API Reference
Class
SuspicionOptions
Options controlling suspicious task heuristics used during enrichment.
Inheritance
- Object
- SuspicionOptions
Constructors
public SuspicionOptions()
Inherited Methods
public override Boolean Equals(Object obj)
Returns: Boolean
Inherited from Object
Parameters
- obj Object
Properties
public Boolean CheckOutsideSystemRoots { get; set; }
  Enable check: command directory outside the Windows/Program Files roots. Default: true.
public Boolean CheckEncodedArguments { get; set; }
  Enable check: arguments contain -enc/-EncodedCommand. Default: true.
public Boolean CheckLolBins { get; set; }
  Enable check: LOLBIN executables launched from non-system paths. Default: false.
public Int32 SystemPrincipalOutsideRootsBonus { get; set; }
  Additional score to add when a SYSTEM principal runs from outside the system roots. Default: 1.
public ISet<String> SafeRoots { get; set; }
  Override the safe roots (absolute directories) instead of resolving them per target.
public ISet<String> WhitelistTaskPaths { get; set; }
  Whitelist of full task paths that should never be flagged.
public ISet<String> WhitelistTaskNames { get; set; }
  Whitelist of task names that should never be flagged.
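The following is an added example, not code from the library this page documents: a stand-alone scorer that applies the heuristics the properties above describe (outside-roots check with the SYSTEM bonus, encoded-argument check, LOLBIN-from-non-system-path check, and the two whitelists) to constructed task records. SuspicionOptions is re-declared locally as a stand-in with the documented defaults so the example compiles without the library; the TaskRecord type, the fallback root list, the LOLBIN names, and the Score method are assumptions made for the example and are not part of the documented API.

```csharp
// Added example, not the library's own code: scores constructed task records with the
// heuristics described by the SuspicionOptions properties.
using System;
using System.Collections.Generic;
using System.Linq;

// Local stand-in mirroring the documented shape and defaults of SuspicionOptions.
public sealed class SuspicionOptions
{
    public bool CheckOutsideSystemRoots { get; set; } = true;
    public bool CheckEncodedArguments { get; set; } = true;
    public bool CheckLolBins { get; set; } = false;
    public int SystemPrincipalOutsideRootsBonus { get; set; } = 1;
    public ISet<string> SafeRoots { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public ISet<string> WhitelistTaskPaths { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public ISet<string> WhitelistTaskNames { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}

// Hypothetical task record: just the fields the heuristics need, not the library's type.
public sealed record TaskRecord(string TaskPath, string TaskName, string Principal, string Command, string Arguments);

public static class SuspicionScorer
{
    // Assumed fallback roots used when SafeRoots is empty; the library resolves roots per target.
    static readonly string[] FallbackRoots = { @"C:\Windows", @"C:\Program Files", @"C:\Program Files (x86)" };

    // Hypothetical LOLBIN names for the example; the library's own list is not on the reference page.
    static readonly HashSet<string> LolBins = new(StringComparer.OrdinalIgnoreCase) { "rundll32.exe", "regsvr32.exe", "mshta.exe" };

    public static (int Score, IReadOnlyList<string> Reasons) Score(TaskRecord task, SuspicionOptions opt)
    {
        var reasons = new List<string>();
        // Whitelisted tasks are never flagged, regardless of the other checks.
        if (opt.WhitelistTaskPaths.Contains(task.TaskPath) || opt.WhitelistTaskNames.Contains(task.TaskName))
            return (0, reasons);

        IEnumerable<string> roots = opt.SafeRoots.Count > 0 ? opt.SafeRoots : FallbackRoots;
        string dir = ParentDirectory(task.Command);
        bool outsideRoots = !roots.Any(r => IsUnderRoot(dir, r));
        int score = 0;

        if (opt.CheckOutsideSystemRoots && outsideRoots)
        {
            score++;
            reasons.Add($"command directory '{dir}' is outside the safe roots");
            if (IsSystemPrincipal(task.Principal))
            {
                score += opt.SystemPrincipalOutsideRootsBonus;
                reasons.Add("runs as SYSTEM from outside the safe roots");
            }
        }
        if (opt.CheckEncodedArguments && HasEncodedArgument(task.Arguments))
        {
            score++;
            reasons.Add("arguments contain -enc/-EncodedCommand");
        }
        if (opt.CheckLolBins && outsideRoots && LolBins.Contains(FileName(task.Command)))
        {
            score++;
            reasons.Add($"LOLBIN '{FileName(task.Command)}' launched from a non-system path");
        }
        return (score, reasons);
    }

    // Split on both separators so the example behaves the same on Windows and Linux.
    static string ParentDirectory(string path)
    {
        int i = path.LastIndexOfAny(new[] { '\\', '/' });
        return i < 0 ? string.Empty : path.Substring(0, i);
    }

    static string FileName(string path) => path.Substring(ParentDirectory(path).Length).TrimStart('\\', '/');

    // A directory is "under" a root only on a path-component boundary, so C:\WindowsX is not under C:\Windows.
    static bool IsUnderRoot(string dir, string root)
    {
        string r = root.TrimEnd('\\', '/');
        return dir.Equals(r, StringComparison.OrdinalIgnoreCase)
            || dir.StartsWith(r + "\\", StringComparison.OrdinalIgnoreCase)
            || dir.StartsWith(r + "/", StringComparison.OrdinalIgnoreCase);
    }

    static bool IsSystemPrincipal(string principal) =>
        principal.Equals("SYSTEM", StringComparison.OrdinalIgnoreCase)
        || principal.Equals(@"NT AUTHORITY\SYSTEM", StringComparison.OrdinalIgnoreCase)
        || principal.Equals("S-1-5-18", StringComparison.Ordinal);

    // Matches the two switch spellings named on the reference page, with either switch prefix.
    static bool HasEncodedArgument(string args) =>
        args.Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .Select(t => t.TrimStart('-', '/').ToLowerInvariant())
            .Any(t => t == "enc" || t == "encodedcommand");

    public static void Main()
    {
        var opt = new SuspicionOptions { CheckLolBins = true };
        opt.WhitelistTaskNames.Add("Known Vendor Updater");

        // Constructed sample tasks; none are taken from a real system.
        var tasks = new[]
        {
            new TaskRecord(@"\Microsoft\Windows\Example\Benign", "Benign", "SYSTEM", @"C:\Windows\System32\svchost.exe", "-k netsvcs"),
            new TaskRecord(@"\Suspect", "Suspect", "SYSTEM", @"C:\Users\Public\runner.exe", "-NoProfile -EncodedCommand <base64 placeholder>"),
            new TaskRecord(@"\Relocated", "Relocated", @"DOMAIN\user", @"C:\Temp\mshta.exe", @"C:\Temp\page.hta"),
            new TaskRecord(@"\Vendor", "Known Vendor Updater", "SYSTEM", @"C:\ProgramData\Vendor\update.exe", "-enc AAAA"),
        };
        foreach (var t in tasks)
        {
            var (score, reasons) = Score(t, opt);
            Console.WriteLine($"{t.TaskPath}: score={score} {string.Join("; ", reasons)}");
        }
    }
}
```

Run with `dotnet run` in a console project targeting .NET 6 or later. The benign task sits under C:\Windows and scores nothing; the suspect task collects the outside-roots point, the SystemPrincipalOutsideRootsBonus and the encoded-argument point; the relocated LOLBIN collects the outside-roots point plus the LOLBIN point because CheckLolBins was switched on from its default of false; and the vendor task scores zero despite its -enc argument because its name is in WhitelistTaskNames, which is why whitelist entries should be kept narrow and reviewed.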