Agent Detection Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
DetectionCategory
The Detection Category is a high-level taxonomy of detections, grouped by the subsystem they belong to.
| Name | Number | Description |
|---|---|---|
| CATEGORY_UNSPECIFIED | 0 | |
| GENERIC | 1 | |
| PROCESS | 2 | |
| MEMORY | 3 | |
| KERNEL | 4 | |
| FILESYSTEM | 5 | |
| REGISTRY | 6 | |
| CONTAINER | 7 | |
DetectionType
DetectionType identifies the specific detection that the agent raised.
| Name | Number | Description |
|---|---|---|
| DETECTION_UNSPECIFIED | 0 | per protobuf style guide, enums should have UNSPECIFIED suffixed zero |
| KEY_LOGGER | 1 | a keylogger (see event_name) was detected |
| RANSOMWARE_LIKE_BEHAVIOR | 2 | detected ransomware like behavior (mix of encryption & numerous file ops) |
| EXECUTABLE_ENTROPY | 3 | T1027.002: the executable may be packed (UPX, etc.); acting_process is populated |
| LOCAL_PRIVILEGE_ESCALATION | 4 | LPE detected |
| DNS_TAMPERING | 5 | DNS / DNS Cache tampering detected |
| PROTOCOL_HIJACKING | 6 | Detected exfiltration / c2 over trusted protocol such as DNS |
| EVENTLOG_BYPASS | 7 | Logging was bypassed (or attempted) |
| SETTIME | 8 | System clock time changed - potential time stomp? |
| INTEGRITY_DISABLED | 9 | e.g. SIP disabled on macOS |
| NAME_RESOLUTION_TAMPERING | 10 | Link-local hostname redirection or other network tampering detected |
| EXECUTION_OF_MODIFIED_CODE | 20 | an allocated page or file-backed page was modified and executed |
| EXECUTABLE_PAGE_PROTECTION_CHANGE | 21 | a page was made executable or an executable page was made writable |
| SELF_MODIFYING_CODE | 22 | detected self-modifying (rwx) code |
| WRITE_TO_EXECUTABLE_CODE | 23 | detected acting_process writing to a code (text section) page of target_process (maybe same) |
| THREAD_HIJACKING | 24 | target_thread context changed in target_process by acting_process and acting_thread_id |
| RAW_SYSCALL_IN_ALLOCD_EXEC_MEM | 25 | a raw syscall was detected in allocated executable memory (likely an attempt to bypass api hooks, etc.) |
| NON_SYSTEM_APC_DELIVERED | 26 | an apc was delivered to execute in memory not backed by a system dll |
| PROCESS_OPENED_INTRUSIVE | 27 | acting_process opened target_process with rights allowing state / virtual memory modifications |
| PROCESS_OPENED_NON_INTRUSIVE | 28 | acting_process opened target_process with read-only rights |
| PACKET_CAPTURE | 29 | acting_process started capturing packets |
| HIGH_CPU_USAGE | 30 | acting_process steadily reporting high cpu usage |
| UAC_BYPASS | 31 | Process attempted UAC bypass/explorer impersonation |
| PROCESS_GHOSTING | 32 | Process ghosting detected |
| PROCESS_HOLLOWING | 34 | Process hollowing detected |
| EXECUTION_PROXY | 35 | An execution proxy was detected |
| INVALID_CODE_SIGNATURE | 36 | code signature on the acting_process is invalid |
| DEP_DISABLED | 37 | Data Execution Prevention (NX) was disabled |
| OVERWRITE_OF_IMAGE_BACKED_CODE | 40 | file-backed executable memory overwritten, e.g. setting hooks, etc. |
| OVERWRITE_OF_IMAGE_BACKED_RODATA | 41 | file-backed read-only memory overwritten, e.g. setting iat/eat hooks, .pdata, etc. |
| MITIGATION_DISABLED | 42 | a mitigation was disabled |
| LEAKED_WRITABLE_EXECUTABLE_MEMORY | 43 | wx memory was leaked leaving process vulnerable |
| SHELLCODE_SYMBOL_RESOLUTION | 44 | Shellcode attempted to resolve symbols needed for unpacking/decryption/execution |
| AGENT_HOOK_TAMPERING | 45 | An agent hook was tampered with / disabled / bypassed |
| BEACON_ENCRYPTION_OBFUSCATION | 46 | Timer, or encryption, or page protection changes of periodic/polling tasking code detected |
| NAMED_KERNEL_OBJECT_CREATED | 60 | a named kernel object was created (see event_name and kernel_object_type) |
| INVALID_DRIVER_SIGNATURE | 61 | a driver with no or an invalid signature was loaded |
