ManagementEvent Schema
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| sensor_type | string | sensorType$ | Ex: redcloak,iSensor |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | Ex: redcloak-agent-id, iSensor Dev IP |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds ( µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds ( µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated; e.g., IPv(4/6) address; Device Mac Address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| type | ManagementEvent.ManagementInterface | type$ | Defines the source the type of management system that produced this event. |
| remote_operation | bool | remoteOperation$ | Indicates if this management event was triggered by a remote host. |
| operation_id | uint64 | operationId$ | Provides an ID to identify the specific type of operation being performed. This ID is not unique to specific events within a provider but is unique. |
| operation_group_id | uint64 | operationGroupId$ | Used to group and connect multiple events together. |
| operation_name | string | operationName$ | A name identifying the operation being performed. |
| operation | string | operation$ | The operation being performed. This may be a summary or other human readable information that should provide more insights beyond what operation_name or operation_id may contain. |
| query | string | query$ | The query run by the management event. |
| query_language | string | queryLanguage$ | The language in which the query is being run. |
| command | string | command$ | The command being run as part of the operation. |
| result | string | result$ | The code or message that conveys information about the final result of the operation. |
| namespace | string | namespace$ | The definition of a namespace is dependent on the type of management interface in use. For WMI, this refers to a Windows namespace. |
| filters | repeated string | filters$ | The names of any filters that were applied to or that allowed this event to be emitted. |
| consumers | repeated string | consumers$ | The names of any known downstream consumers of this event. |
| possible_cause | string | possibleCause$ | Contains information about the potential cause of a given management event. Not all management events will have this populated but it may be populated when command/query/operation/etc do not provide enough sufficient information by themselves. |
| channel | string | channel$ | The channel in which the event was emitted. This will be provider specific, ETW for example will have channels that describe the WMI activity being performed. |
| event_id | uint64 | eventId$ | Contains an event ID which is provider specific. This is likely more general than operation_id and may be useful for filtering purposes. |
| script | string | script$ | If a script was run as part of a management event this field will contain the script's contents if available. |
| script_language | string | scriptLanguage$ | If a script was run as part of a management event this field will contain the script's language if available. |
| script_file_path | string | scriptFilePath$ | If a script was run as part of a management event this field will contain the script's file path if available. |
| username | string | username$ | The name of the user the operation was run under. |
| client_hostname | string | clientHostname$ | The host which ran the tool which triggered the management event. If the operation is being performed remotely these values will be identical to the target host. |
| client_hostname_fqdn | string | clientHostnameFqdn$ | |
| target_hostname | string | targetHostname$ | The host on which the management command/modification/etc was performed. If the operation is being performed remotely these values will be different from the client host fields. |
| target_hostname_fqdn | string | targetHostnameFqdn$ | |
| client_process_correlation_id | ProcessCorrelationID | clientProcessCorrelationId | Contains a reference to a process linked with this event. If remote_operation is true then this process will be a process create time on another host. |
| created_process_correlation_id | ProcessCorrelationID | createdProcessCorrelationId$ | Contains a reference to a process linked with this event. |
| client_process_create_time_usec | uint64 | clientProcessCreateTimeUsec$ | Create time of the client process. If remote_operation is true then this will be the process create time on a remote machine. |
| client_process_id | uint64 | clientProcessId$ | Process ID of the client process. If remote_operation is true then this will be the process create time on a remote machine. |
| created_process_create_time_usec | uint64 | createdProcessCreateTimeUsec$ | Create time of a process created by the management command. |
| created_process_id | uint64 | creaetedProcessId$ | Process ID of a process created by the management command. |
ManagementEvent.ManagementInterface ⫘
Represents an enum that identifies different management providers.
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | |
| WMI | 1 | "Windows Management Instrumentation" |
| SUDO | 2 | "SUDO" |