CloudAudit Schema
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record. |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak, iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | IngestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| user_name | string | userName$ | Name of the Cloud user who conducted the audited activity |
| user_type | string | userType$ | Type of the audited user, categoried by Cloud Providers |
| access_key | string | accessKey$ | Access key used by the user during the audited activity |
| mfa_used | bool | mfaUsed$ | Was MFA used when user was authenticated |
| user_id | string | userId$ | Unique ID for the user |
| event_type | string | eventType$ | Audit event type assigned by Cloud Provider, e.g. 'AwsApiCall' |
| event_name | string | eventName$ | Audit event name assigned by Cloud Provider, e.g. 'PutObject' |
| event_source | string | eventSource$ | Audit event source assigned by Cloud Provider, e.g. 's3.amazonaws.com' |
| recipient_account_id | string | recipientAccountId$ | Audit event's receipient account_id assigned by Cloud Provider |
| read_only | bool | readOnly$ | Audit event is read-only |
| management_event | bool | managementEvent$ | Audit event is management event |
| bucket_name | string | bucketName$ | Name for the bucket containing the object, e.g. 'us-bucket01' |
| target_hostname | string | targetHostname$ | The name of the target host, e.g. 'us-bucket01.s3.amazonaws.com' |
| object_key | string | objectKey$ | The key of the object, e.g. 'sample_image.jpg', 'mydatabase/mytable/data-content.snappy.parquet' |
| object_prefix | string | objectPrefix$ | The prefix specified for the object |
| resources | CloudAudit.CloudResource | repeated | Complete list of resources accessed by the audited event. Each resource is decribed by resource_account_id, resource_id, resource_type |
| source_address | string | sourceAddress$ | The Internet IP address from where the user initiated the request which triggered the audited event |
| user_agent | string | userAgent$ | User-Agent used in the request |
| source_ipgeo_summary | GeoSummary | sourceIpgeoSummary$ | The geographic location of the source IP |
| os | OperatingSystem | $os.$os | Operating system, architecture of the user's machine |
| logon_application_family | string | logonApplicationFamily$ | The application used by the user to logon, devoid of version information (ex. chrome, firefox) |
| region | string | region$ | The data center region, e.g. 'sa-east-1' |
| status | string | status$ | The result status of the audited event |
| error_code | string | errorCode$ | The result error code if any of the audited event |
| error_message | string | errorMessage$ | The result error message, if any, of the audited event |
| request_parameters | KeyValuePairsIndexed | requestParameters$ | List of parameters in the request in key-value pairs |
| responses | KeyValuePairsIndexed | responses$ | Responses from Cloud services |
| additional_event_data | KeyValuePairsIndexed | additionalEventData$ | Additional metadata of the audited events in key-value pairs |
CloudAudit.CloudResource ⫘
CloudResource identifies and describes an audited resource in the cloud
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | A unique identifier for a resource assigned by Cloud Provider |
| resource_account_id | string | resourceAccountId$ | Account Id to which the resource belongs in the Cloud |
| resource_type | string | resourceType$ | Resource type assigned by the Cloud Provider |