Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

CloudAudit Schema

Normalized Field Type Parser Field Description
resource_id string resourceId$ Full resource string identifying the record.
tenant_id string tenantId$ The ID of the tenant that owns this specific to CTPX ID
sensor_type string sensorType$ Type of device that generated this event. Ex: redcloak, iSensor
sensor_event_id string sensorEventId$ Event ID of original_data assigned by the sensor
sensor_tenant string sensorTenant$ A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id
sensor_id string sensorId$ An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP
sensor_cpe string sensorCpe$ CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak::::::::
original_data string originalData$ Original, unadulterated data prior to any transformation.
event_time_usec uint64 eventTimeUsec$ Event time in microseconds (µs)
ingest_time_usec uint64 IngestTimeUsec$ Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity eventTimeFidelity$ Specifies the original precision of the time used to populate event_time_usec
host_id string hostId$ Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
sensor_version string sensorVersion$ The agent version as string.
user_name string userName$ Name of the Cloud user who conducted the audited activity
user_type string userType$ Type of the audited user, categoried by Cloud Providers
access_key string accessKey$ Access key used by the user during the audited activity
mfa_used bool mfaUsed$ Was MFA used when user was authenticated
user_id string userId$ Unique ID for the user
event_type string eventType$ Audit event type assigned by Cloud Provider, e.g. 'AwsApiCall'
event_name string eventName$ Audit event name assigned by Cloud Provider, e.g. 'PutObject'
event_source string eventSource$ Audit event source assigned by Cloud Provider, e.g. 's3.amazonaws.com'
recipient_account_id string recipientAccountId$ Audit event's receipient account_id assigned by Cloud Provider
read_only bool readOnly$ Audit event is read-only
management_event bool managementEvent$ Audit event is management event
bucket_name string bucketName$ Name for the bucket containing the object, e.g. 'us-bucket01'
target_hostname string targetHostname$ The name of the target host, e.g. 'us-bucket01.s3.amazonaws.com'
object_key string objectKey$ The key of the object, e.g. 'sample_image.jpg', 'mydatabase/mytable/data-content.snappy.parquet'
object_prefix string objectPrefix$ The prefix specified for the object
resources CloudAudit.CloudResource repeated Complete list of resources accessed by the audited event. Each resource is decribed by resource_account_id, resource_id, resource_type
source_address string sourceAddress$ The Internet IP address from where the user initiated the request which triggered the audited event
user_agent string userAgent$ User-Agent used in the request
source_ipgeo_summary GeoSummary sourceIpgeoSummary$ The geographic location of the source IP
os OperatingSystem $os.$os Operating system, architecture of the user's machine
logon_application_family string logonApplicationFamily$ The application used by the user to logon, devoid of version information (ex. chrome, firefox)
region string region$ The data center region, e.g. 'sa-east-1'
status string status$ The result status of the audited event
error_code string errorCode$ The result error code if any of the audited event
error_message string errorMessage$ The result error message, if any, of the audited event
request_parameters KeyValuePairsIndexed requestParameters$ List of parameters in the request in key-value pairs
responses KeyValuePairsIndexed responses$ Responses from Cloud services
additional_event_data KeyValuePairsIndexed additionalEventData$ Additional metadata of the audited events in key-value pairs


CloudResource identifies and describes an audited resource in the cloud

Normalized Field Type Parser Field Description
resource_id string resourceId$ A unique identifier for a resource assigned by Cloud Provider
resource_account_id string resourceAccountId$ Account Id to which the resource belongs in the Cloud
resource_type string resourceType$ Resource type assigned by the Cloud Provider


On this page: