| Field | Type | JSON name / label | Description |
|---|---|---|---|
| `resource_id` | string | `resoureId` | Full resource string identifying the record |
| `tenant_id` | string | `tenantId` | The ID of the tenant that owns this record (specific to the CTPX ID) |
| `sensor_type` | string | `sensorType` | Type of device that generated this event. Ex: redcloak, iSensor |
| `sensor_event_id` | string | `sensorEventId` | Event ID of `original_data`, assigned by the sensor |
| `sensor_tenant` | string | `sensorTenant` | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| `sensor_id` | string | `sensorId` | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor device IP |
| `sensor_cpe` | string | `sensorCpe` | CPE of the platform producing the alert. Ex: `cpe:2.3:a:secureworks:redcloak::::::::` |
| `original_data` | string | `originalData` | Original, unadulterated data prior to any transformation |
| `event_time_usec` | uint64 | `eventTimeUsec` | Event time in microseconds (µs) |
| `ingest_time_usec` | uint64 | `ingestTimeUsec` | Ingest time in microseconds (µs) |
| `event_time_fidelity` | TimeFidelity | `eventTimeFidelity` | Specifies the original precision of the time used to populate `event_time_usec` |
| `host_id` | string | `hostId` | Host ID; uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| `process_id` | string | `processId` | Identifier provided by the OS for the running process |
| `process_create_time_usec` | uint64 | `processCreateTimeUsec` | Create time of the process requesting authorization |
| `process_correlation_id` | string | `processCorrelationId` | Process correlation ID to protect against rolling IDs. redcloak: `host_id:id.pid:id.time_window` |
| `process_filename` | string | `processFilename` | File name of the process that requested authorization |
| `process_file_hash` | FileHash | `fileHash` | Hash of the file of the process that requested authorization |
| `commandline` | string | `commandline` | Full command line of the process that made the authorization request |
| `sensor_version` | string | `sensorVersion` | The agent version as a string |
| `action` | Auth.Action | `action` | The type of authentication event (ex. LOGON, LOGOFF) |
| `auth_system` | string | `authSystem` | The system identifying the event (ex. Windows, PAM, SSHD, sudo) |
| `target_user_name` | string | `targetUserName` | Account that the user is logging in to |
| `target_domain_name` | string | `targetDomainName` | Domain that the user is logging in to |
| `target_address` | string | `targetAddress` | IP address that the user is logging in to. `@inject_tag: validate:"ip"` |
| `target_port` | string | `targetPort` | Port that the user is logging in to. `@inject_tag: validate:"lt=65536"` |
| `target_port_number` | uint32 | `targetPortNumber` | Port that the user is logging in to |
| `target_host_name` | string | `targetHostName` | Hostname of the target. Ex: Windows workstation name |
| `source_user_name` | string | `sourceUserName` | Account that the user is logging in from |
| `source_domain_name` | string | `sourceDomainName` | Domain that the user is logging in from |
| `source_address` | string | `sourceAddress` | IP address that the user is logging in from. `@inject_tag: validate:"ip"` |
| `source_port` | string | `sourcePort` | Port that the user is logging in from |
| `source_port_number` | uint32 | `sourcePortNumber` | Port that the user is logging in from |
| `os` | OperatingSystem | `os` | Operating system and architecture of the user's machine |
| `logon_application_family` | string | `logonApplicationFamily` | The application used by the user to log on, devoid of version information (ex. chrome, firefox) |
| `user_agent` | string | `userAgent` | The user-agent string used in the request |
| `user_display_name` | string | `userDisplayName` | User account's display name |
| `member_name` | string | `memberName` | Distinguished name of the account that was added to or removed from a security-enabled local group |
| `session_id` | string | `sessionId` | Identifier of the session, used to match logon and logoff events |
| `logon_type` | Auth.LogonType | `logonType` | Value of the logon type (ex. '...Logon Type: 3...') |
| `mfa_used` | bool | `mfaUsed` | Whether MFA was used when the user was authenticated |
