Normalized Field | Type | Parser Field | Description |
---|---|---|---|
resource_id | string | resourceId$ | Full resource string identifying the record |
tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
sensor_type | string | sensorType$ | Ex: redcloak |
sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
sensor_tenant | string | sensorTenant$ | Ex: redloak-domain, ctp-client-id |
sensor_id | string | sensorId$ | Ex: redcloak-agent-id |
sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Ex: cpe:2.3:a:secureworks:redcloak:::::::: |
original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
process_id | string | processId$ | Identifier provided by the OS for the running process that modified the file |
process_create_time_usec | uint64 | processCreateTimeUsec$ | Create time of process that modified the file in µs |
commandline | string | commandline$ | Full command line of process that made the file modification |
process_correlation_id | string | processCorrelationId$ | Process correlation ID to protect against rolling IDs redcloak -- host_id:id.pid:id.time_window |
sensor_version | string | sensorVersion$ | The agent version as string. |
name | string | name$ | name of the registry key/value (subset of key) |
path | string | path$ | full path of registry key/value |
key | Registry.RegistryKey | key$ | |
value | Registry.RegistryValue | value$ | |
pivot | string | pivot$ | primary hunting pivot point of the data for grouping |
rule_context | repeated Registry.RuleContextEntry | ruleContext$ | some rules add additonal strings to hits to help analysts interpret results |
Registry.RegistryKey ⫘
Normalized Field | Type | Parser Field | Description |
---|---|---|---|
acl32 | string | acl32$ | permissions if 32 bit app writes redirected key on x64 |
acl64 | string | acl64$ | permissions if native app wrote on x64 |
last_write_time32_usec | uint64 | lastWriteTime32Usec$ | if 32 bit app writes redirected key on x64 |
last_write_time64_usec | uint64 | lastWriteTime64Usec$ | if native app on x64 stores data |
pivot | string | pivot$ |
Registry.RegistryValue ⫘
Normalized Field | Type | Parser Field | Description |
---|---|---|---|
type32 | Registry.RegistryValue.ValueType | type32$ | type of data stored if 32 bit app writes redirected key on x64 |
type64 | Registry.RegistryValue.ValueType | type64$ | type of data stored if native app on x64 stores data |
data32 | string | data32$ | data stored at value if 32 bit app writes redirected key on x64 |
data64 | string | data64$ | data stored at value if native app on x64 stores data |
name | string | name$ | valueName from taegis agent, used for both 32 and 64 bit variants |
pivot | string | pivot$ |
Registry.RuleContextEntry ⫘
Normalized Field | Type | Parser Field | Description |
---|---|---|---|
key | string | ||
value | string |
Registry.RegistryValue.ValueType ⫘
Name | Number | Description |
---|---|---|
REG_NONE | 0 | No defined value type. |
REG_SZ | 1 | A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions. |
REG_EXPAND_SZ | 2 | A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions. To expand the environment variable references, use the ExpandEnvironmentStrings function. |
REG_BINARY | 3 | Binary data in any form. |
REG_DWORD | 4 | A 32-bit number |
REG_MULTI_SZ | 7 | A sequence of null-terminated strings, terminated by an empty string (\0). |
REG_QWORD | 11 | A 64-bit number. |
REG_DWORD_LITTLE_ENDIAN | 12 | A 32-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_DWORD in the Windows header files. |
REG_DWORD_BIG_ENDIAN | 13 | A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures. |
REG_LINK | 14 | A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK. |
REG_QWORD_LITTLE_ENDIAN | 15 | A 64-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_QWORD in the Windows header files. |