| resource_id |
string |
|
Full resource string identifying the record |
| tenant_id |
string |
|
The ID of the tenant that owns this specific to CTPX ID |
| visibility |
Visibility |
|
Constraints on visibility of the record |
| normalizer |
string |
|
Name & version of normalizer that created this record |
| sensor_type |
string |
|
Ex: redcloak |
| sensor_event_id |
string |
|
Event ID of original_data assigned by the sensor |
| sensor_tenant |
string |
|
Ex: redloak-domain, ctp-client-id |
| sensor_id |
string |
|
Ex: redcloak-agent-id |
| sensor_cpe |
string |
|
CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data |
string |
|
Original, unadulterated data prior to any transformation. |
| event_time_usec |
uint64 |
|
Event time in microseconds (µs) |
| ingest_time_usec |
uint64 |
|
Ingest time in microseconds (µs). |
| event_time_fidelity |
TimeFidelity |
|
Specifies the original precision of the time used to populate event_time_usec |
| host_id |
string |
|
Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| protection |
string |
|
memory protections, represented as a string NOTE: Inspector captures this as uint, so we will convert. |
| base_address |
uint64 |
|
address in memory of allocation |
| size |
uint64 |
|
size of allocation |
| executable |
bool |
|
whether allocation is executable |
| file |
FileInfo |
|
file object that backs the allocation, if any |
| captures |
MemoryAllocation.AllocationCaptures |
repeated |
allocation capture requests associated with the allocation, if any |
| os |
OperatingSystem |
|
operating system, architecture on which memory information was captured |
| pivot |
string |
|
primary hunting pivot point of the data for grouping |
