🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

MemoryAllocation Schema

memory_allocation.proto

MemoryAllocation

Field Type Label Description
resource_id string Full resource string identifying the record
tenant_id string The ID of the tenant that owns this specific to CTPX ID
visibility Visibility Constraints on visibility of the record
normalizer string Name & version of normalizer that created this record
sensor_type string Ex: redcloak,iSensor
sensor_event_id string Event ID of original_data assigned by the sensor
sensor_tenant string Ex: redloak-domain, ctp-client-id
sensor_id string Ex: redcloak-agent-id, iSensor Dev IP
sensor_cpe string CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak::::::::
original_data string Original, unadulterated data prior to any transformation.
event_time_usec uint64 Event time in microseconds (µs)
ingest_time_usec uint64 Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity Specifies the original precision of the time used to populate event_time_usec
host_id string Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
protection string memory protections, represented as a string NOTE: Inspector captures this as uint, so we will convert.
base_address uint64 address in memory of allocation
size uint64 size of allocation
executable bool whether allocation is executable
file FileInfo file object that backs the allocation, if any
captures MemoryAllocation.AllocationCaptures repeated allocation capture requests associated with the allocation, if any
os OperatingSystem operating system, architecture on which memory information was captured
pivot string primary hunting pivot point of the data for grouping

MemoryAllocation.AllocationCaptures

Field Type Label Description
content string compressed, base64 encoded contents of memory captured inside this allocation
requested_size int32 size of memory we wanted to capture (may not be the same as what was actually captured)
captured_size int32 size of what was actually captured
sha1 string sha1 of the original captured memory (should match after decompression/decoding)

 

On this page: