
Antivirus Schema

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| threat_type | Antivirus.ThreatType | threatType$ | |
| action_taken | Antivirus.ActionTaken | actionTaken$ | |
| threat_name | string | threatName$ | Threat name as reported by the antivirus product. |
| agent_priority | string | agentPriority$ | Priority assigned to the threat by the agent/vendor. |
| agent_confidence_score | float | agentConfidenceScore$ | Alert confidence score provided by the agent/vendor. Recommended value range is 0-1, which equates to a percentage. |
| threat_category | Antivirus.ThreatCategory | threatCategory$ | |
| policy_name | string | policyName$ | Name of the policy applied on the reporting agent. |
| process_name | string | procesName$ | Information to identify the offending process, file, or network source/destination. Name of a malicious process found running in memory. |
| file_path | string | filePath$ | File name and path of an infected file. |
| file_hash | FileHash | fileHash$ | File hash of an infected file; useful for checking against vendor hashes in case of an out-of-date policy. |
| url_string | string | urlString$ | URL of malicious traffic. |
| user_name | string | userName$ | Username of the running process, logged-in user, or file owner. |
| agent_device_id | string | agentDeviceId$ | Device identifier, e.g. a GUID. This ID is assigned by the agent, not Secureworks. |
| agent_device_score | int32 | agentDeviceScore$ | Device score for AV products that let you add a score to differentiate between mission-critical and low-risk hosts. |
| os | OperatingSystem | os$.os$ | Operating system and architecture on which the process executed. |
| agent_alert_url | string | agentAlertUrl$ | URL for documentation of the threat (not the threat itself). |
| file_create_time_usec | uint64 | fileCreateTimeUsec$ | Time the file containing the virus was created. |
| file_modified_time_usec | uint64 | fileModifiedTimeUsec$ | Time the file containing the virus was modified. |
| vendor_alert_type | string | vendorAlertType$ | Vendor-provided description of the alert type (ex. Abnormal, Suspicious, Communications Alert, etc.). |
| agent_version | string | agentVersion$ | Version of the agent that reported the event. |
| computer_name | string | computerName$ | Hostname of the affected endpoint |
| vendor_signature_id | uint32 | vendorSignatureId$ | The rule ID provided by the vendor that was used to create the event |
| event_metadata | KeyValuePairsIndexed | | event_metadata can be provided by the data source to add context |

Antivirus.ActionTaken

| Name | Number | Description |
|---|---|---|
| UNKNOWN_ACTIONTAKEN | 0 | Unused but required for proto3 |
| QUARANTINED | 1 | File is quarantined. |
| ALERT | 2 | Alert but no other action. |
| DELETED | 3 | File is deleted. |
| BLOCKED | 4 | File or traffic blocked from starting. |
| TERMINATED | 5 | Running process terminated. |
| NONE | 6 | No action taken. |
| RESTORED | 7 | File is restored from quarantine. |

Antivirus.ThreatCategory

| Name | Number | Description |
|---|---|---|
| UNKNOWN_THREATCATEGORY | 0 | Internal: unused but required for proto3 |
| APPLICATION | 1 | Unwanted application |
| TROJAN | 2 | Files with a trojan payload. |
| VIRUS | 3 | Files infected with a virus. |
| MALWARE | 4 | General malware. |
| MINER | 5 | Cryptocurrency miners. |
| TORRENT | 6 | Torrents. |
| RANSOMWARE | 7 | Ransomware. |
| GENERIC | 8 | Generic/undefined. |
| BACKDOOR | 9 | Backdoor |
| AI_DETECTION | 10 | Unspecified classification detected by ML |
| EXPLOIT | 11 | Exploit |

Antivirus.ThreatType

The detection method used to identify the threat.

| Name | Number | Description |
|---|---|---|
| UNKNOWN_THREATTYPE | 0 | Internal: unused but required for proto3 |
| PROCESS | 1 | Threat detected from process execution. |
| FILE | 2 | Threat detected on filesystem. |
| MEMORY | 3 | Threat detected running in memory. |
| SCAN | 4 | Threat detected from scanning. |
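The following is an added example, not Secureworks or Taegis code, showing how a raw vendor antivirus record could be mapped onto the normalized fields and the three enums above, and then checked for detections the product did not contain. The vendor field names, the vocabulary maps and the sample record are assumptions constructed for the example; only the normalized field names and enum numbers come from the schema.

```python
import json
from datetime import datetime, timezone
from enum import IntEnum

class ActionTaken(IntEnum):
    UNKNOWN_ACTIONTAKEN = 0; QUARANTINED = 1; ALERT = 2; DELETED = 3
    BLOCKED = 4; TERMINATED = 5; NONE = 6; RESTORED = 7

class ThreatCategory(IntEnum):
    UNKNOWN_THREATCATEGORY = 0; APPLICATION = 1; TROJAN = 2; VIRUS = 3
    MALWARE = 4; MINER = 5; TORRENT = 6; RANSOMWARE = 7; GENERIC = 8
    BACKDOOR = 9; AI_DETECTION = 10; EXPLOIT = 11

class ThreatType(IntEnum):
    UNKNOWN_THREATTYPE = 0; PROCESS = 1; FILE = 2; MEMORY = 3; SCAN = 4

# Hypothetical vendor vocabularies (assumed); unmapped values keep the proto3 0 value.
ACTION_MAP = {"quarantine": ActionTaken.QUARANTINED, "clean": ActionTaken.DELETED,
              "log": ActionTaken.ALERT, "kill": ActionTaken.TERMINATED}
CATEGORY_MAP = {"ransom": ThreatCategory.RANSOMWARE, "trojan": ThreatCategory.TROJAN,
                "pua": ThreatCategory.APPLICATION, "coinminer": ThreatCategory.MINER}
SOURCE_MAP = {"realtime": ThreatType.PROCESS, "ondemand": ThreatType.SCAN,
              "memory": ThreatType.MEMORY, "filesystem": ThreatType.FILE}

def normalize_av_event(raw_line: str) -> dict:
    """Map one raw JSON record (constructed format) onto the normalized field names."""
    raw = json.loads(raw_line)
    ts = datetime.fromisoformat(raw["detected_at"]).astimezone(timezone.utc)
    return {
        "original_data": raw_line,  # keep the unadulterated record, as the schema asks
        "event_time_usec": int(ts.timestamp()) * 1_000_000 + ts.microsecond,
        "threat_type": SOURCE_MAP.get(raw.get("source"), ThreatType.UNKNOWN_THREATTYPE),
        "action_taken": ACTION_MAP.get(raw.get("action"), ActionTaken.UNKNOWN_ACTIONTAKEN),
        "threat_category": CATEGORY_MAP.get(raw.get("class"), ThreatCategory.UNKNOWN_THREATCATEGORY),
        "threat_name": raw.get("threat"),
        "file_path": raw.get("path"),
        "computer_name": raw.get("host"),
        # vendor reports 0-100; the schema recommends 0-1, so rescale and clamp
        "agent_confidence_score": max(0.0, min(1.0, float(raw.get("confidence", 0)) / 100)),
    }

def needs_followup(event: dict) -> bool:
    """True when the product saw a threat but did not contain it (alert-only, none, unknown)."""
    return event["action_taken"] in (ActionTaken.ALERT, ActionTaken.NONE,
                                     ActionTaken.UNKNOWN_ACTIONTAKEN)

# Constructed sample record, not real telemetry.
SAMPLE = json.dumps({"detected_at": "2024-05-01T12:00:00+00:00", "source": "realtime",
                     "action": "log", "class": "ransom", "threat": "Ransom.Example",
                     "path": "C:\\Users\\x\\bad.exe", "confidence": 92, "host": "WS01"})
```

Run `needs_followup(normalize_av_event(SAMPLE))` on each ingested line to surface alert-only or unmapped actions for triage rather than trusting that the endpoint product remediated.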
