| Field | Type | JSON name | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this event, specific to CTPX |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID assigned by the sensor to original_data |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address |
| sensor_version | string | sensorVersion$ | The agent version, as a string |
| process_id | string | processId$ | Identifier assigned by the OS to the running process |
| parent_process_id | string | parentProcessId$ | Process ID of the parent process |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID that protects against rolling (reused) process IDs. For redcloak: host_id:id.pid:id.time_window |
| parent_process_correlation_id | string | parentProcessCorrelationId$ | Process correlation ID of the parent, protecting against rolling (reused) process IDs. For redcloak: host_id:parent_id.pid:parent_id.time_window |
| parent_create_time_usec | uint64 | parentCreateTimeUsec$ | Create time of the parent process in µs |
| image_path | string | imagePath$ | Path of the process binary |
| commandline | string | commandline$ | Full command line executing the binary |
| commandline_decoded | string | commandlineDecoded$ | If set, the decoded version of the full command line executing the binary |
| commandline_decoder | repeated string | commandlineDecoder$ | If set, the decoders used to decode the command line |
| username | string | username$ | User that initiated the application |
| process | string | process$ | The host where the process is running |
| program_hash | Process.Hash | processHash$ | Hash of the program binary |
| user_is_admin | bool | userIsAdmin$ | Whether the process was executed by an admin user |
| process_is_admin | bool | processIsAdmin$ | Whether the process is running with admin privileges |
| was_blocked | bool | wasBlocked$ | Whether the Redcloak endpoint agent blocked the process from running |
| computer_name | string | computerName$ | The hostname or name of the device where the process is running |
| host_program | Process.FileInfo | hostProgram$ | Information about the host program (e.g. cmd.exe): the details of the file identified in the image_path field |
| target_program | Process.FileInfo | targetProgram$ | Information about the target file (e.g. foo.bat). Present when a host program is identified with a known file target that presents an opportunity to collect additional file details |
| parent_image_path | string | parentImagePath$ | Image path of the parent process |
| process_timewindow | uint64 | processTimewindow$ | Truncated time window of the process |
| parent_timewindow | uint64 | parentTimewindow$ | Truncated time window of the parent process |
| os | OperatingSystem | os$ | Operating system and architecture on which the process executed |
| hidden | Process.Hidden | hidden$ | Whether the process is hidden from "normal" view |
| process_create_time_usec | uint64 | processCreateTimeUsec$ | Time this process was created, in µs |
| pivot | string | pivot$ | Primary hunting pivot point of the data, used for grouping |
| external_uris | repeated ExternalURI | externalUris | A list of external URIs that may contain additional information, such as the event source |
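The following Python is an added worked example and is not code from the original page or from the Secureworks/Redcloak project. It builds a constructed Process event shaped like the table above, type-checks its scalar fields against the table's types, derives the process and parent correlation IDs in the host_id:pid:time_window shape the table describes (reading the table's `id.pid` and `id.time_window` as the PID and truncated time window is an assumption), converts `event_time_usec` to a UTC timestamp (assuming microseconds since the Unix epoch), and runs a few simple hunting checks over the fields. All sample values are constructed, not captured telemetry.

```python
from datetime import datetime, timezone

# Scalar fields from the table: name -> Python type for the schema type.
# Message-typed fields (program_hash, host_program, os, ...) are omitted here.
SCHEMA = {
    "resource_id": str, "tenant_id": str, "sensor_type": str, "sensor_event_id": str,
    "sensor_tenant": str, "sensor_id": str, "sensor_cpe": str, "original_data": str,
    "event_time_usec": int, "ingest_time_usec": int, "host_id": str, "sensor_version": str,
    "process_id": str, "parent_process_id": str, "process_correlation_id": str,
    "parent_process_correlation_id": str, "parent_create_time_usec": int,
    "image_path": str, "commandline": str, "commandline_decoded": str,
    "commandline_decoder": list, "username": str, "process": str, "user_is_admin": bool,
    "process_is_admin": bool, "was_blocked": bool, "computer_name": str,
    "parent_image_path": str, "process_timewindow": int, "parent_timewindow": int,
    "process_create_time_usec": int, "pivot": str,
}
UINT64_MAX = 2**64 - 1


def validate(event):
    """Return a list of problems: unknown keys, wrong types, uint64 out of range."""
    problems = []
    for key, value in event.items():
        expected = SCHEMA.get(key)
        if expected is None:
            problems.append(f"unknown field {key}")
        elif expected is int:
            # bool is a subclass of int in Python; reject it for uint64 fields
            if isinstance(value, bool) or not isinstance(value, int):
                problems.append(f"{key}: expected uint64, got {type(value).__name__}")
            elif not 0 <= value <= UINT64_MAX:
                problems.append(f"{key}: out of uint64 range")
        elif not isinstance(value, expected):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
    return problems


def correlation_id(host_id, pid, time_window):
    """host_id:pid:time_window (assumed reading of the table's host_id:id.pid:id.time_window).
    A bare PID is reused on a busy host; the truncated create-time window disambiguates it."""
    return f"{host_id}:{pid}:{time_window}"


def event_time(event):
    """event_time_usec as a UTC datetime (assumption: microseconds since the Unix epoch)."""
    return datetime.fromtimestamp(event["event_time_usec"] / 1_000_000, tz=timezone.utc)


def hunt(event):
    """Flags derived only from fields in the table; each is a reason for a second look."""
    flags = []
    if event.get("commandline_decoder"):            # a decoder ran: the command line was encoded
        flags.append("encoded_commandline")
    if event.get("process_is_admin") and not event.get("user_is_admin"):
        flags.append("admin_process_nonadmin_user")  # elevated process, non-admin user
    if event.get("was_blocked"):
        flags.append("blocked_by_sensor")
    return flags


# Constructed sample event; values are illustrative, not real telemetry.
SAMPLE = {
    "tenant_id": "tenant-0001",
    "sensor_type": "redcloak",
    "host_id": "10.0.0.5",
    "process_id": "4321",
    "parent_process_id": "800",
    "process_timewindow": 1_700_000_000,
    "parent_timewindow": 1_699_999_000,
    "event_time_usec": 1_700_000_123_456_789,
    "image_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "commandline": "powershell.exe -enc SQBFAFgA",   # base64(UTF-16LE("IEX"))
    "commandline_decoded": "IEX",
    "commandline_decoder": ["base64", "utf-16le"],
    "username": "alice",
    "user_is_admin": False,
    "process_is_admin": True,
    "was_blocked": False,
}
SAMPLE["process_correlation_id"] = correlation_id(
    SAMPLE["host_id"], SAMPLE["process_id"], SAMPLE["process_timewindow"])
SAMPLE["parent_process_correlation_id"] = correlation_id(
    SAMPLE["host_id"], SAMPLE["parent_process_id"], SAMPLE["parent_timewindow"])

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))
    print("event time:", event_time(SAMPLE).isoformat())
    print("flags:", hunt(SAMPLE))
```

The validator treats Python `bool` separately from `int` because the table types `user_is_admin`, `process_is_admin` and `was_blocked` as bool and the time and window fields as uint64; a loosely typed producer that emits `1` for a flag or `true` for a timestamp is caught before the event reaches a detection rule that keys on those fields.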