Subscribe to the Taegis™ XDR Documentation RSS Feed at .


Process Schema

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record. |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID). |
| sensor_type | string | sensorType$ | Type of device that generated this event, e.g. redcloak, iSensor. |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor. |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data, e.g. redcloak-domain, ctp-client-id. |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it, e.g. redcloak-agent-id, iSensor device IP. |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert, e.g. cpe:2.3:a:secureworks:redcloak:::::::: |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs). |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec. |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address. |
| sensor_version | string | sensorVersion$ | The agent version as a string. |
| process_id | string | processId$ | Identifier provided by the OS for the running process. |
| parent_process_id | string | parentProcessId$ | Process ID of the parent. |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID, to protect against rolling IDs. Redcloak: host_id:id.pid:id.time_window |
| parent_process_correlation_id | string | parentProcessCorrelationId$ | Process correlation ID of the parent, to protect against rolling IDs. Redcloak: host_id:parent_id.pid:parent_id.time_window |
| parent_create_time_usec | uint64 | parentCreateTimeUsec$ | Create time of the parent in µs. |
| image_path | string | imagePath$ | Path of the process binary. |
| commandline | string | commandline$ | Full command line executing the binary. |
| commandline_decoded | string | commandlineDecoded$ | If set, the decoded version of the full command line executing the binary. |
| commandline_decoder | repeated string | commandlineDecoder$ | If set, the decoders used to decode the command line. |
| username | string | username$ | User that initiated the application. |
| process | string | process$ | The host where the process is running. |
| program_hash | Process.Hash | processHash$ | Hash of the program binary. |
| user_is_admin | bool | userIsAdmin$ | Whether the process was executed by an admin user. |
| process_is_admin | bool | processIsAdmin$ | Whether the process is running with admin privileges. |
| was_blocked | bool | wasBlocked$ | Whether the Redcloak endpoint blocked the process from running. |
| computer_name | string | computerName$ | The hostname or name of the device where the process is running. |
| host_program | Process.FileInfo | hostProgram$ | Information about the host program (e.g. cmd.exe). These are the details of the file identified in the image_path field. |
| target_program | Process.FileInfo | targetProgram$ | Information about the target file (e.g. foo.bat). Present when a host program is identified with a known file target that presents an opportunity to collect additional file details. |
| parent_image_path | string | parentImagePath$ | Image path of the parent. |
| process_timewindow | uint64 | processTimewindow$ | Truncated time window of the process. |
| parent_timewindow | uint64 | parentTimewindow$ | Truncated time window of the parent process. |
| os | OperatingSystem | $os.$os | Operating system and architecture on which the process executed. |
| hidden | Process.Hidden | hidden$ | Whether the process is hidden from "normal" view. |
| process_create_time_usec | uint64 | processCreateTimeUsec$ | Time this process was created. |
| pivot | string | pivot$ | Primary hunting pivot point of the data, for grouping. |
| external_uris | repeated ExternalURI | externalUris | A list of external URIs that may contain additional information, such as the event source. |
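The process_correlation_id and parent_process_correlation_id fields exist because an operating system recycles PIDs, so joining parent to child on the raw process_id alone is ambiguous once a day of telemetry is in view. The Python below is an added example, not Taegis or Secureworks code: it derives the window and correlation fields from the schema's raw identity fields and uses them to rebuild process ancestry. The 1-second window size and the host_id:pid:time_window layout are assumptions drawn from the field descriptions (the page does not state the sensor's exact truncation), and the hostname, PIDs, paths and timestamps in SAMPLE_RECORDS are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumption: create times are truncated to 1-second windows. The page only says
# "truncated timewindow"; the real sensor's granularity may differ.
WINDOW_USEC = 1_000_000


def time_window(create_time_usec: int) -> int:
    """Truncate a microsecond create time to its window (process_timewindow / parent_timewindow)."""
    return create_time_usec // WINDOW_USEC


def correlation_id(host_id: str, pid: str, create_time_usec: int) -> str:
    """Assumed layout host_id:pid:time_window; a reused PID in a later window yields a new ID."""
    return f"{host_id}:{pid}:{time_window(create_time_usec)}"


def enrich(record: dict) -> dict:
    """Derive the window and correlation fields from one record's raw identity fields."""
    r = dict(record)
    r["process_timewindow"] = time_window(r["process_create_time_usec"])
    r["parent_timewindow"] = time_window(r["parent_create_time_usec"])
    r["process_correlation_id"] = correlation_id(
        r["host_id"], r["process_id"], r["process_create_time_usec"])
    # parent_create_time_usec is what lets the parent link survive PID reuse.
    r["parent_process_correlation_id"] = correlation_id(
        r["host_id"], r["parent_process_id"], r["parent_create_time_usec"])
    return r


def build_tree(records: List[dict]) -> Tuple[Dict[str, dict], Dict[str, List[str]]]:
    """Index records by correlation ID and map each parent ID to its children's IDs."""
    by_id: Dict[str, dict] = {}
    children: Dict[str, List[str]] = defaultdict(list)
    for r in map(enrich, records):
        by_id[r["process_correlation_id"]] = r
        children[r["parent_process_correlation_id"]].append(r["process_correlation_id"])
    return by_id, dict(children)


def ancestry(by_id: Dict[str, dict], cid: str) -> List[str]:
    """Walk parent links upward from cid; the last entry is the first ancestor absent from the data set."""
    chain = [cid]
    while chain[-1] in by_id:
        parent = by_id[chain[-1]]["parent_process_correlation_id"]
        if parent in chain:  # guard against malformed data that would loop forever
            break
        chain.append(parent)
    return chain


def reused_pids(records: List[dict]) -> List[str]:
    """PIDs seen in more than one window on the same host, i.e. where a raw-PID join is ambiguous."""
    windows = defaultdict(set)
    for r in records:
        windows[(r["host_id"], r["process_id"])].add(time_window(r["process_create_time_usec"]))
    return sorted(pid for (_, pid), seen in windows.items() if len(seen) > 1)


# Constructed sample records (hostname, PIDs, paths and times are made up).
# PID 4242 is used twice: first by cmd.exe, later by powershell.exe after the OS recycles it.
SAMPLE_RECORDS = [
    {"host_id": "WS01", "process_id": "4242", "parent_process_id": "1200",
     "process_create_time_usec": 1_000_250_000, "parent_create_time_usec": 100_000_000,
     "image_path": r"C:\Windows\System32\cmd.exe"},
    {"host_id": "WS01", "process_id": "5000", "parent_process_id": "4242",
     "process_create_time_usec": 1_001_500_000, "parent_create_time_usec": 1_000_250_000,
     "image_path": r"C:\Windows\System32\whoami.exe"},
    {"host_id": "WS01", "process_id": "4242", "parent_process_id": "1200",
     "process_create_time_usec": 5_000_100_000, "parent_create_time_usec": 100_000_000,
     "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host_id": "WS01", "process_id": "6000", "parent_process_id": "4242",
     "process_create_time_usec": 5_002_000_000, "parent_create_time_usec": 5_000_100_000,
     "image_path": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    by_id, children = build_tree(SAMPLE_RECORDS)
    print("reused PIDs:", reused_pids(SAMPLE_RECORDS))
    for parent_cid, kids in children.items():
        print(parent_cid, "->", kids)
    print("ancestry of notepad.exe:", ancestry(by_id, "WS01:6000:5002"))
```

With the raw PID alone, notepad.exe's parent 4242 matches both cmd.exe and powershell.exe; keyed by correlation ID, whoami.exe resolves to the cmd.exe instance and notepad.exe to the powershell.exe instance. The join only works because each record carries parent_create_time_usec, which is why that field sits beside parent_process_id in the schema.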

Process.FileInfo

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| path | string | path$ | |
| type | Process.FileInfo.FileType | type$ | |
| size | uint64 | size$ | |
| create_time_usec | uint64 | createTimeUsec$ | Times are in microseconds (µs). |
| access_time_usec | uint64 | accessTimeUsec$ | Times are in microseconds (µs). |
| mod_time_us | uint64 | modTimeUs$ | Times are in microseconds (µs). |
| st_ino | uint64 | stIno$ | File status related attributes. Interestingly enough, they may also be collected on Windows, backed by the POSIX subsystem. |
| st_mode | uint32 | stMode$ | |
| st_nlink | uint32 | stNlink$ | |
| st_uid | uint32 | stUid$ | |
| st_gid | uint32 | stGid$ | |
| file_hash | Process.Hash | fileHash$ | A hash of the file contents. |
| basename | string | basename$ | Just the filename, without the leading directory path. |
| native_path | string | nativePath$ | For Windows, the native system directory used to access the DLL. |

Process.Hash

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| md5 | string | md5$ | |
| sha1 | string | sha1$ | |
| sha256 | string | sha256$ | |
| sha512 | string | sha512$ | |

ProcessRef

ProcessRef is a "lightweight" reference to a process running on a host at a specific time.

| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated. |
| pid | string | pid$ | PID as reported by the source system. |
| time_window | int64 | timeWindow$ | Process create time rounded to the nearest second. |
| process_name | string | processName$ | Name of the process, if provided. |
| process_create_time | int64 | processCreateTime$ | Process create time. |

Process.FileInfo.FileType

| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | Unused, but required for proto3. |
| REG | 1 | Regular file. |
| DIR | 2 | Directory. |
| LINK | 3 | Symbolic link. |
| WIN_FILE_TYPE_DISK | 101 | The specified Windows file is a disk file. (Inspector uses the values from WinBase.h, which collide with the values above, so they are converted.) |
| WIN_FILE_TYPE_CHAR | 102 | The specified Windows file is a character file, typically an LPT device or a console. |
| WIN_FILE_TYPE_PIPE | 103 | The specified Windows file is a socket, a named pipe, or an anonymous pipe. |

Process.Hidden

Whether the process is hidden from "normal" view. NOTE: Inspector captures this as a bool, so it is converted.

| Name | Number | Description |
|---|---|---|
| NOT_HIDDEN | 0 | |
| THREAD_PARENT_MISSING | 1 | On Windows, the process was not found using Process32First/Next but was found using Thread32First/Next. |
