API Reference
Class
SuspicionOptions
Options controlling suspicious task heuristics used during enrichment.
Inheritance
- Object
- SuspicionOptions
Usage
This type appears in these public API surfaces even when no hand-authored example is attached directly to the page.
Returned or exposed by
Accepted by parameters
- Method TaskScheduler.Get
- Method TaskScheduler.GetOne
- Method TaskScheduler.GetSuspicion
- Method TaskSchedulerQuery.Get
- Method TaskSchedulerQuery.GetOne
Constructors
public SuspicionOptions()
Inherited Methods
public override Boolean Equals(Object obj)
Inherited from Object
Returns: Boolean
Parameters
- obj Object
Properties
public Boolean CheckOutsideSystemRoots { get; set; }
Enable the check: the command's directory lies outside the Windows / Program Files roots. Default: true.
public Boolean CheckEncodedArguments { get; set; }
Enable the check: the arguments contain -enc / -EncodedCommand (an encoded PowerShell command line). Default: true.
public Boolean CheckLolBins { get; set; }
Enable the check: a LOLBIN executable is launched from a non-system path. Default: false.
public Int32 SystemPrincipalOutsideRootsBonus { get; set; }
Additional score added when a SYSTEM principal runs a command from outside the system roots. Default: 1.
public ISet<String> SafeRoots { get; set; }
Override the safe roots (absolute directories) instead of resolving them per target.
public ISet<String> WhitelistTaskPaths { get; set; }
Whitelist of full task paths that are never flagged.
public ISet<String> WhitelistTaskNames { get; set; }
Whitelist of task names that are never flagged. A task name is unique only within its folder, so a name entry is a broader exemption than a path entry.
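The following is an added example, not code from the library or its documentation. It shows how the options above can drive a per-task suspicion score by reproducing the documented properties and defaults in a stand-alone scorer. Everything else is an assumption made for the illustration: the `TaskInfo` record, the `Score` method and its weights, the LOLBIN list, the default roots used when `SafeRoots` is null, the `IsSystemPrincipal` matching, and the constructed sample tasks. The encoded-argument check deliberately goes beyond the documented -enc / -EncodedCommand pair: powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, ...), so the example matches every prefix.

```csharp
// Added example, not the library's code. SuspicionOptions mirrors the documented
// properties and defaults; TaskInfo, the weights, the LOLBIN list, the default roots
// and the sample tasks are assumptions made for this illustration.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class SuspicionOptions
{
    public bool CheckOutsideSystemRoots { get; set; } = true;
    public bool CheckEncodedArguments { get; set; } = true;
    public bool CheckLolBins { get; set; } = false;
    public int SystemPrincipalOutsideRootsBonus { get; set; } = 1;
    public ISet<string> SafeRoots { get; set; }           // null: resolve per target
    public ISet<string> WhitelistTaskPaths { get; set; }  // full paths, e.g. \Vendor\Agent
    public ISet<string> WhitelistTaskNames { get; set; }  // bare names, matched in any folder
}

// Hypothetical shape of an enumerated task (Exec action: command plus arguments).
public sealed record TaskInfo(string TaskPath, string Principal, string Command, string Arguments)
{
    public string Name => TaskPath.Substring(TaskPath.LastIndexOf('\\') + 1);
}

public static class SuspicionScorer
{
    // Illustrative LOLBIN list and stand-in roots; the library's own are not on the page.
    static readonly HashSet<string> LolBins = new(StringComparer.OrdinalIgnoreCase)
        { "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe" };
    static readonly string[] DefaultSafeRoots = { @"C:\Windows", @"C:\Program Files", @"C:\Program Files (x86)" };

    public static int Score(TaskInfo task, SuspicionOptions opts, out List<string> reasons)
    {
        reasons = new List<string>();
        // Whitelists short-circuit every heuristic. Names are unique only within a folder,
        // so WhitelistTaskNames is a broader exemption than WhitelistTaskPaths.
        if (opts.WhitelistTaskPaths?.Contains(task.TaskPath) == true) return 0;
        if (opts.WhitelistTaskNames?.Contains(task.Name) == true) return 0;

        int score = 0;
        string exe = task.Command.Trim().Trim('"');
        string dir = DirectoryOf(exe);
        IEnumerable<string> roots = opts.SafeRoots ?? (IEnumerable<string>)DefaultSafeRoots;
        // An unqualified command (empty dir) resolves through PATH at run time and is
        // treated as outside the roots, the conservative choice.
        bool outsideRoots = !roots.Any(r => IsUnder(dir, r));

        if (opts.CheckOutsideSystemRoots && outsideRoots)
        {
            score++; reasons.Add($"command directory outside safe roots: '{dir}'");
            if (IsSystemPrincipal(task.Principal))
            { score += opts.SystemPrincipalOutsideRootsBonus; reasons.Add("runs as SYSTEM from outside safe roots"); }
        }
        if (opts.CheckEncodedArguments && HasEncodedCommand(task.Arguments))
        { score++; reasons.Add("encoded PowerShell command line"); }
        if (opts.CheckLolBins && outsideRoots && LolBins.Contains(FileNameOf(exe)))
        { score++; reasons.Add($"LOLBIN launched from a non-system path: {exe}"); }
        return score;
    }

    // The page documents -enc/-EncodedCommand; powershell.exe also accepts any unambiguous
    // prefix (-e, -ec, ...), so this matches every prefix of the switch of length >= 2.
    static bool HasEncodedCommand(string args) =>
        args.Split(new[] { ' ', '\t' }, StringSplitOptions.RemoveEmptyEntries)
            .Where(t => t.StartsWith("-") || t.StartsWith("/"))
            .Select(t => "-" + t.Substring(1).ToLowerInvariant())
            .Any(t => t.Length >= 2 && "-encodedcommand".StartsWith(t, StringComparison.Ordinal));

    static bool IsSystemPrincipal(string p) =>
        p.Equals("SYSTEM", StringComparison.OrdinalIgnoreCase)
        || p.Equals(@"NT AUTHORITY\SYSTEM", StringComparison.OrdinalIgnoreCase) || p == "S-1-5-18";

    static string DirectoryOf(string exe) { int i = exe.LastIndexOf('\\'); return i < 0 ? "" : exe.Substring(0, i); }
    static string FileNameOf(string exe) => exe.Substring(exe.LastIndexOf('\\') + 1);
    static bool IsUnder(string dir, string root) =>
        dir.Equals(root.TrimEnd('\\'), StringComparison.OrdinalIgnoreCase)
        || dir.StartsWith(root.TrimEnd('\\') + "\\", StringComparison.OrdinalIgnoreCase);

    public static void Main()
    {
        // Constructed sample tasks, not real enumeration output.
        var tasks = new[]
        {
            new TaskInfo(@"\Microsoft\Windows\Defrag\ScheduledDefrag", "SYSTEM", @"C:\Windows\System32\defrag.exe", "-c -h -o -$"),
            new TaskInfo(@"\Updater", "SYSTEM", @"C:\Users\Public\updater.exe", ""),
            new TaskInfo(@"\Maintenance\Cleanup", @"CORP\svc_backup", @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "-NoP -W Hidden -enc SQBFAFgAIACQAHgA"),   // UTF-16LE base64 of "IEX $x" (constructed)
            new TaskInfo(@"\Helper", @"DESKTOP\alice", @"C:\Users\alice\AppData\Local\Temp\rundll32.exe", "payload.dll,Run"),
            new TaskInfo(@"\Vendor\Agent", "SYSTEM", @"C:\Vendor\agent.exe", ""),
        };
        // Second profile: turn the LOLBIN check on and exempt one known vendor task by full path.
        var tuned = new SuspicionOptions { CheckLolBins = true,
            WhitelistTaskPaths = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"\Vendor\Agent" } };
        foreach (var (label, opts) in new[] { ("defaults", new SuspicionOptions()), ("tuned", tuned) })
        {
            Console.WriteLine($"== {label} ==");
            foreach (var t in tasks)
            {
                int s = Score(t, opts, out var why);
                Console.WriteLine($"{s}  {t.TaskPath}  [{string.Join("; ", why)}]");
            }
        }
    }
}
```

Running the two profiles side by side makes the effect of each knob visible: with defaults the SYSTEM task in C:\Users\Public scores for being outside the roots plus the SYSTEM bonus, the PowerShell task scores only for its encoded command line, and the rundll32 copy in a user's Temp folder scores once; switching CheckLolBins on adds a point to that rundll32 task, while the path whitelist drops the vendor task to zero regardless of where it runs from. Paths are compared ordinally and case-insensitively with a trailing-backslash guard so that `C:\Program Files (x86)` is not mistaken for a child of `C:\Program Files`.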