Plugin Reference

• account_policy
• acquire_handles
• acquire_hashes
• activitiescache
• activity
• adpolicy
• alternateshell
• amcache
• amcache.applaunches
• amcache.application_files
• amcache.applications
• amcache.device_containers
• amcache.drivers
• amcache.files
• amcache.programs
• amcache.shortcuts
• amcache_install
• anydesk
• anydesk.logs
• apache
• apache.access
• apache.error
• apache.logs
• appinit
• appxdebugkeys
• apt
• apt.logs
• atop
• audit
• auditpol
• authlog
• bam
• bashhistory
• bootshell
• brave
• brave.cookies
• brave.downloads
• brave.extensions
• brave.history
• browser
• browser.cookies
• browser.downloads
• browser.extensions
• browser.history
• btmp
• caddy
• caddy.access
• caddy.logs
• capability_binaries
• chrome
• chrome.cookies
• chrome.downloads
• chrome.extensions
• chrome.history
• chromium
• chromium.cookies
• chromium.downloads
• chromium.extensions
• chromium.history
• cim
• cim.consumerbindings
• cit
• cit.cit
• cit.dp
• cit.modules
• cit.puu
• cit.telemetry
• citrix
• citrix.access
• citrix.error
• citrix.logs
• clfs
• clsid
• clsid.machine
• clsid.user
• cmdline
• codepage
• commandhistory
• commandprocautorun
• cpanel
• cpanel.lastlogin
• cronjobs
• datetime
• defender
• defender.evtx
• defender.exclusions
• defender.quarantine
• defender.recover
• docker
• docker.containers
• docker.images
• docker.logs
• domain
• dpkg
• dpkg.log
• dpkg.status
• edge
• edge.cookies
• edge.downloads
• edge.extensions
• edge.history
• environ
• environment_variables
• etc
• etl
• etl.boot
• etl.etl
• etl.shutdown
• evt
• evtx
• exchange
• exchange.transport_agents
• filerenameop
• firefox
• firefox.cookies
• firefox.downloads
• firefox.history
• firewall
• gnulocate
• gnulocate.locate
• icat
• iexplore
• iexplore.downloads
• iexplore.history
• iis
• iis.access
• iis.logs
• install_date
• iptables
• keyboard
• knowndlls
• language
• lastlog
• lnk
• locate
• locate.locate
• lsmod
• mcafee
• mcafee.msc
• messages
• mft
• mft_timeline
• mlocate
• mlocate.locate
• mru
• mru.acmru
• mru.lastvisited
• mru.msoffice
• mru.mstsc
• mru.networkdrive
• mru.opensave
• mru.recentdocs
• mru.run
• muicache
• ndis
• netstat
• network_history
• nginx
• nginx.access
• nginx.logs
• notifications
• notifications.appdb
• notifications.wpndatabase
• ntversion
• nullsessionpipes
• openssh
• openssh.authorized_keys
• openssh.known_hosts
• openssh.private_keys
• openssh.public_keys
• opensshd
• opensshd.config
• openvpn
• openvpn.config
• packagemanager
• packagemanager.logs
• passwords
• path_extensions
• pathenvironment
• pfro
• plocate
• plocate.locate
• powershell_history
• prefetch
• proc
• processes
• recentfilecache
• recyclebin
• regf
• registry
• remoteaccess
• remoteaccess.logs
• runkeys
• schedlgu
• scraped_evt
• scraped_evtx
• securelog
• services
• sessionmanager
• sevenzip
• shellbags
• shimcache
• sockets
• sockets.packet
• sockets.raw
• sockets.tcp
• sockets.udp
• sockets.unix
• sophos
• sophos.hitmanlogs
• sophos.sophoshomelogs
• sru
• sru.application
• sru.application_timeline
• sru.energy_estimator
• sru.energy_usage
• sru.energy_usage_lt
• sru.network_connectivity
• sru.network_data
• sru.push_notification
• sru.sdp_cpu_provider
• sru.sdp_network_provider
• sru.sdp_physical_disk_provider
• sru.sdp_volume_provider
• sru.vfu
• ssh
• ssh.authorized_keys
• ssh.config
• ssh.known_hosts
• ssh.private_keys
• ssh.public_keys
• startupinfo
• suid_binaries
• symantec
• symantec.firewall
• symantec.logs
• syscache
• syslog
• sysmodules
• tasks
• teamviewer
• teamviewer.logs
• thumbcache
• thumbcache.iconcache
• thumbcache.thumbcache
• timezone
• trendmicro
• trendmicro.wffirewall
• trendmicro.wflogs
• trusteddocs
• ual
• ual.client_access
• ual.domains_seen
• ual.role_access
• ual.system_identities
• ual.virtual_machines
• usb
• userassist
• usnjrnl
• walkfs
• webserver
• webserver.access
• webserver.error
• webserver.logs
• wer
• winrar
• winsocknamespaceprovider
• wireguard
• wireguard.config
• wtmp
• yum
• yum.logs
• zypper
• zypper.logs