| Field | Type | Label | Description |
|---|---|---|---|
| resource_id | string | | Full resource string identifying the record |
| tenant_id | string | | The ID of the tenant that owns this record, specific to the CTPX ID |
| visibility | Visibility | | Constraints on the visibility of the record |
| normalizer | string | | Name and version of the normalizer that created this record |
| sensor_type | string | | Ex: redcloak |
| sensor_event_id | string | | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | | Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | | Ex: redcloak-agent-id |
| sensor_cpe | string | | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address |
| protection | string | | Memory protections, represented as a string. NOTE: Inspector captures this as a uint, so we will convert it |
| base_address | uint64 | | Address in memory of the allocation |
| size | uint64 | | Size of the allocation |
| executable | bool | | Whether the allocation is executable |
| file | FileInfo | | File object that backs the allocation, if any |
| captures | MemoryAllocation.AllocationCaptures | repeated | Allocation capture requests associated with the allocation, if any |
| os | OperatingSystem | | Operating system and architecture on which the memory information was captured |
| pivot | string | | Primary hunting pivot point of the data, used for grouping |