
Command

The specific command that was executed, as recorded in the log message.

Data Type

String

Aliases

UseAlias

Client Console Full Name

Command

Client Console Short Name

Command

Web Console Tab/Name

Command

Elasticsearch Field Name

command

Rule Builder Column Name

Command

Regex Pattern

<command>

NetMon Name

Not applicable

Field Relationships

  • Result
  • Status
  • Process
  • Action

Common Applications

  • PowerShell
  • Windows Command Shell
  • SSH
  • Telnet
  • Bash

Use Case

  • Cron
  • Sudo
  • Auditing

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Vendor Message ID is a unique event type identifier.
  • Command identifies an executable or script with arguments.
  • May contain an executable, but is distinct from Process.
  • Can describe the execution of a process.
  • A Command may run within a Process.
  • Often specifically called out as CMD or Command.
  • Not Action (for example, Firewall Block/Allow).
  • Not Result (Command can have a Result).
  • Command may describe Action.

Examples

Correct Examples

  • CrowdStrike FalconHost

12 14 2016 18:53:39 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|ScanResults|AV Scan Results In A Detection Summary Event|4| externalID=2222222222222222eee799 cn2Label=ProcessId cn2=148181079514282 shost=WIN-HPBKBMLLSST suser=pete.store fname=GoogleUpdate.exe filePath=\\Device\\HarddiskVolume1\\Users\\pete.store\\AppData\\Local fileHash=e361a8c5da2e3d1a0ed3be85ed906dad cs1Label=CommandLine cs1="C:\\Users\\pete.store\\AppData\\Local\\GoogleUpdate.exe" sntdom=safaware cs2Label=ScanResultEngine cs2=AVware cs3Label=ScanResultName cs3=Trojan-Downloader.Win32.Fraudload cn4Label=ScanResultVersion cs4=1.1.1.1 cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/ec3f4ca727a04f025f2ea97647a61799/222222222 cn3Label=Offset cn3=1066242

Specifically called out as Command Line, even though it is an executable.

  • CrowdStrike FalconHost

12 15 2016 00:19:05 1.1.1.1 <USER:NOTE> CEF:0|CrowdStrike|FalconHost|1.0|ScanResults|AV Scan Results In A Detection Summary Event|3| externalID=022222222222222222ea584f3783f5b1eee9 cn2Label=ProcessId cn2=1482087830222222 shost= USABLDRRECFLOW01suser=Pete.Store fname=upnp.exe filePath=\\Device\\HarddiskVolume1\\Users\\pete.store\\AppData\\Local\\Temp fileHash=13804f8dc4e72ba103d5e34de895c9db cs1Label=CommandLine cs1="C:\\Users\\ALVINF~1\\AppData\\Local\\Temp\\upnp.exe" -a 1.1.1.1 1604 1604 TCP sntdom=safaware cs2Label=ScanResultEngine cs2=TrendMicro cs3Label=ScanResultName cs3=TROJ_GEN.R0FBC0CI116 cn4Label=ScanResultVersion cs4=1.1.1.12 cs6Label=FalconHostLink cs6=https://falcon.crowdstrike.com/activity/detections/detail/02c60e7a579b4fea584f3783f5b1eee9/222222222 cn3Label=Offset cn3=1066392

Executable with arguments.

  • AIX

02 20 2013 09:16:33 1.1.1.1 <SAU1:NOTE> Feb 20 09:16:33 Message forwarded from USABLDRRECFLOW01: sudo:  dt14437 : TTY=pts/0 ; PWD=/dst/home/omg37 ; USER=root ; COMMAND=/usr/bin/crontab -l

Command called out explicitly.

  • Proofpoint Spam Firewall

12 07 2011 14:19:10 1.1.1.1 <USER:NOTE> Dec  7 14:19:10 filter_instance1 rprt s=11huq2222 m=1 x=pB7JJAlE02222 mod=access cmd=run rule=spamsafe duration=0.000

Run is the Command, not the Process.

Incorrect Examples

  • Check Point Firewall

26Feb2013 14:59:21 Product=VPN-1 & FireWall-1 OriginIP=1.1.1.1 Origin= USABLDRRECFLOW01Action=encrypt SIP=1.1.1.1 Source= USABLDRRECFLOW01SPort=0 DIP=1.1.1.1 Destination= USABLDRRECFLOW01DPort=0 Protocol=icmp ICMPType=8 ICMPCode=0 IFName=eth1 IFDirection=inbound Reason=- Rule=32 Info=- XlateSIP=1.1.1.1 XlateSPort=- XlateDIP=- XlateDPort=-

Encrypt is not a command. Encrypt is better parsed into Action.

  • Juniper Firewall

04 22 2012 17:28:13 1.1.1.1 <USER:INFO> 1 2012-04-23T08:27:25.564  RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@21.1.1.1.2.41 reason="unset" source-address="1.1.1.1" source-port="138" destination-address="1.1.1.1" destination-port="138" service-name="junos-nbds" nat-source-address="1.1.1.1" nat-source-port="138" nat-destination-address="1.1.1.1" nat-destination-port="138" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="17" policy-name="allowAll" source-zone-name="trust" destination-zone-name="trust" session-id-32="21434" packets-from-client="1" bytes-from-client="229" packets-from-server="0" bytes-from-server="0" elapsed-time="59" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="fe-0/0/7.0"]

RT_FLOW_SESSION_CLOSE is not a command. RT_FLOW_SESSION_CLOSE is the Vendor Message ID (VMID).

  • Palo Alto Firewall

02 24 2015 15:21:01 1.1.1.1 <USER:INFO> Feb 24 15:21:01 1,2015/02/24 15:21:01,0011C100222,TRAFFIC,drop,0,2015/02/24 15:21:01,1.1.1.1,1.1.1.1,1.1.1.1,1.1.1.1,denyall,,,not-applicable,vsys1,dmz,inet,ethernet1/9,,LogRhythm-Receiver,2015/02/24 15:21:00,0,1,64812,443,0,0,0x0,tcp,deny,66,66,0,1,2015/02/24 15:21:02,0,any,0,27629666933,0x0,United States,United States,0,1,0

Drop is not the Command. Drop is the Action. Denyall is not Command either. Denyall is closer to Result (could also be the name of a Policy).
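The usage standards and the correct/incorrect examples above can be turned into a small extraction routine. The following is an added illustration, not LogRhythm's MPE rule logic: it pulls Command only where the source explicitly labels it (CEF CommandLine, sudo COMMAND=, Proofpoint cmd=) and routes firewall verbs such as encrypt to Action instead. The sample messages are constructed and abbreviated from the page's examples.

```python
import re

# Constructed sample messages, abbreviated from the page's examples (not live telemetry).
SAMPLES = {
    "falconhost": ('CEF:0|CrowdStrike|FalconHost|1.0|ScanResults|AV Scan Results|3| '
                   'fname=upnp.exe cs1Label=CommandLine '
                   r'cs1="C:\\Users\\ALVINF~1\\AppData\\Local\\Temp\\upnp.exe" -a 1.1.1.1 1604 1604 TCP '
                   'sntdom=safaware cs2Label=ScanResultEngine cs2=TrendMicro'),
    "aix_sudo": ("sudo:  dt14437 : TTY=pts/0 ; PWD=/dst/home/omg37 ; USER=root ; "
                 "COMMAND=/usr/bin/crontab -l"),
    "proofpoint": ("filter_instance1 rprt s=11huq2222 m=1 x=pB7JJAlE02222 mod=access "
                   "cmd=run rule=spamsafe duration=0.000"),
    "checkpoint": ("Product=VPN-1 & FireWall-1 OriginIP=1.1.1.1 Action=encrypt "
                   "SIP=1.1.1.1 Protocol=icmp Rule=32"),
}

# A CEF extension value runs until the next ' key=' token, so the arguments that
# follow a quoted executable path (cs1="...upnp.exe" -a 1.1.1.1 ...) stay with the command.
CEF_VALUE = r'(.*?)(?=\s+\w+=|$)'


def cef_labelled(msg, label):
    """Return the csN/cnN value whose companion csNLabel/cnNLabel equals `label`."""
    m = re.search(r'\b(c[sn]\d)Label=' + re.escape(label) + r'\b', msg)
    if not m:
        return None
    v = re.search(r'\b' + m.group(1) + '=' + CEF_VALUE, msg)
    return v.group(1).strip() if v else None


def extract(msg):
    """Map one message to Command / Action following the usage standards above."""
    out = {"command": None, "action": None}
    if re.search(r'\bCEF:\d\|', msg):
        # Command is taken only from the field the vendor labels CommandLine.
        out["command"] = cef_labelled(msg, "CommandLine")
    elif (m := re.search(r'\bCOMMAND=(.+)$', msg)):
        out["command"] = m.group(1).strip()          # sudo: COMMAND= called out explicitly
    elif (m := re.search(r'\bcmd=(\S+)', msg)):
        out["command"] = m.group(1)                  # Proofpoint: cmd=run is the Command
    if (m := re.search(r'\bAction=(\w+)', msg)):
        out["action"] = m.group(1)                   # encrypt/drop belong to Action, not Command
    return out
```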
