1",
"containment_state": "normal",
"os": "Mac OS X",
"agent_id": "029FFC1489600237718B14",
"agent_version": "24.0.1"
},
"resolution": "ALERT",
"event_id": 22711,
"condition": {
"_id": "KTJc8+cso4CIbODVBFDShw==",
"enabled": true,
"tests": [
{
"operator": "ends-with",
"token": "fileWriteEvent/filePath",
"type": "text",
© 2017 FireEye 334

JSON Notifications
"value": "\\temp"
},
{
"operator": "equal",
"token": "fileWriteEvent/md5",
"type": "md5",
"value": "aae466492bb90812d0ff1a7158885a6c",
"negate": true
},
{
"operator": "contains",
"token": "fileWriteEvent/filePath",
"type": "text",
"value": "janitor_21days",
"negate": true
},
{
"token": "fileWriteEvent/fileName",
"type": "text",
"value": "process.dll"
},
{
"type": "md5",
"value": "84b904fa12c1a5528bf5730d5e6a5e8b",
"negate": true
},
{
"type": "md5",
"value": "09b130ebf4f2356efe383e1956f4a7bc",
"negate": true
},
{
"type": "md5",
"value": "d7350452606c57b16c3d4f92a9d949fa",
"negate": true
}
]
},
335 © 2017 FireEye

JSON Notifications
"event_at": "2017-03-15T18:47:41.205+00:00",
"matched_at": "2017-03-15T18:47:41.205+00:00",
"reported_at": "2017-03-15T18:47:41.205+00:00",
"source": "IOC",
"matched_source_alerts": null,
"event_type": "fileWriteEvent",
"event_values": {
"fileWriteEvent/timestamp": "2011-11-19T01:22:45.726Z",
"fileWriteEvent/drive": "C",
"fileWriteEvent/id": 316951377,
"fileWriteEvent/closed": 1,
"fileWriteEvent/pid": 28102,
"fileWriteEvent/filePath": "Program Files\\Internet Explorer",
"fileWriteEvent/fileName": "a.exe",
"fileWriteEvent/lowestFileOffsetSeen": 40,
"fileWriteEvent/textAtLowestOffset": "",
"fileWriteEvent/dataAtLowestOffset": "",
"fileWriteEvent/process": "csrss.exe",
"fileWriteEvent/md5": "232bbd00d62f84d63152db286b1e59f8",
"fileWriteEvent/writes": 64,
"fileWriteEvent/size": 1839,
"fileWriteEvent/fileExtension": "",
"fileWriteEvent/fullPath": "C:\\windows\\system32\\s.dll",
"fileWriteEvent/numBytesSeenWritten": 55
},
"uuid": "c81db400-5324-43a8-b0b9-c952d9103000"
},
"version": "3.5.0.615648",
"appliance-id": "870000000000",
"appliance": "yi-callisto1"
}
Event: indicator-executed
{
"msg": "normal",
"product": "HX",
"alert": {
"_id": 32,
"host": {
"ip": "10.78.198.100",
"os": "Mac OS X",
© 2017 FireEye 336

JSON Notifications
"agent_id": "DD333E1489600237717B11",
},
"event_id": 11424,
"condition": {
"_id": "RvTjvvDZtyRXCmz+40L_YQ==",
"enabled": true,
"tests": [
{
"token": "regKeyEvent/valueName",
"type": "text",
"value": "javaupdater"
},
{
"operator": "contains",
"token": "regKeyEvent/path",
"type": "text",
"value": "currentversion\\run"
}
]
},
"event_at": "2017-03-15T18:42:44.014+00:00",
"matched_at": "2017-03-15T18:42:44.014+00:00",
"reported_at": "2017-03-15T18:42:44.014+00:00",
"source": "IOC",
"event_type": "regKeyEvent",
"event_values": {
"regKeyEvent/path": "System",
"regKeyEvent/value": "25",
"regKeyEvent/hive": "HKEY_CURRENT_USER",
"regKeyEvent/keyPath": "XX",
"regKeyEvent/eventType": "None",
"regKeyEvent/timestamp": "2017-03-15T18:42:44.014Z",
"regKeyEvent/valueType": "DWORD",
"regKeyEvent/valueName": "Logon",
"regKeyEvent/id": "20",
"regKeyEvent/text": "25",
"regKeyEvent/process": "explorer.exe",
"regKeyEvent/pid": "10000"
},
"uuid": "5e732338-b5a1-495b-bbd4-81c504019e40"
},
337 © 2017 FireEye

JSON Notifications
"version": "3.5.0.615648",
"appliance-id": "870000000000",
}
Event: exploit-blocked
{
"msg": "normal",
"appliance": "yi-callisto3",
"product": "HX",
"alert": {
"uuid": "4b337f9c-ec05-4240-82a7-bb5c33475af0",
"condition": null,
"_id": 6424,
"event_type": null,
"host": {
"os": "Windows XP SP2",
"ip": "10.95.112.58",
"agent_id": "E7E6C61489344714203B13",
"agent_version": "12.0.1",
"containment_state": "normal"
},
"resolution": "BLOCK",
"event_values": null,
"event_at": "2017-03-15T18:18:25.501+00:00",
"matched_at": "2017-03-15T18:18:25.501+00:00",
"source": "EXD",
"analysis_details": [
{
"detail_type": "analysis",
"analysis": {
"mode": "malware",
"ftype": "unknown type",
"rules_version": "1.34",
"engine_version": "2.0.0.91",
"whitelist_version": "0.20"
}
},
{
"detail_type": "os",
"os": {
"name": "windows",
© 2017 FireEye 338

JSON Notifications
"version": "6.1.7601",
"sp": "1"
}
},
{
"EXPLOITED_PROCESS": {
"pid": "1088",
"processinfo": {
"pid": "1088",
"imagepath": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"md5sum": "407cd767ac09047f8573066858cc871e"
}
},
"detail_type": "EXPLOITED_PROCESS"
},
{
"detail_time": "2017-03-15T18:18:25.501Z",
"detail_type": "exploitcode",
"exploitcode": {
"timestamp": "131340755055010000",
"processinfo": {
"pid": "1088",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "31"
}
},
{
"detail_type": "OS-CORRELATION",
"OS-CORRELATION": {
"MESSAGE": "Exploit Shellcode launching a process",
"analysis-id": "31"
}
},
{
"detail_time": "2017-03-15T18:18:25.501Z",
"detail_type": "action",
"action": {
"analysis-id": "31",
"mode": "terminate",
"timestamp": "131340755055010000",
"result": "success",
"processinfo": {
"pid": "1088",
339 © 2017 FireEye

JSON Notifications
"md5sum": "407cd767ac09047f8573066858cc871e"
}
}
},
{
"detail_time": "2017-03-15T18:18:25.501Z",
"detail_type": "process",
"process": {
"value": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"ppid": "2376",
"mode": "terminated",
"analysis-id": "32",
"eventid": "65382",
"pid": "1088",
"parentname": "N/A",
"cmdline": "iexplore.exe --fileevent",
"timestamp": "131340755055010000"
}
},
{
"analysis_result": {
"is_malicious": "no",
"is_blocked": "yes",
"_CONTENTS": "\nExploit Shellcode launching a process\n"
},
"detail_type": "analysis_result"
}
],
"reported_at": "2017-03-15T18:18:25.502+00:00",
"event_id": null
},
"appliance-id": "860AD5C199E0",
"version": "3.5.0.614932"
}
Event: exploit-detected
{
"msg": "normal",
"product": "HX",
"alert": {
"_id": 8,
© 2017 FireEye 340

JSON Notifications
"host": {
"ip": "c497:a2e4:1c74:80c5:c00b:ff8a:359d:b7ab",
"os": "Mac OS X",
"agent_id": "CF29E91489600237716B10",
},
"event_id": null,
"condition": null,
"event_at": "2017-03-15T17:51:18.943+00:00",
"matched_at": "2017-03-15T17:51:18.943+00:00",
"reported_at": "2017-03-15T17:51:18.947+00:00",
"source": "EXD",
"event_type": null,
"event_values": {
"earliest_detection_time": "2017-03-15T17:51:18Z",
"analysis_details": [
{
"detail_type": "analysis",
"analysis": {
"whitelist_version": "0.20",
"mode": "malware",
"rules_version": "1.34",
"ftype": "unknown type",
"engine_version": "2.0.0.91"
}
},
{
"os": {
"version": "6.1.7601",
"name": "windows",
"sp": "1"
},
"detail_type": "os"
},
{
"EXPLOITED_PROCESS": {
"pid": "612",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
341 © 2017 FireEye

JSON Notifications
}
},
"detail_type": "EXPLOITED_PROCESS"
},
{
"detail_type": "heapspraying",
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "5"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "OS-CORRELATION",
"OS-CORRELATION": {
"MESSAGE": "Heap spray pattern detected",
"analysis-id": "5"
}
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "6"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
© 2017 FireEye 342

