| resource_id |
string |
resourceId$ |
Full resource string identifying the record |
| tenant_id |
string |
tenantId$ |
The ID of the tenant that owns this specific to CTPX ID |
| sensor_type |
string |
sensorType$ |
Ex: redcloak,iSensor |
| sensor_event_id |
string |
sensorEventId$ |
Event ID of original_data assigned by the sensor |
| sensor_tenant |
string |
sensorTenant$ |
Ex: redloak-domain, ctp-client-id |
| sensor_id |
string |
sensorId$ |
Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe |
string |
sensorCpe$ |
CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data |
string |
originalData$ |
Original, unadulterated data prior to any transformation. |
| event_time_usec |
uint64 |
eventTimeUsec$ |
Event time in microseconds (µs) |
| ingest_time_usec |
uint64 |
ingestTimeUsec$ |
Ingest time in microseconds (µs). |
| event_time_fidelity |
TimeFidelity |
eventTimeFidelity$ |
Specifies the original precision of the time used to populate event_time_usec |
| host_id |
string |
hostId$ |
Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| was_modification_allowed |
bool |
wasModificationAllowed$ |
sensor_action |
| process_id |
string |
processId$ |
Identifier provided by the OS for the running process that modified the file |
| process_create_time_usec |
uint64 |
processCreateTimeUsec$ |
Create time of process that modified the file in µs |
| process_correlation_id |
string |
processCorrelationId$ |
Process correlation ID to protect against rolling IDs redcloak -- host_id:id.pid:id.time_window |
| file_name |
string |
fileName$ |
Name of the file modified |
| file_hash |
FileHash |
fileHash$ |
Hash of the file modified |
| action |
string |
action$ |
Action take on the file. Created, deleted, updated, etc |
| commandline |
string |
commandline$ |
Full command line of process that made the file modification |
| parent_commandline |
string |
parentCommandline$ |
Full command line of the parent process of the process that made the file modification |
| parent_path |
string |
parentPath$ |
Path to binary of the parent process of the process that made the file modification |
| parent_process_file_hash |
FileHash |
parentProcessFileHash$ |
File hashes of the binary file of the parent process of the process that made the file modification |
| parent_process_id |
string |
parentProcessId$ |
Process id of the parent process of the process that made the file modification |
| process_username |
string |
processUsername$ |
Username of the user that ran the process that made the file modification |
| process_file_hash |
FileHash |
processFileHash$ |
File hashes of the binary file of the process that made the file modification |
| process_image_path |
string |
processImagePath$ |
process_path from cb filemod should be considered process_image_path |
| sensor_version |
string |
sensorVersion$ |
The agent version as string. |