| `encryption_type` | Auth.EncryptionType | `encryptionType` | Ticket encryption type, e.g. 0x12 or 0x17 |
| `win_event_level` | string | `winEventLevel` | The urgency level the event was assigned by Windows |
| `win_summary` | string | `winSummary` | The event summary as provided by Windows |
| `win_keywords` | string | `winKeywords` | Keywords Windows applies to the event |
| `win_task_category` | string | `winTaskCategory` | The category in which Windows has classified the event |
| `win_event_id` | string | `winEventId` | Identifier of the event generated by the Windows log |
| `device_trust_type` | string | `deviceTrustType` | Taken from the trustType field in deviceDetails of Microsoft Graph sign-in events (https://docs.microsoft.com/en-us/graph/api/resources/devicedetail?view=graph-rest-1.0); can be used as an indicator of trustworthiness for the sign-in device |
| `src_ipblacklist_hits` | string | repeated | Provides the names of blacklists matched by the source |
| `dest_ipblacklist_hits` | string | repeated | Provides the names of blacklists matched by the destination |
| `src_ipgeo_summary` | GeoSummary | | The geographic location of the source IP |
| `dest_ipgeo_summary` | GeoSummary | | The geographic location of the destination IP |
| `status` | string | `status` | |
| `sub_status` | string | `subStatus` | |
| `extra_authenticationpackagename` | string | `extraAuthenticationpackagename` | The system performing authentication. Ex: NTLM, Kerberos |
| `extra_elevatedtoken` | string | `extraElevatedtoken` | Indicates whether the session represented by this event has administrative privileges |
| `extra_failurereason` | string | `extraFailurereason` | The reason for a failed login, resource access, et al. |
| `extra_homedirectory` | string | `extraHomedirector` | The home directory of the user process associated with the log event |
| `extra_impersonationlevel` | string | `extraImpersonationlevel` | MS WMI impersonation level |
| `extra_keylength` | int32 | `extraKeylength` | Length of the key protecting the "secure channel" |
| `extra_lmpackagename` | string | `extraLmpackagename` | If this logon was authenticated via the NTLM protocol (instead of Kerberos, for instance), this field tells you which version of NTLM was used |
| `extra_logonprocessname` | string | `extraLogonprocessname` | The name of the MS trusted logon process. Ex: Winlogon, IKE, et al. |
| `extra_restrictedadminmode` | string | `extraRestrictedadminmode` | "Yes" for incoming Remote Desktop connections where the client specified /restrictedAdmin on the command line |
| `extra_samaccountname` | string | `extraSamaccountname` | User logon name used to support clients and servers from a previous version of Windows (pre-Windows 2000) |
| `extra_targetoutbounddomainname` | string | `extraTargetoutbounddomainname` | MS domain name of the target logon |
| `extra_targetoutboundusername` | string | `extraTargetoutboundusername` | MS user name of the target logon |
| `extra_targetservername` | string | `extraTargetservername` | Hostname of the target logon |
| `extra_userprincipalname` | string | `extraUserpricipalname` | Internet-style login name for the user, based on the Internet standard RFC 822 |
| `extra_virtualaccount` | string | `extraVirtualAccount` | Indicates MS services are configured to log on with a "Virtual Account" |
| `extra_workstationname` | string | `extraWorkstationname` | The computer name where the user is physically present in most cases, unless this logon was initiated by a server application acting on behalf of the user |
| `extra_subject_domain_user_id` | string | `extraSubjectDomainUserId` | Identifies the account that requested the logon, NOT the user being logged on |
| `extra_target_domain_user_id` | string | `extraTargetDomainUserId` | Identifies the account being logged on |
| `application_name` | string | `applicationName` | Identifies the application being logged into; notably for cloud integrations |
| `service_name` | string | `serviceName` | The name of the service where the user is trying to log in |
| `service_sid` | string | `serviceSid` | Identifies the service where the user is trying to log in |
| `ticket_options` | string | `ticketOptions` | The logon ticket options |
| `event_metadata` | KeyValuePairsIndexed | | `event_metadata` can be provided by the appliance to add context |