JSON Notifications
},
"analysis-id": "7"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "8"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "9"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "10"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
343 © 2017 FireEye

JSON Notifications
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "11"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "12"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "13"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"heapspraying": {
"timestamp": "131340738789430000",
"processinfo": {
"pid": "612",
© 2017 FireEye 344

JSON Notifications
"md5sum": "407cd767ac09047f8573066858cc871e"
},
"analysis-id": "14"
},
"detail_time": "2017-03-15T17:51:18.943Z"
},
{
"detail_type": "process",
"detail_time": "2017-03-15T17:51:18.943Z",
"process": {
"value": "C:\\Users\\Administrator.W7EN86-0\\Desktop\\DropTools\\iexplore.exe",
"pid": "612",
"parentname": "N/A",
"ppid": "2376",
"cmdline": "iexplore.exe --patternspray",
"mode": "terminated",
"timestamp": "131340738789430000",
"eventid": "42332",
"analysis-id": "15"
}
},
{
"detail_type": "analysis_result",
"analysis_result": {
"is_malicious": "no",
"is_blocked": "no",
"_CONTENTS": "\nHeap spray pattern detected\n"
}
}
],
"process_id": "612",
"messages": [
"Heap spray pattern detected"
],
"process_name": "iexplore.exe"
},
"uuid": "fbafb320-4da3-4441-ba50-6bb1e81e117a"
},
"version": "3.5.0.615648",
"appliance-id": "870000000000",
}
345 © 2017 FireEye

JSON Notifications
JSON Definitions
All of FireEyeʼs JSON values are strings. See the parameters in the table for examples of JSON syntax.
© 2017 FireEye 346

JSON Notifications
Event
Type
alerts alerts represents the topmost element NX MC (See more examples in XML 6.0
NAME in the notification XPath. AX WI Notification Examples per 6.1
FX BA Infection Type on page 122): 6.2
For example:
EX IM 6.3
(same for all releases) l /appliance
CM MW 6.4
"appliance": DM l /appliance-id 7.x
"2001:470:84a7:1720:2e0:81ff:fe4f:ac03", MO l /product
"product": "Web MPS", IE
l /version
"version": "6.2.0.75853", RC
"msg": "concise", RO l /msg
"alert": { l /alert/id
"id": "918",
l /alert/name
"name": "domain-match",
"severity": "minr", l /alert/severity
"src": " " l /alert/src/vlan
"smtp-message
l /alert/smtp-message/id
"alert-url": "https://xxx.xxx.xxx.xxx/...", l /alert/interface/label
"dst": {
l /alert/interface/mode
"mac": "00:50:56:e8:ba:21"
"malware-detected": { l /alert/explanation/
"malware": { analysis
"name": "Trojan.Downloader.Bredolab" l /alert/explanation/
} protocol
}
l /alert/explanation/urls
}
347 © 2017 FireEye

JSON Notifications
Event
Type
}, l /alert/explanation/
{ malware-detected/
"appliance": malware/content
"2001:470:84a7:1720:2e0:81ff:fe4f:ac03",
malware-detected/
"version": "6.2.0.75853",
malware/name
"alert": {
"id": "2989", l /alert/explanation/
"name": "infection-match", malware-detected/
"severity": "minr", malware/scan
"action": "notified", l /alert/explanation/
"alert-url": "https://xxx.xxx.xxx.xxx/" malware-detected/
"dst": { malware/sid
"mac": "0a:20:02:8f:a4:27",
malware-detected/
"port": "80"
malware/type
},
"explanation": { l /alert/explanation/
"analysis": "binary", malware-detected/
"protocol": "tcp", malware/stype
"cnc-services": { l /alert/explanation/
"cnc-service": { malware-detected/
"port": "80", malware/archives
"protocol": "tcp",
"address": "xxx.xxx.xxx.xxx",
malware-detected/
"channel": "GET /games/...
malware/parent
HTTP/1.1::...::~~::~~"
© 2017 FireEye 348

JSON Notifications
Event
Type
} l /alert/explanation/
}, malware-detected/
"malware-detected": { malware/origid
"malware": {
"name": "Exploit.ToolKit",
malware-detected/
"sid": "84000006",
malware/malicious
"stype": "bot-command"
} l /alert/explanation/
} stolen_data/event_id
}, l /alert/explanation/
"interface": { stolen_data/size
"label": "A1",
"mode": "tap",
stolen_data/info/
"interface": "pether3"
decrypted
},
"occurred": "2012-10-10T07:10:50Z", l /alert/explanation/
"src": { stolen_data/info/
"vlan": "0", encryption
"ip": "xxx.xxx.xxx.xxx", l /alert/explanation/
"mac": "42:54:11:11:ff:03", stolen_data/info/type
"port": "49169"
}
stolen_data/info/
}
field/name
}
cnc-services/
cnc-service/port
349 © 2017 FireEye

JSON Notifications
Event
Type
cnc-services/
cnc-service/protocol
os-changes/osinfo
os-changes/id
os-changes/version
alerts/ appliance-id represents the appliance that NX MC Appliance ID. 7.x

appliance-id was the origin of the alert. AX WI
Six hexadecimal numbers
FX BA
For example (from a CM Series appliance):
EX IM
"product": "CMS", CM MW
"appliance-id": "01234567897A", DM
"appliance": "xxx.xxx.xxx.xxx", MO
"alert": { IE
"src": { RC
"ip": "87.678.913.234", RO
"mac": "00:0c:29:4e:57:60",
"vlan": "0"
},
"appliance-id": "9876543210D0",
© 2017 FireEye 350

JSON Notifications
Event
Type
alerts/ alert represents the element REF= in the NX MC “/alert“ is the secondary level 6.0
alert notification XPath AX WI element of each notification 6.1
FX BA message. It may include at least 6.2
For example:
EX IM one of the following sub- 6.3
(not applicable for release 6.0; same for CM MW elements: 6.4
(See more examples in XML
"alert": { MO
Notification Examples per
"id": "29129", IE
Infection Type on page 122):
"name": "malware-object", RC
"severity": "majr", RO l /src
"action": "notified", l /explanation
"alert-url":
l /alert-url
"https://xxx.xxx.xxx.xxx/
event_stream/events_for_bot? l /action
ma_id=29129&lms_ l /locations
iden=00:E0:81:4F:AC:03",
l /occurred
"dst": {
"ip": "221.187.185.88"
},
351 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ src represents the element REF for the NX MC This element might include at 6.0
alert/ infected host. The source is either an email AX WI least one of the following sub- 6.1
src address or an IP address. The source FX BA elements or attributes in the 6.2
IP address is that of the victim of the EX IM notification: 6.3
infection, not the origin of the malware. CM MW 6.4
l /alerts/alert/src
DM 7.x
For example:
MO l /alerts/alert/src/vlan
(not applicable for release 6.0; same for IE l /alerts/alert/src/ip
releases 6.1 and later) RC
l /alerts/alert/src/mac
"src": { RO
"ip": "xxx.xxx.xx.xxx", l /alerts/alert/src/url
"mac": "00:20:18:11:ff:40", l /alerts/alert/src/host
"vlan": "0",
l /alerts/alert/src/port
"port": "49177"
}, l /alerts/alert/src/
domain
or
"src": {
smtp-mail-from
"url": "/3lC3L55QC4z3NZNm
-1-5_mal_files.zip", l /alerts/alert/src/
"domain": "sender.com", repository
"smtp-mail-from": l /alerts/alert/src/
"[email protected]" proxy
},
These sub-elements and attribute
are described further in other
rows of this table.
© 2017 FireEye 352

JSON Notifications
Event
Type
alerts/ vlan represents the VLAN ID. NX MC vlan is an XPath attribute of the 6.0
alert/ AX WI src element, and this attribute 6.1
For example:
src/ FX BA includes the following sub- 6.2
vlan (not applicable for release 6.0; same for EX IM element values: 6.3
releases 6.1 and later) CM MW 6.4
l ip
"src": { DM 7.x
"vlan": "0", MO l port
"ip": "xxx.xxx.xxx.xxx", IE l mac
"mac": "42:54:11:11:ff:03", RC
"port": "49169" RO
}
alerts/ ip represents the IP address of the infected NX MC 16-byte integer IPv4 address 6.0
alert/ host. AX WI 6.1
src/ FX BA 6.2
For example:
ip EX IM 6.3
"src": { MO
"vlan": "0", IE
"ip": "xxx.xxx.xxx.xxx", RC
} RO
353 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ mac represents the MAC address of the NX MC MAC Address 6.0
alert/ infected host. AX WI Six colon-separated hexadecimal 6.1
src/ FX BA numbers 6.2
For example:
mac EX IM 6.3
"src": { MO
"vlan": "0", IE
"mac": "42:54:11:11:ff:03", RO
"port": "49169"
}
© 2017 FireEye 354

