ProcessModule Schema
process_module.proto ⫘
ProcessModule ⫘
Base event
| Field | Type | Label | Description |
|---|---|---|---|
| resource_id | string | Full resource string identifying the record | |
| tenant_id | string | The ID of the tenant that owns this specific to CTPX ID | |
| visibility | Visibility | Constraints on visibility of the record | |
| normalizer | string | Name & version of normalizer that created this record | |
| sensor_type | string | Ex: redcloak | |
| sensor_event_id | string | Event ID of original_data assigned by the sensor | |
| sensor_tenant | string | Ex: redloak-domain, ctp-client-id | |
| sensor_id | string | Ex: redcloak-agent-id | |
| sensor_cpe | string | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: | |
| original_data | string | Original, unadulterated data prior to any transformation. | |
| event_time_usec | uint64 | Event time in microseconds (µs) | |
| ingest_time_usec | uint64 | Ingest time in microseconds (µs). | |
| event_time_fidelity | TimeFidelity | Specifies the original precision of the time used to populate event_time_usec | |
| host_id | string | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address | |
| sensor_version | string | The agent version as string. | |
| normalizer_version | string | The normalizer version (git tag) | |
| normalizer_revision | string | The normalizer revision (git commit hash) | |
| process_id | string | hosting process' ID | |
| base_address | uint64 | memory address where the module is loaded | |
| file | FileInfo | file backing the module, if any | |
| process_create_time_usec | uint64 | Create time of process that modified the file in µs | |
| commandline | string | Full command line of process that made the file modification | |
| process_correlation_id | string | Process correlation ID to protect against rolling IDs redcloak -- host_id:id.pid:id.time_window | |
| module_action | string | Action of the module load | |
| process_username | string | User name of the process | |
| process_account_name | string | Account name of the process | |
| prcess_windows_sid | string | Windows SID, if any | |
| process_file | FileInfo | Process file, if any | |
| parent_process_id | string | Parent process ID | |
| parent_create_time_usec | uint64 | Create time of parent process | |
| parent_process_file | FileInfo | Parent process file, if any | |
| sensor_action | string | Sensor Action | |
| pivot | string | primary hunting pivot point of the data for grouping |