Normalized Field | Type | Parser Field | Description |
---|---|---|---|
resource_id | string | resourceId$ | Full resource string identifying the record. |
tenant_id | string | tenantId$ | The ID of the tenant that owns this record (CTPX ID) |
sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
ingest_time_usec | uint64 | IngestTimeUsec$ | Ingest time in microseconds (µs). |
event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or the device MAC address |
sensor_version | string | sensorVersion$ | The agent version as string. |
user_name | string | userName$ | Name of the Cloud user who conducted the audited activity |
user_type | string | userType$ | Type of the audited user, as categorized by the cloud provider |
access_key | string | accessKey$ | Access key used by the user during the audited activity |
mfa_used | bool | mfaUsed$ | Whether MFA was used when the user authenticated |
user_id | string | userId$ | Unique ID for the user |
event_type | string | eventType$ | Audit event type assigned by Cloud Provider, e.g. 'AwsApiCall' |
event_name | string | eventName$ | Audit event name assigned by Cloud Provider, e.g. 'PutObject' |
event_source | string | eventSource$ | Audit event source assigned by Cloud Provider, e.g. 's3.amazonaws.com' |
recipient_account_id | string | recipientAccountId$ | Audit event's recipient account_id assigned by Cloud Provider |
read_only | bool | readOnly$ | Audit event is read-only |
management_event | bool | managementEvent$ | Audit event is management event |
bucket_name | string | bucketName$ | Name for the bucket containing the object, e.g. 'us-bucket01' |
target_hostname | string | targetHostname$ | The name of the target host, e.g. 'us-bucket01.s3.amazonaws.com' |
object_key | string | objectKey$ | The key of the object, e.g. 'sample_image.jpg', 'mydatabase/mytable/data-content.snappy.parquet' |
object_prefix | string | objectPrefix$ | The prefix specified for the object |
resources | repeated CloudAudit.CloudResource | | Complete list of resources accessed by the audited event. Each resource is described by resource_account_id, resource_id, resource_type |
source_address | string | sourceAddress$ | The Internet IP address from which the user initiated the request that triggered the audited event |
user_agent | string | userAgent$ | User-Agent used in the request |
source_ipgeo_summary | GeoSummary | sourceIpgeoSummary$ | The geographic location of the source IP |
os | OperatingSystem | $os.$os | Operating system and architecture of the user's machine |
logon_application_family | string | logonApplicationFamily$ | The application used by the user to log on, without version information (e.g. chrome, firefox) |
region | string | region$ | The data center region, e.g. 'sa-east-1' |
status | string | status$ | The result status of the audited event |
error_code | string | errorCode$ | The result error code, if any, of the audited event |
error_message | string | errorMessage$ | The result error message, if any, of the audited event |
request_parameters | KeyValuePairsIndexed | requestParameters$ | List of parameters in the request in key-value pairs |
responses | KeyValuePairsIndexed | responses$ | Responses from Cloud services |
additional_event_data | KeyValuePairsIndexed | additionalEventData$ | Additional metadata of the audited events in key-value pairs |
CloudAudit.CloudResource
CloudResource identifies and describes an audited resource in the cloud
Normalized Field | Type | Parser Field | Description |
---|---|---|---|
resource_id | string | resourceId$ | A unique identifier for a resource assigned by Cloud Provider |
resource_account_id | string | resourceAccountId$ | Account Id to which the resource belongs in the Cloud |
resource_type | string | resourceType$ | Resource type assigned by the Cloud Provider |
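The two tables above define the target shape but not how a provider record gets into it. The following is an added example (not the project's own parser) that normalizes a constructed AWS CloudTrail record into the CloudAudit fields and CloudResource sub-records listed above, including the microsecond time conversion with its fidelity marker, the string-encoded MFA flag, and the flattening of request/response JSON into key-value pairs. The `SAMPLE_RECORD` is constructed test data; the TimeFidelity names `SECONDS`/`MICROSECONDS`, the `status` vocabulary, the `sensor_type` label and the `{"key": ..., "value": ...}` representation of KeyValuePairsIndexed are assumptions, since the page does not define them.

```python
"""Normalize a CloudTrail record into the CloudAudit fields documented above.
Added example; the field-name mapping is mine, not a vendor parser."""
import json
from datetime import datetime, timezone

# Constructed CloudTrail record (placeholder account, key and IP values).
SAMPLE_RECORD = json.dumps({
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAEXAMPLE123456",
        "arn": "arn:aws:iam::111122223333:user/alice",
        "accountId": "111122223333",
        "accessKeyId": "AKIAEXAMPLEKEY000001",
        "userName": "alice",
        "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
    },
    "eventTime": "2024-03-01T12:34:56Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutObject",
    "awsRegion": "sa-east-1",
    "sourceIPAddress": "198.51.100.23",
    "userAgent": "[aws-cli/2.15.0 Python/3.11.6]",
    "requestParameters": {
        "bucketName": "us-bucket01",
        "key": "mydatabase/mytable/data-content.snappy.parquet",
        "Host": "us-bucket01.s3.amazonaws.com",
    },
    "responseElements": None,
    "readOnly": False,
    "managementEvent": False,
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333",
    "resources": [
        {"accountId": "111122223333", "type": "AWS::S3::Object",
         "ARN": "arn:aws:s3:::us-bucket01/mydatabase/mytable/data-content.snappy.parquet"},
        {"accountId": "111122223333", "type": "AWS::S3::Bucket",
         "ARN": "arn:aws:s3:::us-bucket01"},
    ],
})


def to_usec(ts: str) -> tuple[int, str]:
    """ISO-8601 UTC timestamp -> (microseconds since epoch, TimeFidelity).
    CloudTrail emits whole seconds, so the fidelity is usually SECONDS
    (fidelity names are assumed; the page does not list the enum values)."""
    for fmt, fidelity in (("%Y-%m-%dT%H:%M:%S.%fZ", "MICROSECONDS"),
                          ("%Y-%m-%dT%H:%M:%SZ", "SECONDS")):
        try:
            dt = datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return int(dt.timestamp()) * 1_000_000 + dt.microsecond, fidelity
    raise ValueError(f"unrecognised timestamp: {ts!r}")


def flatten(obj, prefix: str = "") -> list[dict]:
    """Flatten nested JSON into KeyValuePairsIndexed-style entries
    (the {"key","value"} representation is an assumption). Nested keys are
    dotted, list items indexed, so nothing in the request is silently dropped."""
    pairs = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            pairs.extend(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            pairs.extend(flatten(v, f"{prefix}[{i}]"))
    elif obj is not None:
        pairs.append({"key": prefix, "value": str(obj)})
    return pairs


def normalize(raw: str) -> dict:
    """Map one raw CloudTrail JSON record onto the CloudAudit fields."""
    r = json.loads(raw)
    ident = r.get("userIdentity", {})
    params = r.get("requestParameters") or {}
    usec, fidelity = to_usec(r["eventTime"])
    # CloudTrail encodes the MFA flag as the string "true"/"false"; when the
    # attribute is absent we keep None (unknown) rather than asserting False.
    mfa = ident.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated")
    return {
        "sensor_type": "cloudtrail",            # assumed label for this source
        "original_data": raw,                   # unadulterated record, as the schema requires
        "event_time_usec": usec,
        "event_time_fidelity": fidelity,
        "user_name": ident.get("userName"),
        "user_type": ident.get("type"),
        "user_id": ident.get("principalId"),
        "access_key": ident.get("accessKeyId"),
        "mfa_used": None if mfa is None else mfa == "true",
        "event_type": r.get("eventType"),
        "event_name": r.get("eventName"),
        "event_source": r.get("eventSource"),
        "recipient_account_id": r.get("recipientAccountId"),
        "read_only": bool(r.get("readOnly", False)),
        "management_event": bool(r.get("managementEvent", False)),
        "bucket_name": params.get("bucketName"),
        "target_hostname": params.get("Host"),
        "object_key": params.get("key"),
        "object_prefix": params.get("prefix"),  # only present on list-style calls
        "resources": [  # CloudAudit.CloudResource sub-records
            {"resource_id": res.get("ARN"),
             "resource_account_id": res.get("accountId"),
             "resource_type": res.get("type")}
            for res in r.get("resources", [])
        ],
        "source_address": r.get("sourceIPAddress"),
        "user_agent": r.get("userAgent"),
        "region": r.get("awsRegion"),
        "status": "failure" if r.get("errorCode") else "success",  # assumed vocabulary
        "error_code": r.get("errorCode"),
        "error_message": r.get("errorMessage"),
        "request_parameters": flatten(params),
        "responses": flatten(r.get("responseElements")),
        "additional_event_data": flatten(r.get("additionalEventData")),
    }


def is_unverified_write(ev: dict) -> bool:
    """Example check over the normalized fields: a successful, non-read-only
    call by an IAM user whose session was not MFA-authenticated."""
    return (ev["user_type"] == "IAMUser" and not ev["read_only"]
            and ev["mfa_used"] is not True and ev["status"] == "success")


if __name__ == "__main__":
    event = normalize(SAMPLE_RECORD)
    print(json.dumps({k: v for k, v in event.items() if k != "original_data"}, indent=2))
    print("unverified write:", is_unverified_write(event))
```

Keeping `mfa_used` tri-state (None when the provider did not say) matters for detections like `is_unverified_write`: a record from a principal type that never carries `sessionContext` should not be reported as "MFA not used" with the same confidence as an explicit `"false"`. Coerce to a plain bool only at the point where the schema's `bool` type is enforced, and keep `original_data` so the raw flag can be re-examined.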