JSON Notifications
Event
Type
alerts/ url represents the URL associated with the NX MC HTTP or HTTPS source URL of 6.0
alert/ malware. AX WI the malware. 6.1
src/ FX BA 6.2
For example:
url EX IM 6.3
"src": { MO
"vlan": "0", IE
"mac": "42:54:11:11:ff:03", RO
"port": "49169"
"url": “https://xxx.xxx.xxx.xxx/event_
stream/
events_for_bot?ma_id\=51056&lms_
iden\=00:25:90:54:7E:6E cs1Label=sname
cs1=Trojan.
Generic”
}
355 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ host represents the hostname of the NX MC String 6.0

1023 characters
host EX IM 6.3
For example:
CM MW 6.4
"src": { IE
"host": "icqdos0", RC
} RO
alerts/ port is the port of the infected machine as NX MC Integer 6.0

src/ FX BA Valid Port Numbers 0~65535 6.2
For example:
port EX IM 6.3
"src": { MO
"port": "49169", IE
} RC
RO
© 2017 FireEye 356

JSON Notifications
Event
Type
alerts/ domain represents the domain of the NX MC String 6.x

alert/ infected machine as detected by a FireEye AX WI 7.x
src/ appliance MVX FX BA
domain EX IM
For example:
CM MW
"src": { IE
"domain": "networkAlpha.com", RC
} RO
alerts/ smtp-mail-from represents the user name EX MC String 6.0

alert/ of the sender of the malicious email CM WI 6.1
1023 characters
src/ detected by a FireEye appliance. BA 6.2
smtp-mail-from IM 6.3
For example:
MW 6.4
- “smtp-mail-from”: “perfEmailauto IE
mation.local” RC
RO
357 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ repository is the file system SharePoint or AX MC String 6.0

alert/ mount point. FX WI 6.1
1023 characters
src/ CM BA 6.2
For example:
repository IM 6.3
(not applicable for release 6.0; same for MW 6.4
- “repository”: “sharepoint” MO
IE
RC
RO
alerts/ proxy represents HTTP proxy (IP address) NX MC IP address 6.0

alert/ of the infected host system. AX WI 6.1
src/ FX BA 6.2
For example:
proxy EX IM 6.3
- “proxy”: “xxx.xxx.xxx.xxx” MO
IE
RC
RO
© 2017 FireEye 358

JSON Notifications
Event
Type
alerts/ alert-url represents the URL generated by NX MC String 6.0

alert/ the FireEye MVX of the alert notification AX WI 6.1
1023 characters
alert-url for a detected malware. FX BA 6.2
EX IM 6.3
For example:
CM MW 6.4
- “alert-url”: IE
“https://xxx.xxx.xxx.xxx/event_ RC
stream_events_for_bot?ev_id= RO
12762&lms_iden=00:E0:81
:4F:AC:03”
alerts/ action represents the notification action NX MC action options: 6.0

alert/ taken by the system during a malware AX WI 6.1
l notified
action detection. FX BA 6.2
EX IM l blocked 6.3
For example:
CM MW 6.4
- “action”: “notified”, IE
- “action”: “blocked” RC
RO
359 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ locations represents the geolocation from NX MC String 6.0

alert/ which the detected malware originated. AX WI 6.1
Two-letter abbreviation of
locations FX BA 6.2
For example: country name(s); comma-
EX IM 6.3
separated multiple locations are
supported.
- “locations”: “FR” MO
IE
RC
RO
alerts/ occurred represents the date and time of NX MC Time stamp: 6.0
alert/ the malware infection. AX WI 6.1
l yyyy-mm-ddTHH:mm
occurred FX BA 6.2
For example:
EX IM l standard XML daytime 6.3
(not applicable for release 6.0; same for CM MW format 6.4
- “occurred”: “2012-10-11T20:09:39Z” MO
IE
RC
RO
© 2017 FireEye 360

JSON Notifications
Event
Type
alerts/ For EX Series appliances, dst represents EX MC This element might include at 6.x
alert/ the email destination of the targeted host. CM WI least one of the following sub- 7.x
dst For NX Series appliances, dst represents BA elements in the notification:
the destination host targeted by the IM
l alerts/alert/dst/mac
infected source host. MW
DM l alerts/alert/dst/port
For example, for an EX Series appliance:
MO l alerts/alert/dst/ip
(not applicable for release 6.0; same for IE
releases 6.1 and later) l alerts/alert/dst/smtp-to
RC
- "dst": { RO l alerts/alert/dst/smtp-cc
"ip": "xxx.xxx.xxx.xxx", These sub-elements are described
"mac": "00:10:db:ff:20:80", further in other rows of this table.
"port": "80"
...
For example, for an NX Series appliance:
(not applicable for release 6.0; same for
releases 6.1 and later)
"dst": {
"mac": "02:35:4b:f8:74:8e",
"port": "80"
...
361 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ mac represents the MAC address of the NX MC MAC Address 6.x
alert/ attacker host. AX WI 7.x
Six colon-separated hexadecimal
dst/ FX BA
For example: numbers
mac EX IM
- "dst": { MO
"ip": "xxx.xxx.xxx.xxx", IE
"mac": "00:10:db:ff:20:80", RC
"port": "80" RO
...
alerts/ port is the port of the attacker machine as NX MC Integer 6.0

Valid port numbers 0~65535
dst/ FX BA 6.2
For example:
port EX IM 6.3
- "dst": { MO
"mac": "00:10:db:ff:20:80", RC
"port": "80" RO
...
© 2017 FireEye 362

JSON Notifications
Event
Type
alerts/ ip represents the IP address of the attacker EX MC 16-byte integer IPv4 address 6.x
alert/ host. CM WI 7.x
dst/ BA
For example:
ip IM
- "dst": { MO
"mac": "00:10:db:ff:20:80", RC
"port": "80" RO
...
alerts/ smtp-to represents the recipient of the NX MC String 6.x

alert/ malicious email detected by a FireEye AX WI 7.x
1023 characters
dst/ appliance. FX BA
smtp-to EX IM
For example:
CM MW
"dst": { IE
"smtp-to": RC
"[email protected]" RO
},
363 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ smtp-cc represents the recipient of the EX MC String 6.x

alert/ malicious email detected by a FireEye CM WI 7.x
1023 characters
dst/ appliance BA
smtp-cc IM
For example:
MW
- "dst": { IE
"smtp-cc": "[email protected]", RO
"port": "80"
...
© 2017 FireEye 364

JSON Notifications
Event
Type
alerts/ smtp-message represents the SMTP email EX MC String 6.x

alert/ message ID and other information CM WI 7.x
1023 characters
smtp-message associated with the infected email. BA
IM This element might include at
For example:
MW least one of the following sub-
(not applicable for release 6.0; same for DM elements and attribute in the
releases 6.1 and later) MO notification:
- "smtp-message": IE l alerts/alert/
“20121017232425.6706.77689. RC smtp-message/
Email-48fireeye.com” RO subject
... l alerts/alert/
smtp-message/
smtp-header
l alerts/alert/
smtp-message/
last-malware
l alerts/alert/
smtp-message/
protocol
l alerts/alert/
smtp-message
/id
These sub-elements and attribute

are described further in other
rows of this table.
365 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ subject represents the SMTP email EX MC String 6.x

alert/ message subject line on the infected email. CM WI 7.x
1023 characters
smtp-message/ BA
For example:
subject IM
- "smtp-message": { MO
“subject”: IE
“RE:Upcoming Meeting” RC
} RO
...
alerts/ smtp-header provides the SMTP email EX MC String 6.x

alert/ message header (including any configured CM WI 7.x
1023 characters
smtp-message/ X-header data) of the infected email. BA
smtp-header IM
For example:
MW
- "smtp-message": { IE
“smtp-header”: RC
“X-FireEye: Malicious Email Found” RO
}
...
© 2017 FireEye 366

JSON Notifications
Event
Type
alerts/ last-malware represents the name EX MC String 6.x

alert/ associated with last malicious email CM WI 7.x
1023 characters
smtp-message/ infection. BA
last-malware IM
For example:
MW
- "smtp-message": { IE
“last-malware”: RC
“Trojan.Win32” RO
}
...
alerts/ protocol represents the transport protocol EX MC TCP or UDP 6.x

alert/ detected by the FireEye appliance MVX. CM WI 7.x
smtp-message/ BA
For example:
protocol IM
(not applicable for release 6.0) MW
- "smtp-message": { DM
“protocol”: MO
“udp” IE
} RC
RO
...
367 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The id attribute represents the SMTP email EX MC String 6.x

alert/ message ID of the infected email. CM WI 7.x
1023 characters
smtp-message/ BA
For example:
id IM
- "smtp-message": { MO
“id”: “20121017232425.6706.77689.Email- IE
48fireeye.com” RC
} RO
...
alerts/ The interface element represents the NX MC String 6.0

alert/ configured interface n the FireEye AX WI 6.1
1023 characters
interface appliance. FX BA 6.2
EX IM 6.3
For example: This element might include at
CM MW 6.4
least one of the following
attributes in the notification:
"interface": { IE l alerts/alert/interface/
"label": "A1", RC label
"mode": "tap", RO l alerts/alert/interface/
"interface": "pether3" mode
},
further in other rows of this table.
© 2017 FireEye 368

JSON Notifications
Event
Type
alerts/ The label attribute represents the label of NX MC String 6.x

alert/ the FireEye appliance interface. AX WI 7.x
1023 characters
interface/ FX BA
For example:
label EX IM
"interface": { MO
"label": "A1", IE
"mode": "tap", RC
"interface": "pether3" RO
},
alerts/ The mode attribute indicates whether the NX MC String 6.0

alert/ FireEye appliance is deployed in SPAN or AX WI 6.1
1023 characters
interface/ TAP mode. FX BA 6.2
mode EX IM There are two values: 6.3
For example:
CM MW l tap 6.4
releases 6.1 and later) l inline
MO
"interface": { IE
"label": "A1", RC
"mode": "tap", RO
"interface": "pether3"
},
369 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The explanation element provides NX MC This element might include at 6.0
alert/ supporting details about the MVX AX WI least one of the following 6.1
explanation analysis and detected malware. FX BA attributes and sub-elements in 6.2
EX IM the notification: 6.3
For example:
CM MW 6.4
(not applicable for release 6.0; same for l alerts/alert/explanation/
DM 7.x
releases 6.1 and later) analysis
MO
"explanation": { IE l alerts/alert/explanation/
"analysis": "binary", RC protocol
"protocol": "tcp", RO l alerts/alert/explanation/
"cnc-services": { urls
"cnc-service": {
"port": "80",
service
"protocol": "tcp",
"address": "xxx.xxx.xxx.xxx", l alerts/alert/explanation/
"channel": "GET /games/... anomaly
...Connection: keep- l alerts/alert/explanation/
alive::~~Referer: http:// target-application
moa3.co.cc/imgurlfx.php?
hl=180ce3af78870604::~~::
target-os
~~"
} l alerts/alert/explanation/
}, stolen_data
"malware-detected": { l alerts/alert/explanation/
"malware": { malware-detected/
"name": "Exploit.Tool
Kit.BlackHole",
malware-detected
"sid": "84000006",
© 2017 FireEye 370

JSON Notifications
Event
Type
"stype": "bot-command" l alerts/alert/explanation/

} cnc-services
}
},
os-changes
alerts/ The “explanation” element’s attribute NX MC The type of malware analysis 6.0
alert/ analysis describes the type of analysis AX WI model used with the following 6.1
explanation/ performed by the FireEye appliance MVX. FX BA possible values: 6.2
analysis EX IM 6.3
For example: l none
CM MW 6.4
(not applicable for release 6.0; same for DM l replay 7.x
releases 6.1 and later) MO l direct-entry
"explanation": { IE
l malware
"analysis": "binary", RC
"protocol": "tcp", RO l binary-analysis
"cnc-services": { l content-analysis
"cnc-service": {
"port": "80",
"protocol": "tcp",
...
371 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The “explanation” element’s attribute NX MC protocol options include: 6.0

alert/ protocol describes the type of protocol AX WI 6.1
l udp
explanation/ detected by the FireEye appliance MVX. FX BA 6.2
protocol EX IM l tcp 6.3
For example:
CM MW 6.4
"explanation": { IE
"protocol": "tcp", RO
...
alerts/ The “explanation” element’s attribute urls NX MC URLs that may have been 6.0
alert/ represents the URLs detected by the AX WI involved in an infection. 6.1
explanation/ FireEye appliance MVX, separated by FX BA 6.2
urls commas. EX IM 6.3
CM MW 6.4
For example:
DM 7.x
"explanation": { RC
"analysis": "binary", RO
"protocol": "tcp",
"urls”: “https://xxx.xxx.xxx.xxx/event_
stream/events_for_bot?ma_id\=51056&l
ms_iden\=00:25:90:54:7E:6E
cs1Label=sname cs1=Trojan. Generic>”...
...}
© 2017 FireEye 372

JSON Notifications
Event
Type
alerts/ The service element represents the profile NX MC String 6.0

alert/ service name set for the FireEye appliance AX WI 6.1
1023 characters
explanation/ MVX. FX BA 6.2
service EX IM 6.3
For example:
CM MW 6.4
"explanation": IE
"service": "service name”... RC
... RO
alerts/ The anomaly element defines the type of NX MC Available values for the type of 6.0
alert/ anomalous event detected by the FireEye AX WI anomaly detected: 6.1
explanation/ appliance MVX. FX BA 6.2
l anomaly-tag
anomaly EX IM 6.3
For example:
CM MW l datatheft 6.4
l keylogger
l misc-anomaly
"explanation": IE
"anomaly": "misc-anomaly”... RC
... RO
373 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The target-application element indicates NX MC String 6.0

alert/ the application running in the FireEye AX WI 6.1
1023 characters
explanation/ appliance MVX profile at the time of FX BA 6.2
target-application infection. EX IM Name of the application running 6.3
CM MW on the infected target. 6.4
For example:
DM 7.x
"explanation": RC
"target-application": "InternetEx RO
plorer 6.0.2600.0000.xpcli
ent.010817-1148”...
...
alerts/ The target-os element indicates the NX MC String 6.0

alert/ operating system running in the FireEye AX WI 6.1
1023 characters
explanation/ appliance MVX at the time of infection. FX BA 6.2
target-os EX IM Name of the OS running on the 6.3
For example:
CM MW infected target. 6.4
"explanation": IE
"target-os": "Microsoft WindowsXP RC
Professional 5.1 RO
base”...
© 2017 FireEye 374

JSON Notifications
Event
Type
alerts/ The stolen-data element provides NX MC This element might include at 6.0
alert/ information about data stolen at the time AX WI least one of the following 6.1
explanation/ of infection. FX BA attributes in the notification: 6.2
stolen_data EX IM 6.3
For example: l alerts/alert/explanation/
CM MW 6.4
(not applicable for release 6.0; same for stolen_data/event_id
DM 7.x
releases 6.1 and later) MO l alerts/alert/explanation/
“stolen_data”: } IE stolen_data/size
” "size”: "99" l alerts/alert/explanation/
} stolen_data/info/decrypted
"info:”: { l alerts/alert/explanation/
"type”: "identity" , stolen_
"encryption": “RC4", data/info/encryption
"decrypted”: "yes"
} stolen_data/info/type
"description”: l alerts/alert/explanation/
"FireEye sample malware-call stolen_
back data-theft plugin output data/info/description
for sid 2345”,
"severity”: “3”, stolen_data/info/severity
"field”: { l alerts/alert/explanation/
"service" “https://www.fe-/ stolen_
examples.com/samples/ data/info/field/name
reporting/login
"name”: "user",
"name”: "password",
375 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The event_id attribute represents the NX MC String 6.0

alert/ stolen data event ID. AX WI 6.1
1023 characters
For example:
stolen_data/ EX IM FireEye appliance internal 6.3
event_id (not applicable for release 6.0; same for CM MW unique event ID 6.4
“stolen_data”: } MO
” "size”: "99" IE
” "event_id”: "events_for_bot?ma_id\ RC
=51056&lms_iden\= 00:25:90:54:7E:6E" RO
}
alerts/ The size attribute represents the size of the NX MC String 6.0
alert/ stolen data in bytes. AX WI 6.1
1023 characters
For example:
size (not applicable for release 6.0; same for CM MW 6.4
” "size”: "99" IE
” "event_id”: "events_for_bot?ma_id\ RC
=51056&lms_iden\= 00:25:90:54:7E:6E" RO
}
© 2017 FireEye 376

JSON Notifications
Event
Type
alerts/ The decrypted attribute indicates whether NX MC String 6.0

alert/ the stolen data file was decrypted. AX WI 6.1
1023 characters
For example:
decrypted releases 6.1 and later) DM 7.x
” "size”: "99" IE
} RC
RO
"info:”: {
"type”: "identity" ,
"encryption": “RC4",
}
377 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The encrypted attribute indicates whether NX MC String 6.0

alert/ the stolen data file was encrypted. AX WI 6.1
1023 characters
For example:
encrypted releases 6.1 and later) DM 7.x
” "size”: "99" IE
} RC
RO
"info:”: {
"type”: "identity" ,
}
© 2017 FireEye 378

