Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Process Schema

Normalized Field Type Parser Field Description
resource_id string resourceId$ Full resource string identifying the record
tenant_id string tenantId$ The ID of the tenant that owns this specific to CTPX ID
sensor_type string sensorType$ Type of device that generated this event. Ex: redcloak, iSensor
sensor_event_id string sensorEventId$ Event ID of original_data assigned by the sensor
sensor_tenant string sensorTenant$ A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id
sensor_id string sensorId$ An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id, iSensor Dev IP
sensor_cpe string sensorCpe$ CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak::::::::
original_data string originalData$ Original, unadulterated data prior to any transformation.
event_time_usec uint64 eventTimeUsec$ Event time in microseconds (µs)
ingest_time_usec uint64 ingestTimeUsec$ Ingest time in microseconds (µs).
event_time_fidelity TimeFidelity eventTimeFidelity$ Specifies the original precision of the time used to populate event_time_usec
host_id string hostId$ Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address
sensor_version string sensorVersion$ The agent version as string.
process_id string processId$ Identifier provided by the OS for the running process
parent_process_id string parentProcessId$ Process ID of the parent
process_correlation_id string processCorrelationId$ Process correlation ID to protect against rolling IDs redcloak -- host_id:id.pid:id.time_window
parent_process_correlation_id string parentProcessCorrelationId$ Process correlation ID to protect against rolling IDs redcloak -- host_id:parent_id.pid:parent_id.time_window
parent_create_time_usec uint64 parentCreateTimeUsec$ Create time of parent in µs
image_path string imagePath$ Path of the process binary
commandline string commandline$ Full command line executing the binary
commandline_decoded string commandlineDecoded$ If set, the decoded version of the full command line executing the binary
commandline_decoder repeated string commandlineDecoder$ If set, the decoders used to decode the command line
username string username$ User that initiated the application
process string process$ The host where the process is running
program_hash Process.Hash processHash$ Hash of the program binary
user_is_admin bool userIsAdmin$ Is process executed by an admin user
process_is_admin bool processIsAdmin$ Is process running with admin privileges
was_blocked bool wasBlocked$ Did Redcloak endpoint block the process from running?
computer_name string computerName$ The hostname or name of device where the process is running
host_program Process.FileInfo hostProgram$ Information about the host program (e.g. cmd.exe). This will be the details on file identified in the 'image_path' field.
target_program Process.FileInfo targetProgram$ Information about the target file (e.g. foo.bat). This will be present when a host program is identified with a known file target that presents an opportunity for collection of additional file details.
parent_image_path string parentImagePath$ Image path of the parent
process_timewindow uint64 processTimewindow$ truncated timewindow of process
parent_timewindow uint64 parentTimewindow$ truncated timewindow of parent process
os OperatingSystem $os.$os operating system, architecture on which process executed
hidden Process.Hidden hidden$ Whether the process is hidden from "normal" view
process_create_time_usec uint64 processCreateTimeUsec$ time this process was created
pivot string pivot$ primary hunting pivot point of the data for grouping
external_uris repeated ExternalURI externalUris A list of external URIs that may contain additional information such as the event source.


Normalized Field Type Parser Field Description
path string path$
type Process.FileInfo.FileType type$
size uint64 size$
create_time_usec uint64 createTimeUsec$ Times are in microseconds (µs)
access_time_usec uint64 accessTimeUsec$ Times are in microseconds (µs)
mod_time_us uint64 modTimeUs$ Times are in microseconds (µs)
st_ino uint64 stIno$ File status related attributes. Interestingly enough they may also be collected on Windows, backed by POSIX subsystem.
st_mode uint32 stMode$
st_nlink uint32 stNlink$
st_uid uint32 stUid$
st_gid uint32 stGid$
file_hash Process.Hash fileHash$ A hash of the file contents
basename string basename$ Just the filename without the leading directory path
native_path string nativePath$ For Windows, the native system directory used to access the DLL


Normalized Field Type Parser Field Description
md5 string md5$
sha1 string sha1$
sha256 string sha256$
sha512 string sha512$


ProcessRef is a "lightweight" reference to a process running on host at a specific time

Normalized Field Type Parser Field Description
host_id string hostId$ Host ID -- uniquely identifies the host where the event originated.
pid string pid$ PID as reported by the source system
time_window int64 timeWindow$ Process create time rounded to nearest second
process_name string processName$ Name of the process if provided
process_create_time int64 processCreateTime$ Process create time


Name Number Description
UNKNOWN 0 unused but required for proto3
REG 1 regular file
DIR 2 directory
LINK 3 symbolic link
WIN_FILE_TYPE_DISK 101 Inspector uses values from WinBase.h, which collide with above so we will convert The specified Windows file is a disk file
WIN_FILE_TYPE_CHAR 102 The specified Windows file is a character file, typically an LPT device or a console
WIN_FILE_TYPE_PIPE 103 The specified Windows file is a socket, a named pipe, or an anonymous pipe


Whether the process is hidden from "normal" view NOTE: Inspector captures this as bool, so we will convert.

Name Number Description
THREAD_PARENT_MISSING 1 On Windows, process was not found using Process32First/Next but was found using Thread32First/Next.


On this page: