
  • rpm_packages

    RPM package info. SCHEMA: arch (string): Architecture(s) supported; name (string): Name of the registry value entry; release (string): Package release; source (string); version (string): Plugin short version ...
  • running_processes_linux_events

    Linux running processes. SCHEMA: cmdline (string): Process command line; egid (long): Effective group ID at process start; euid (long): Effective user ID at process start; gid (long): Group ID (unsigned) of the user running...
  • running_processes_osx_events

    macOS running process info. SCHEMA: cmdline (string): Process command line; egid (long): Effective group ID at process start; euid (long): Effective user ID at process start; gid (long): Group ID (unsigned) of the user running...
  • running_processes_windows_sophos

    Windows process history. SCHEMA: cmdline (string): Process command line; file_size (long): File size now; gid (long): Group ID (unsigned) of the user running the process; global_rep (int): The machine learning global reputation...
  • sophos_ips_windows

    Sophos record of IPS activity on Windows. SCHEMA: destination_ip (string): The destination IP address of the IP event; destination_port (int): The destination port of the IP event; pids (string): List of PIDs; protocol (int)...
  • threat_osx_hidden_users

    Scheduled queries with the Threat prefix identify potential threats that may warrant investigation. This identifies hidden users on OSX. SCHEMA: shell (string): User's configured default shell; uid (long): The local user...
  • threat_pass_the_hash

    Detects potential pass-the-hash threats. SCHEMA: eventid (int): The Windows event ID; key_length (int): The length of NTLM Session Security key; logon_process (string): The name of the trusted logon process that was used for the logon...
  • threat_promisc_interfaces_linux

    Detect promiscuous interfaces on Linux (https://en.wikipedia.org/wiki/Promiscuous_mode). SCHEMA: flags (int): Flags (netdevice) for the device; interface (string): Interface name; loopback (long): Loopback interface; mac (string)...
  • threat_stickykeys_registry_backdoor

    Windows sticky keys have been changed. SCHEMA: data (string): Data content of registry value; key (string): Name of the key; mtime (long): Time of the most recent registry write; name (string): Name of the registry value entry...
  • user_accounts

    List user accounts. SCHEMA: description (string): Plugin description text; directory (string): User's home directory; gid (long): Group ID (unsigned) of the user running the process; shell (string): User's configured default...