JSON Notifications
Event
Type
alerts/ The type attribute represents the type of NX MC String 6.0

alert/ stolen data. AX WI 6.1
1023 characters
For example:
stolen_data/ EX IM Available stolen data types: 6.3
l identity (identity theft)
l credit card theft
” "size”: "99" IE
} RC
RO
"info:”: {
"type”: "credit card theft" ,
}
379 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The info/description element provides a NX MC String 6.0

alert/ description of the stolen data. AX WI 6.1
4096 characters
For example:
description releases 6.1 and later) DM 7.x
“stolen_data”: MO
"description”: IE
"FireEye sample malware-call RC
back data-theft plugin output RO
for sid 2345”,
"severity”: “3”,
...
© 2017 FireEye 380

JSON Notifications
Event
Type
alerts/ The info/severity element represents the NX MC String 6.0

alert/ severity level of the infection. AX WI 6.1
Available severity levels:
For example:
stolen_data/ EX IM l unkn (unknown 0) 6.3
l minr (minor 1)
severity releases 6.1 and later) DM 7.x
l majr (major 2)
“stolen_data”: MO
"description”: IE l crit (critical 3)
"FireEye sample malware-call RC
back data-theft plugin output RO
for sid 2345”,
"severity”: “crit”,
...
381 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The name attribute represents name of the NX MC String 6.0

alert/ info field in the alert notification. AX WI 6.1
1023 characters
For example:
field/ releases 6.1 and later) DM 7.x
name “stolen_data”: } MO
” "size”: "99" IE
} RC
RO
"description”:
"FireEye sample malware-call
back data-theft plugin output
for sid 2345”,
"severity”: “3”,
"field”: {
"service" “https://www.fe-/
examples.com/samples/
reporting/login
"name”: "user",
"name”: "password",
}
© 2017 FireEye 382

JSON Notifications
Event
Type
alerts/ The malware-detected element provides NX MC This element might include at 6.0
alert/ details about detected malware. AX WI least one of the following 6.1
For example:
malware-detected EX IM 6.3
(not applicable for release 6.0; same for l alerts/alert/explanation/
CM MW 6.4
releases 6.1 and later) malware-detected/
DM 7.x
malware
"malware-detected": { MO
"malware": { IE l alerts/alert/explanation/
"name": RC malware-detected/
"Worm.Email.Bagle", RO malware/content
"sid": "11111276", l alerts/alert/explanation/
"stype": "bot-command" malware-detected/
} malware/name
malware-detected/
malware/scan
malware-detected/
malware/sid
malware-detected/
malware/type
malware-detected/
malware/stype
383 © 2017 FireEye

JSON Notifications
Event
Type
malware-detected/
malware/archives
malware-detected/
malware/parent
malware-detected/
malware/origid
malware-detected/
malware/archive
malware-detected/
malware/malicious
malware-detected/
malware/note
malware-detected/
malware/url
malware-detected/
malware/profile
© 2017 FireEye 384

JSON Notifications
Event
Type
malware-detected/
malware/md5sum
malware-detected/
malware/application
malware-detected/
malware/http-header
malware-detected/
malware/domain
malware-detected/
malware/user
malware-detected/
malware/original
malware-detected/
malware/downloaded-at
malware-detected/
malware/executed-at
385 © 2017 FireEye

JSON Notifications
Event
Type
malware-detected/
malware/objurl

other rows of this table.
alerts/ The malware element uses attributes that NX MC This element might include at 6.0
alert/ define the detected malware. AX WI least one of the following 6.1
For example:
(not applicable for release 6.0; same for l content
malware CM MW 6.4
releases 6.1 and later) DM l name 7.x
"explanation": { MO l scan
"malware-detected": { IE
l sid
"malware": { RC
"name": "Trojan.Down RO l type
loader.Bredolab" l stype
}
l archives
}
, l parent
l origid
l malicious

further in other rows of this table.
© 2017 FireEye 386

JSON Notifications
Event
Type
alerts/ The content attribute defines the content NX MC Content attribute options: 6.0
alert/ type of a URL associated with the detected AX WI 6.1
l mime
malware-detected/ EX IM l text 6.3
For example:
malware/ CM MW l and so on... 6.4
content (not applicable for release 6.0; same for DM 7.x
"explanation": { IE
"malware-detected": { RC
"malware": { RO
"name": "Trojan.Down
loader.Bredolab"
"content": "mime"
}
}
,
387 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The name attribute indicates the name of NX MC String 6.0

1023 characters
For example:
name releases 6.1 and later) DM 7.x
"explanation": { MO
"malware": { RC
"name": "InfoStealer.Ban RO
ker.Zbot.DNS"
"content": "mime"
}
}
},
© 2017 FireEye 388

JSON Notifications
Event
Type
alerts/ The scan attribute specifies the scan FX MC String 6.0

alert/ iteration ID for detected malware. CM WI 6.1
1023 characters
explanation/ BA 6.2
For example:
malware-detected/ IM 6.3
malware/ (not applicable for release 6.0; same for MW 6.4
scan releases 6.1 and later) DM 7.x
"explanation": { MO
"malware": { RC
"name": RO
"InfoStealer.Banker.Zbot.DNS"
"scan": "54042166"
}
}
},
389 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The sid attribute represents the FireEye NX MC Integer 6.0

alert/ internal alert sID for the detected malware. AX WI 6.1
For example:
sid releases 6.1 and later) DM 7.x
"explanation": { MO
"malware": { RC
"name": RO
"sid": "80440378"
}
}
},
© 2017 FireEye 390

JSON Notifications
Event
Type
alerts/ The type attribute specifies the file type of NX MC Possible values: 6.0
l exe
For example:
malware-detected/ EX IM l pdf 6.3
l ppt
l doc
"explanation": { MO
"malware-detected": { IE l docx
"malware": { RC l and so on...
"name": RO
"type": "exe"
}
}
},
391 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The stype attribute specifies the FireEye- NX MC Possible values: 6.0
alert/ assigned signature for the detected AX WI 6.1
'unknown',
'generated-content',
For example: 'fireeye-content',
malware/ CM MW 6.4
'bot-command',
stype (not applicable for release 6.0; same for DM 7.x
'fqc',
‘known-md5sum',
"explanation": { IE
'duplicate-md5sum',
'av-match',
"malware": { RO
'vm-bot-command',
"name": 'blacklist',
"InfoStealer.Banker.Zbot.DNS" 'yara',
"stype": "blacklist" 'avs',
} 'archive',
} 'encoding',
}, 'timestamp'
© 2017 FireEye 392

JSON Notifications
Event
Type
alerts/ The archives attribute specifies the NX MC Integer 6.0

alert/ archives count. AX WI 6.1
For example:
archives releases 6.1 and later) DM 7.x
"explanation": { MO
"malware": { RC
"name": RO
"archives": "8"
}
}
},
393 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The parent attribute specifies the parent NX MC String 6.0

alert/ malware ID of detected child/nested AX WI 6.1
1023 characters
For example:
malware/ CM MW 6.4
parent (not applicable for release 6.0; same for DM 7.x
"explanation": { IE
"malware": { RO
"name":
"parent": "33459873"
}
}
},
© 2017 FireEye 394

JSON Notifications
Event
Type
alerts/ The origid attribute specifies the original NX MC String 6.0

alert/ malware ID for an infection, indicating AX WI 6.1
1023 characters
explanation/ that the detected malware is a duplicate of FX BA 6.2
malware-detected/ an original malware. EX IM 6.3
malware/ CM MW 6.4
For example:
origid DM 7.x
"explanation": { RC
"malware-detected": { RO
"malware": {
"name":
"origid": "218799"
}
}
},
395 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The malicious attribute specifies whether NX MC Available options: 6.0

alert/ the detected malware is malicious: true or AX WI 6.1
l true
explanation/ false. FX BA 6.2
malware-detected/ EX IM l false 6.3
For example:
malware/ CM MW l unknown 6.4
malicious (not applicable for release 6.0; same for DM 7.x
"explanation": { IE
"malware": { RO
"name":
"malicious": "true"
}
}
},
© 2017 FireEye 396

JSON Notifications
Event
Type
alerts/ The note element allows the system to add NX MC String 6.0
alert/ notes or details to alert notifications about AX WI 6.1
1023 characters
For example:
malware/ CM MW 6.4
note (not applicable for release 6.0; same for DM 7.x
"explanation": { IE
"malware": { RO
"note": "AttackZone3"
"content": "mime"
}
}
},
397 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The url element provides the primary URL NX MC HTTP or HTTPS 6.0
For example:
url releases 6.1 and later) DM 7.x
"explanation": { MO
"malware": { RC
"url": "https://xxx.xxx.xxx.xxx/event_ RO
streamevents_for_bot?ma_
id\=51056&lms_
iden\=00:25:90:54:7E:6Ecs1Label=sname
cs1=Trojan.
Generic"
"malicious": "true"
}
}
},
© 2017 FireEye 398

