FileMod Schema
Normalized Field | Type | ParserField | Description |
---|---|---|---|
resource_id | string | resourceId$ | Full resource string identifying the record |
tenant_id | string | tenantId$ | The ID of the tenant that owns this record, specific to the CTPX ID |
sensor_type | string | sensorType$ | Type of sensor that produced the event. Ex: redcloak, iSensor |
sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
sensor_tenant | string | sensorTenant$ | Tenant as identified by the sensor. Ex: redcloak-domain, ctp-client-id |
sensor_id | string | sensorId$ | Identifier of the individual sensor. Ex: redcloak-agent-id, iSensor device IP |
sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or the device MAC address |
was_modification_allowed | bool | wasModificationAllowed$ | Whether the sensor allowed the file modification to proceed; derived from the sensor action |
process_id | string | processId$ | Identifier provided by the OS for the running process that modified the file |
process_create_time_usec | uint64 | processCreateTimeUsec$ | Create time of process that modified the file in µs |
process_correlation_id | string | processCorrelationId$ | Process correlation ID that stays unique even when the OS reuses (rolls) process IDs. Red Cloak format: host_id:id.pid:id.time_window |
file_name | string | fileName$ | Name of the file modified |
file_hash | FileHash | fileHash$ | Hash of the file modified |
action | string | action$ | Action taken on the file: created, deleted, updated, etc. |
commandline | string | commandline$ | Full command line of process that made the file modification |
parent_commandline | string | parentCommandline$ | Full command line of the parent process of the process that made the file modification |
parent_path | string | parentPath$ | Path to binary of the parent process of the process that made the file modification |
parent_process_file_hash | FileHash | parentProcessFileHash$ | File hashes of the binary file of the parent process of the process that made the file modification |
parent_process_id | string | parentProcessId$ | Process id of the parent process of the process that made the file modification |
process_username | string | processUsername$ | Username of the user that ran the process that made the file modification |
process_file_hash | FileHash | processFileHash$ | File hashes of the binary file of the process that made the file modification |
process_image_path | string | processImagePath$ | Path to the binary image of the process that made the file modification. The process_path field of a cb filemod event maps to this field |
sensor_version | string | sensorVersion$ | The agent (sensor) version, as a string |
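The following is an added example of how a parser might normalize a sensor record into this schema; it is not code from the page or from the Secureworks parsers. It maps the ParserField names (camelCase with a trailing `$`) onto the Normalized Field names, enforces the Type column (string, uint64 with a proper range check, bool), applies the note that a cb filemod `process_path` becomes `process_image_path`, and derives `process_correlation_id` in the `host_id:pid:time_window` shape when the sensor did not supply one. The sample input, the one-hour correlation window, and the dict representation of FileHash and string representation of TimeFidelity are assumptions, since the page does not define them.

```python
import json

# Normalized field -> (ParserField, Python type), taken from the schema table.
# FileHash is assumed to be a dict of algorithm -> hex digest and TimeFidelity
# an enum name as a string; the schema page defines neither representation.
FILEMOD_FIELDS = {
    "resource_id": ("resourceId$", str), "tenant_id": ("tenantId$", str),
    "sensor_type": ("sensorType$", str), "sensor_event_id": ("sensorEventId$", str),
    "sensor_tenant": ("sensorTenant$", str), "sensor_id": ("sensorId$", str),
    "sensor_cpe": ("sensorCpe$", str), "original_data": ("originalData$", str),
    "event_time_usec": ("eventTimeUsec$", int), "ingest_time_usec": ("ingestTimeUsec$", int),
    "event_time_fidelity": ("eventTimeFidelity$", str), "host_id": ("hostId$", str),
    "was_modification_allowed": ("wasModificationAllowed$", bool),
    "process_id": ("processId$", str), "process_create_time_usec": ("processCreateTimeUsec$", int),
    "process_correlation_id": ("processCorrelationId$", str),
    "file_name": ("fileName$", str), "file_hash": ("fileHash$", dict),
    "action": ("action$", str), "commandline": ("commandline$", str),
    "parent_commandline": ("parentCommandline$", str), "parent_path": ("parentPath$", str),
    "parent_process_file_hash": ("parentProcessFileHash$", dict),
    "parent_process_id": ("parentProcessId$", str), "process_username": ("processUsername$", str),
    "process_file_hash": ("processFileHash$", dict),
    "process_image_path": ("processImagePath$", str), "sensor_version": ("sensorVersion$", str),
}
# The table's note: a cb filemod "process_path" is treated as process_image_path.
PARSER_ALIASES = {"process_path": "processImagePath$"}
UINT64_MAX = 2**64 - 1
# Width of the time_window bucket in the correlation ID; one hour is an assumption.
CORRELATION_WINDOW_USEC = 3_600 * 1_000_000

# Constructed sample record using ParserField keys (not real sensor output).
SAMPLE_RAW = {
    "resourceId$": "filemod:example-1", "tenantId$": "tenant-123",
    "sensorType$": "redcloak", "sensorEventId$": "evt-0001",
    "sensorTenant$": "example-domain", "sensorId$": "agent-abc",
    "eventTimeUsec$": 1_700_000_000_000_000, "ingestTimeUsec$": 1_700_000_005_000_000,
    "eventTimeFidelity$": "MICROSECOND", "hostId$": "10.0.0.5",
    "wasModificationAllowed$": True, "processId$": "4242",
    "processCreateTimeUsec$": 1_699_999_000_000_000,
    "fileName$": "C:\\Users\\alice\\AppData\\Roaming\\update.exe",
    "fileHash$": {"sha256": "00" * 32}, "action$": "created",
    "commandline$": "powershell.exe -NoProfile -File update.ps1",
    "parentCommandline$": "explorer.exe", "parentPath$": "C:\\Windows\\explorer.exe",
    "parentProcessId$": "1000", "processUsername$": "alice",
    "processImagePath$": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "sensorVersion$": "1.0.0",
}


def correlation_id(host_id, process_id, process_create_time_usec):
    """host_id:pid:time_window. Bucketing the create time means a PID the OS
    hands out again later on the same host yields a different correlation ID."""
    return f"{host_id}:{process_id}:{process_create_time_usec // CORRELATION_WINDOW_USEC}"


def _check_type(name, value, typ):
    if typ is int:
        # bool is a subclass of int in Python; a uint64 field must reject True/False.
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name}: expected uint64, got {type(value).__name__}")
        if not 0 <= value <= UINT64_MAX:
            raise ValueError(f"{name}: {value} is outside the uint64 range")
    elif not isinstance(value, typ):
        raise ValueError(f"{name}: expected {typ.__name__}, got {type(value).__name__}")


def normalize(raw):
    """Map a parser record (ParserField keys) onto the Normalized Field names."""
    src = {PARSER_ALIASES.get(k, k): v for k, v in raw.items()}
    record = {}
    for field, (parser_field, typ) in FILEMOD_FIELDS.items():
        if parser_field in src:
            _check_type(field, src[parser_field], typ)
            record[field] = src[parser_field]
    # original_data is the untransformed input, so keep the raw record verbatim.
    record.setdefault("original_data", json.dumps(raw, sort_keys=True))
    if "process_correlation_id" not in record:
        record["process_correlation_id"] = correlation_id(
            record["host_id"], record["process_id"], record["process_create_time_usec"])
    return record


def ingest_lag_usec(record):
    """Delay between the sensor observing the event and its ingest, in microseconds."""
    return record["ingest_time_usec"] - record["event_time_usec"]


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_RAW), indent=2))
```

Rejecting `bool` for uint64 fields matters because Python treats `True` as `1`; a parser that only checks `isinstance(v, int)` would silently accept a mis-typed flag as a timestamp.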