JSON Notifications
Event
Type
alerts/ The profile element provides details about NX MC String 6.0

alert/ the MVX profile in use during detection of AX WI 6.1
1023 characters
explanation/ the malware. FX BA 6.2
For example:
malware/ CM MW 6.4
profile (not applicable for release 6.0; same for DM 7.x
"explanation": { IE
"malware": { RO
"profile": "winxp-sp2"
}
}
},
alerts/ The md5sum element provides the MD5 NX MC String 6.0

alert/ checksum details for the detected AX WI 6.1
1023 characters
For example:
malware/ CM MW 6.4
md5sum (not applicable for release 6.0; same for DM 7.x
"explanation": IE
"malware-detected": RC
"malware": RO
"md5sum": "4c40057a9b241
2e61472154d66df4c0d"
...
399 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The application element specifies the NX MC String 6.0

alert/ application running at the time of AX WI 6.1
1023 characters
explanation/ malware detection. FX BA 6.2
For example:
malware/ CM MW 6.4
application (not applicable for release 6.0; same for DM 7.x
"explanation": IE
"malware": RO
"application":
"InternetExplorer6.0.2600.0000
.xpclient010817-1148"
...
© 2017 FireEye 400

JSON Notifications
Event
Type
alerts/ The http-header element provides the NX MC String 6.0

alert/ captured header information for the AX WI 6.1
1023 characters
explanation/ detected malware. FX BA 6.2
For example:
malware/ CM MW 6.4
http-header (not applicable for release 6.0; same for DM 7.x
"explanation": IE
"malware": RO
"http-header": "GET /pood
load.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (com
patible; MSIE 6.0; Windows
NT 5.1;SV1)
Host: icqdosug.com
Connection: Keep-Alive..."
...
401 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The domain element names the domain NX MC String 6.0

1023 characters
For example:
domain releases 6.1 and later) DM 7.x
"explanation": MO
"malware-detected": IE
"malware": RC
"domain":"networkAlpha.com" RO
...
alerts/ The user element specifies the user name NX MC String 6.0
alert/ of the appliance user that has submitted AX WI 6.1
1023 characters
explanation/ the malware for analysis. FX BA 6.2
For example:
malware/ CM MW 6.4
user (not applicable for release 6.0; same for DM 7.x
"explanation": IE
"malware": RO
"user":"networkAlpha.com"
...
© 2017 FireEye 402

JSON Notifications
Event
Type
alerts/ The original element specifies the name of NX MC String 6.0

alert/ the original detected malware. AX WI 6.1
1023 characters
For example:
original releases 6.1 and later) DM 7.x
"explanation": MO
"malware": RC
"original":"load.exe" RO
...
alerts/ The downloaded-at element provides date NX MC String 6.0

alert/ and time information about when the AX WI 6.1
1023 characters
explanation/ detected malware was first downloaded. FX BA 6.2
For example:
malware/ CM MW 6.4
downloaded-at (not applicable for release 6.0; same for DM 7.x
"explanation": IE
"malware": RO
"downloaded-at":"2012-10-
10T04:06:35Z"
...
403 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The executed-at element provides details NX MC String 6.0

alert/ about when the detected malware was AX WI 6.1
1023 characters
explanation/ executed in the MVX. FX BA 6.2
For example:
malware/ CM MW 6.4
executed-at (not applicable for release 6.0; same for DM 7.x
"explanation": IE
"malware": RO
"executed-at":"2012-10-
10T05:08:30Z"
...
alerts/ The objurl element provides details about NX MC String 6.0

alert/ detected malware URL. AX WI 6.1
1023 characters
For example:
objurl releases 6.1 and later) DM 7.x
"explanation": MO
"malware": RC
"objurl":"www.networkAlpha RO
.com"
...
© 2017 FireEye 404

JSON Notifications
Event
Type
alerts/ The cnc-services element uses attributes NX MC String 6.0

alert/ and sub-elements that detail command AX WI 6.1
1023 characters
explanation/ and control center information. FX BA 6.2
cnc-services EX IM This element might include at 6.3
For example:
releases 6.1 and later) MO l cnc-service
"explanation": { IE
l port
"protocol": "tcp", RO l protocol
"cnc-services": { l address
"cnc-service": {
l channel
"port": "80",
"protocol": "tcp", l location
"address": "xxx.xxx.xxx.xxx", These attributes and sub-
"channel": "GET /images/ elements are described further in
news.php?p=15353&id=349 other rows of the table.
92661&e=0 HTTP/1.1::~
~User-Agent: szNotify
Ident::~~Host: efrering-
basilea.com::~~::~~",
"location": "FR"
}
},
405 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The cnc-service element uses attributes NX MC cnc-service 6.0

alert/ that detail command and control center AX WI 6.1
l port (integer)
explanation/ port and protocol information. FX BA 6.2
cnc-services/ EX IM l protocol (string: udp or 6.3
For example:
cnc-service CM MW tcp) 6.4
"explanation": { IE
"protocol": "tcp", RO
"cnc-services": {
"cnc-service": {
"port": "80",
"protocol": "tcp",
...
© 2017 FireEye 406

JSON Notifications
Event
Type
alerts/ The address element specifies the IP NX MC IPv4 or IPv6 IP address 6.0
alert/ address associated with the malware’s AX WI 6.1
explanation/ command and control center. FX BA 6.2
For example:
address CM MW 6.4
"explanation": { IE
"cnc-services": { RC
"cnc-service": { RO
"port": "80",
"protocol": "tcp",
...
407 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The channel element specifies the GET NX MC String 6.x

alert/ command for the channel associated with AX WI 7.x
1023 characters
explanation/ the detected malware. FX BA
cnc-services/ EX IM
For example:
channel CM MW
"explanation": { IE
"cnc-service": { RO
"port": "80",
"protocol": "tcp",
"channel": "GET /images/
news.php?p=15353&id=349
92661&e=0 HTTP/1.1::~
~User-Agent: szNotify
Ident::~~Host: efrering-
basilea.com::~~::~~",
"location": "FR"
}
},
© 2017 FireEye 408

JSON Notifications
Event
Type
alerts/ The location element specifies the NX MC String 6.0

alert/ geolocation(s) from which the detected AX WI 6.1
Location. For example:
explanation/ malware originated. FX BA 6.2
cnc-services/ EX IM l US 6.3
For example:
location CM MW l US/OH/Columbus 6.4
"explanation": { IE
"cnc-service": { RO
"port": "80",
"protocol": "tcp",
"location": "FR"
}
},
409 © 2017 FireEye

JSON Notifications
Event
Type
alerts/ The os-changes element uses attributes NX MC This element might include at 6.0
alert/ that detail MVX operating system AX WI least one of the following 6.1
explanation/ information at the time of infection. FX BA attributes in the notification: 6.2
os-changes EX IM 6.3
For example: os-changes
CM MW 6.4
(not applicable for release 6.0; same for DM l osinfo 7.x
releases 6.1 and later) MO l id
"explanation": { IE
l version
"os-changes": { RC
"“osinfo": “WindowsXP Pro RO
fessional 5.1”
"id": "34872232",
"version": "6.2.0.75853",
...
alerts/ The static-analysis element uses attributes NX MC This element might include at 6.0
alert/ that detail information about the static AX WI least one of the following 6.1
explanation/ analysis tool(s) used during malware FX BA attributes in the notification: 6.2
static-analysis analysis. EX IM 6.3
static-analysis
CM MW 6.4
For example:
DM l tool 7.x
(not applicable for release 6.0; same for MO l version
"explanation": { RC
"static-analysis": { RO
"“osinfo": “Sophos”
""version": "5.1",
...
© 2017 FireEye 410

JSON Notifications
Event
Type
javacall The javacall element is reported when the NX MC This element might include at 7.x
Java method of interest is called. AX WI least one of the following items
FX BA in the notification:
EX IM
l context
CM MW
Always set to "not-signed-
DM
applet".
MO
IE l timestamp
RC A relative VM time.
RO l repeat
Optional. Avoids
reporting too many events.
XML nodes marked with
(*) are not present if the
repeat attribute is present.
l pid
Java VM process ID.
l imagepath
Process path.
l class
Java class name (method
of interest).
411 © 2017 FireEye

JSON Notifications
Event
Type
l method
Java method name
(method of interest). Two
special cases <clinit> and
<init> are reported as
"CLASS-CONSTRUCTOR"
and "CONSTRUCTOR",
respectively.
l parentClass/parentMethod
The class and method that
made a call to the method
of interest.
l this
Address of this class
instance.
l static
The method is static.
l params/param
A list of parameters and
their values.
© 2017 FireEye 412

JSON Notifications
Event
Type
javaevent The javaevent attribute is reported when NX MC This element might include at 7.x
an action is taken to modify the current AX WI least one of the following in the
Java SecurityManager state. FX BA notification:
EX IM
l context
CM MW
Always set to "not-signed-
DM
applet".
MO
IE l timestamp
RC A relative VM time.
RO l sm-reset-init
Reported when the Java
initialized. This value is
nonmalicious.
l sm-reset-null
Reported when a non-null
pointer to the Java
reset to null. This value is
highly malicious.
413 © 2017 FireEye

JSON Notifications
Event
Type
l sm-reset-value
Reported with a non-null
pointer to the Java
SecurityManager is set to
another non-null instance
of the Java Security
Manager. This value is
inconclusive.
dialog-dismissed The dialog-dismissed element is reported NX MC This element might include at 7.x
when a dialog box is recognized and AX WI least one of the following items
about to be dismissed. FX BA in the notification:
EX IM
CM MW
"dialog-dismissed": { A relative VM time.
DM
"note": "Dismissed with a click on the first MO l pid
button", IE The process ID that owns
"timestamp": "30630", RC the dialog box to be
"pid": "3168", RO dismissed.
"sequenceNumber": "22",
l dlg-id
"dlg-id": "General_purpose_
A unique dialog box
Adobe_8_and_better_MB"
identifier.
},
l note
A user friendly string
describing the dismissal
method.
© 2017 FireEye 414

JSON Notifications
Event
Type
popup-dialog The popup-dialog element is reported NX MC This element might include at 7.x
when a recognized dialog box is shown AX WI least one of the following items
from a browser process. FX BA in the notification:
EX IM
CM MW
"popup-dialog": { A relative VM time.
DM
"timestamp": "131480", MO l title
"processinfo": { IE The dialog box title.
"tid": "2624", RC l pid
"imagepath": "c:\\program files RO The process ID that owns
\\internet explorer
the dialog box to be
\\iexplore.exe",
dismissed.
"pid": "3048"
}, l tid
"title": "File Download - Security Warning" The thread ID that created
}, this dialog box.
l imagepath
The process path.
415 © 2017 FireEye

JSON Notifications
Event
Type
api_patch This an internal detection-only feature. NX MC Not applicable 7.x

AX WI
FX BA
EX IM
CM MW
DM
MO
IE
RC
RO
© 2017 FireEye 416

JSON Notifications
Event
Type
thread The thread element is reported for various NX MC This element might include at 7.x
operation on a thread (such as suspended, AX WI least one of the following items
terminated, or hide), for threads created FX BA in the notification:
with NtQueueApcThread EX IM
l source
[Ex]/QueueUserAPC, and for opened CM MW
Specifies the actor (source-
threads (opened or duplicate_opened). DM
process) performing the
MO
action.
IE
RC l target
RO Specifies the target (target-
process) for the action.
l duplicate_source
which the thread handle
is duplicated from. It only
applies to duplicate_
opened.
l duplicate_target
which the tread handle is
copied to. It only applies
to duplicate_opened.
l desiredaccess
An ACCESS request for
open or duplicate_open.
417 © 2017 FireEye

JSON Notifications
Event
Type
l ntstatus
The system-call result. The
result is
0x00000000/STATUS_
SUCCESS for successful
operations. For some
operations, both success
and failure are reported.
BootSectorModified The BootSectorModified element is NX MC Not applicable 7.x

reported when a specimen overwrites the AX WI
master boot record (MBR) of the system FX BA
volume. EX IM
CM MW
DM
MO
IE
RC
RO
© 2017 FireEye 418

JSON Notifications
Event
Type
StackPivot The StackPivot element refers to the stack NX MC This element might include at 7.x
pointer going out of the range maintained AX WI least one of the following items
in the thread execution block (TEB). This FX BA in the notification:
an industry-known indicator of EX IM
l processinfo
exploit/ROP attempts. CM MW
DM
For example: process where the stack
MO
"stackpivot": [ pivot is observed.
IE
{ RC l apiname
"StackBottom": RO The API where the stack
"0x0000000000126000", pivot was discovered.
"processinfo": {
l StackAddress
"imagepath": "C:\\Program Files
The value of the stack
\\Adobe\\Reader 8.0
pointer.
\\Reader\\AcroRd32.exe",
"pid": "860", l StackBottom, StackTop
"md5sum": "1a5b4b58dbb62677 The allowed range for the
6920260704fd0116" stack pointer.
},
"SuppressMode": "None",
"timestamp": "16329",
"CallerAddress":
"0x000000004a802f70",
"StackAddress":
"0x000000000f602038",
"apiname": "MapViewOfFile",
"StackTop":
419 © 2017 FireEye

JSON Notifications
Event
Type
"0x0000000000130000",
"params": {
"param": [
{
"id": "1",
"param": "0x238"
},
{
"id": "2",
"param": "38"
},
{
"id": "3",
"param": "0"
},
{
"id": "4",
"param": "0"
},
{
"id": "5",
"param": "0"
}
]
},
"suppressed": "false",
"CallerModule": "C:\\Program Files
\\Adobe\\Reader 8.0
© 2017 FireEye 420

JSON Notifications
Event
Type
\\Reader\\icucnv34.dll"
},
421 © 2017 FireEye

JSON Notifications
Event
Type
ROP Return-oriented programming (ROP) is an NX MC This element might include at 7.x

exploit technique that leverages executable AX WI least one of the following items
code from loaded system modules. Also a FX BA in the notification:
well-known technique in the security EX IM
l processinfo
space. CM MW
DM
For example: process where ROP is
MO
"ROP": [ observed.
IE
{ RC l mode
"PreviousBytes": "75 08 e8 b1 ff ff ff 59 59 RO The shellcode provides
50 ff 15 1c 0d d1 01", details of the ROP attempt.
"ModuleName": "NULL",
l stack
"processinfo": {
Provides details of stack
"imagepath": "C:\\Program Files
pointer position with
\\Internet Explorer\\iexplore.exe",
respect to the stack limits
"pid": "2768",
(similar to stackpivot.
"md5sum": "b60dddd2d63ce
41cb8c487fcfbb6419e" l shellcode
}, Provides the actual details
"CallerOffset": for the ROP attempt.
"0x0000000000000000", l apiname
"timestamp": "8357", The API where ROP was
"mode": "CallerCheck", discovered.
"apiname": "LoadLibraryA",
l address
"ForwardBytes": "8b d8 33 ff 3b df 74 34 66
The location from where
39 7d 10 76 2e 8b 4d",
the call to the specified
"ModuleBase":
API (apiname) was made.
"0x0000000000000000"
},
© 2017 FireEye 422

JSON Notifications
Event
Type
l gadgets
Encoded using base64.
Crafted disassembly
pieces that perform ROP.
queue-id Postfix queue ID. EX MC String 7.6 and

CM WI later
BA
IM
MW
DM
MO
IE
RC
RO
sname The name of the network anomaly. NX MC String 7.9 and

CM WI later
For example:
BA
"cnc-services": { IM
"cnc-service": { MW
"sname": "InfoStealer.Banker.Zbot.DNS", DM
"sid": "80441019", IE
"port": "53"
}
},
423 © 2017 FireEye

JSON Notifications
Event
Type
type The type of network anomaly. NX MC String 7.9 and

CM WI later
For example:
BA
"cnc-services": { IM
"cnc-service": { MW
"sname": "InfoStealer.Banker.Zbot.DNS", DM
"sid": "80441019", IE
"port": "53"
}
},
© 2017 FireEye 424

JSON Notifications
JSON Definitions for HX Series

The following table describes the JSON fields and values used for HX Series appliances.
Field Description Event Type Release
msg Only the normal format is supported. indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
product Product name indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
_id Identifier indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
hostname Hostname of the infected machine indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
ip IP address of the infected machine indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
425 © 2017 FireEye

JSON Notifications
containment_state Whether the infected machine has been indicator-presence 3.5

contained indicator-executed
exploit-blocked
exploit-detected
os Name of the target OS indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
agent_id Agent identifier indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
agent_version Agent version indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
resolution Valid values are active_threat indicator-presence 3.5

(resolution=alert and resolution=partial_ indicator-executed
block), alert, block, and partial_block. exploit-blocked
exploit-detected
event_id Event identifier indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
© 2017 FireEye 426

JSON Notifications
enabled True for active; false for false-positive indicator-presence 3.5

indicator-executed
operator A mapping between a field and a value indicator-presence 3.5

indicator-executed
token Name of test indicator-presence 3.5

indicator-executed
type Data type indicator-presence 3.5

indicator-executed
value Data value indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
negate The negate operation that negates the indicator-presence 3.5

condition.
event_at Time an event occurred indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
matched_at Match detection time indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
427 © 2017 FireEye

JSON Notifications
reported_at Match reported time indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
source Source of alert. Valid values are "IOC" indicator-presence 3.5

(indicator of compromise), "EXD" (exploit indicator-executed
detection), and "MAL" (malware alert). exploit-blocked
exploit-detected
matched_source_alerts Number of source alerts found indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
event_type Primary event type for this condition (based indicator-presence 3.5
on the first test) indicator-executed
exploit-blocked
exploit-detected
fileWriteEvent/timestamp Time when a file write event occurred indicator-presence 3.5
fileWriteEvent/drive The drive where a file write event occurred indicator-presence 3.5
fileWriteEvent/id File write event identifier indicator-presence 3.5
fileWriteEvent/closed Time when the file was closed indicator-presence 3.5
fileWriteEvent/pid Process identifier indicator-presence 3.5
fileWriteEvent/filePath Path of file that was written to indicator-presence 3.5
© 2017 FireEye 428

JSON Notifications
fileWriteEvent/fileName Name of file that was written to indicator-presence 3.5
fileWriteEvent/lowestFileOffsetSeen The beginning position, in bytes, observed indicator-presence 3.5

during the write operation. The raw data is
in decimal. Redline shows the data in
hexadecimal. The lowest offset of a file from
its beginning is 0.
fileWriteEvent/textAtLowestOffset Up to 64 bytes of plaintext observed starting indicator-presence 3.5

at the lowest offset seen during a write
operation.
fileWriteEvent/dataAtLowestOffset Up to 64 bytes of base64-encoded data indicator-presence 3.5

observed starting at the lowest seen during
a write operation.
fileWriteEvent/process Process name of the file write event. indicator-presence 3.5
fileWriteEvent/md5 MD5 hash value of file indicator-presence 3.5
fileWriteEvent/writes Number of times the file was written to indicator-presence 3.5
fileWriteEvent/size Size of the file written to indicator-presence 3.5
fileWriteEvent/fileExtension Extension of file written to indicator-presence 3.5
fileWriteEvent/fullPath Full path of file written to indicator-presence 3.5
fileWriteEvent/numBytesSeenWritten Number of bytes that were written indicator-presence 3.5
429 © 2017 FireEye

JSON Notifications
uuid Unique identifier indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
version Version indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
appliance-id Appliance identifier indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
appliance Appliance name indicator-presence 3.5

indicator-executed
exploit-blocked
exploit-detected
regKeyEvent/path Path of registry key event indicator-executed 3.5
regKeyEvent/value Value of registry key event indicator-executed 3.5
regKeyEvent/hive Hive of the registry event indicator-executed 3.5
regKeyEvent/KeyPath Path of registry key indicator-executed 3.5
regKeyEvent/eventType Event type indicator-executed 3.5
regKeyEvent/timestamp Time stamp of registry key event indicator-executed 3.5
© 2017 FireEye 430

JSON Notifications
regKeyEvent/valueType Type of value indicator-executed 3.5
regKeyEvent/valueName Name of value indicator-executed 3.5
regKeyEvent/id Identifier of the registry key event indicator-executed 3.5
regKeyEvent/text Text of the registry key event indicator-executed 3.5
regKeyEvent/process Process name of the registry key event indicator-executed 3.5
regKeyEvent/pid Process identifier indicator-executed 3.5
condition Condition exploit-blocked 3.5

exploit-detected
event_values Description of event exploit-blocked 3.5
detail_type Type of analysis exploit-blocked 3.5

exploit-detected
rules_version Rules version exploit-blocked 3.5

exploit-detected
engine_version Engine version exploit-blocked 3.5

exploit-detected
whitelist_version Whitelist version exploit-blocked 3.5

exploit-detected
name Operating system name exploit-blocked 3.5

exploit-detected
431 © 2017 FireEye

JSON Notifications
sp Service pack exploit-blocked 3.5

exploit-detected
pid Process identifier exploit-blocked 3.5

exploit-detected
imagepath Location exploit-blocked 3.5

exploit-detected
md5sum MD5 hash value exploit-blocked 3.5

exploit-detected
detail_time Event time exploit-blocked 3.5

exploit-detected
timestamp Event time exploit-blocked 3.5

exploit-detected
MESSAGE Message reported exploit-blocked 3.5

exploit-detected
analysis-id Analysis identifier exploit-blocked 3.5

exploit-detected
result Result of action exploit-blocked 3.5
ppid Parent process identifier exploit-blocked 3.5

exploit-detected
eventid Event identfier exploit-blocked 3.5

exploit-detected
© 2017 FireEye 432

JSON Notifications
parentname Parent process name exploit-blocked 3.5

exploit-detected
cmdline Command line exploit-blocked 3.5

exploit-detected
is_malicious Whether the exploit is malicious exploit-blocked 3.5

exploit-detected
is_blocked Whether the exploit is blocked exploit-blocked 3.5

exploit-detected
earliest_detection_time Earliest detection time of exploit exploit-detected 3.5
process_id Process identifier exploit-detected 3.5
messages Messages displayed exploit-detected 3.5
process_name Name of process exploit-detected 3.5
433 © 2017 FireEye

Release 2017.01
Technical Support
For technical support, contact FireEye in the following ways:
l Visit the FireEye Customer Support Portal (login required):

https://csportal.fireeye.com
l Call us at 1-877-FIREEYE (USA); +44 203 106 4828 (UK); +1 408.321.6300 (Outside
the USA)
l Email us at [email protected]
Documentation
Documentation for all FireEye products is available on the FireEye documentation portal:
https://docs.fireeye.com/
© 2017 FireEye 434

FireEye, Inc. | 1440 McCarthy Blvd. | Milpitas, CA | 1.408.321.6300 | 1.877.FIREEYE
[email protected] | www.fireeye.com
© 2017 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or
service names are or may be trademarks or service marks of their respective owners.

AlertNotifications 2017.01 en

Uploaded by

Copyright:

Available Formats

AlertNotifications 2017.01 en

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AlertNotifications 2017.01 en

Uploaded by

Copyright:

Available Formats

F I R E E Y E T E C H N I C A L D O C U M E N T A T I O N

ALERT NOTIFICATIONS / 2017

Copyright © 2017 FireEye, Inc. All rights reserved.

FireEye Contact Information:

malware-callback (CM Series) 19

XML Notifications 114

JSON Notifications 318

Event: malware-object (NX Series) 323

Technical Support 434

l Common Event Format (CEF)

Malware Callback (Generic)

Malware Callback (DTI.Callback)

Malware Object (with AV-Suite Detection)

Malware Object (with Zero-Day Callback)

l URL (not suspicious)

Web Infection (malware.binary.url)

Concise, Extended, and Normal Format Outputs

Source and Destination Addresses

Abbreviations Used in This Manual

Abbreviation Event Type

Abbreviation Event Type

Email MPS EX Series

File MPS FX Series

Web MPS NX Series

This section covers the following topics:

l Sample CEF Notifications per Event Type on page 18

CEF Field Description

CEF Field Description

Sample CEF Notifications per Event Type

domain-match (CM Series)

domain-match (NX Series)

infection-match (CM Series)

UTC shost=ip-95-223-164-201.hsi16.unitymediagroup.de proto=tcp dst=xxx.xxx.xxx.xxx externalId=11

infection-match (NX Series)

malware-callback (CM Series)

malware-callback (NX Series)

cn2=89052188 cs5Label=cncHost cs5=xxx.xxx.xxx.xxx spt=49397 smac=00:0c:29:77:81:f7 cn1Label=vlan cn1=0

malware-object (CM Series)

malware-object (NX Series)

malware-object (EX Series)

[email protected] cn1Label=vlan cn1=0 externalId=1142 dvc=xxx.xxx.xxx.xxx [email protected]

malware-object (AX Series)

malware-object (FX Series)

web-infection (NX Series)

ips-event (CM Series)

revision cs4=https://center1.eng.fireeye.com/notification_url/ips_events?ev_id\=2 cs4Label=link

ips-event (NX Series)

AT Alert (ETP Cloud)

Every AT alert generates a separate CEF notification.

CEF:0|FireEye|ETP|3.0|etp|malicious email|10|rt=Nov 07 2016 23:27:17 UTC [email protected]

ACE Alert (ETP Cloud)

Every ACE alert generates a separate CEF notification.

CEF:0|FireEye|ETP|3.0|etp|ace alert|10|rt=Nov 07 2016 23:27:17 UTC [email protected] [email protected]

CEF Extension Field Key=Value Pair Definitions

MC (malware-callback), WI (web-infection), IM (infection-match), DM (domain-match), MO (malware-object), and IE (ips-

rt receipt time NX BA Time 6.0

fileHash= fileHash NX BA String 6.0

src= Source Address NX BA IPv4 6.0

request= requestURL NX BA String 6.0