| KNOWN_BAD_DRIVER | 62 | indicates a driver with a known vulnerability (which could be known to be used maliciously) was loaded |
| KERNEL_CALLBACKS_DISABLED | 63 | A rootkit/exploit disabled kernel callbacks (e.g. nt!PspNotifyEnableMask) |
| MASTER_BOOT_RECORD_MODIFIED | 80 | the mbr was modified, check memory for new record |
| VOLUME_BOOT_RECORD_MODIFIED | 81 | the vbr was modified, check memory for new record |
| ATTEMPT_TO_MODIFY_PROTECTED_FILE | 82 | an attempt to modify a protected file |
| ATTEMPT_TO_MODIFY_PROTECTED_REG_OBJ | 100 | an attempt to modify a protected registry key or value |
| HKCU_COM_OBJECT_BYPASS | 101 | A COM object was instantiated from HKCU (current user) instead of HKLM (local machine) |
| CONTAINER_TYPE | 1000 | Suspicious event inside a container detected by linux agent |
KernelContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| kernel_object_type | KernelObjectType | | if present, the type of kernel named object created |
| kernel_object_name | string | kernelObjectName$ | if present, the name of the kernel object created |
KernelObjectType
The type of kernel named object.
| Name | Number | Description |
|---|---|---|
| KERNEL_OBJ_UNSPECIFIED | 0 | |
| EVENT | 1 | |
| JOB | 2 | |
| MUTEX | 3 | |
| SECTION | 4 | |
| SEMAPHORE | 5 | |
| WAITABLE_TIMER | 6 | |
ExecutionContext
Details about the state of the processor and memory at the time of the detection.
| Field | Type | Parser Field | Description |
|---|---|---|---|
| acting_thread_id | uint64 | actingThreadId$ | if present, the thread_id of the acting thread |
| target_process_correlation_id | string | targetProcessCorrelationId$ | if present, the 'other' process being acted upon |
| target_thread_id | uint64 | targetThreadId$ | if present, the thread_id of the impacted thread |
| cpu_context | CPUContext | | if present, the CPU context in question (e.g. THREAD_HIJACKING) |
| target_memory_address | uint64 | targetMemoryAddress$ | if present, the address of the occurrence (e.g. selfmodifyingcodepage, remotecodewrite) |
| symbol | string | symbol$ | if present, the symbol + offset of the target_address |
| memory | bytes | | if present, scannable memory of the event (e.g. selfmodifyingcodepage, remotecodewrite) |
| return_memory_address | ReturnMemoryAddress | | if present, image-backed return location |
| stack_backtrace | string | | if present, the stack backtrace dump |
| execution_offset | uint64 | executionOffset$ | if present, offset address of the executable |
| page_protection | uint32 | pageProtection$ | if present, the protection bits for target_address (r/w/x etc.) |
| access_rights | uint32 | accessRights$ | if present, requested object access rights |
| target_image_path | string | targetImagePath$ | Path of the process binary |
| memory_hash_sha256 | string | memoryHashSha256$ | SHA256 hash of the memory |
CPUContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| architecture | string | architecture$ | |
| registers | Register[] | | the register state where possible |
Register
| Field | Type | Parser Field | Description |
|---|---|---|---|
| name | string | name$ | |
| value | int64 | value$ | |
| file_object_attrs | FileObjectAttrs | | If the address points to a mapped file, the unique id of that file |
| memory | bytes | | If the register value is a valid address, 256 bytes of data at that address |
| file_base | uint64 | fileBase$ | Base address of the file mapping |
| file_path | string | filePath$ | Path of the file from memory |
| symbol | string | symbol$ | If available, the symbol the address points to (function name, public variable symbol etc.) |
| page_protection | uint32 | pageProtection$ | Page protections of the memory page at value |
ReturnMemoryAddress
| Field | Type | Parser Field | Description |
|---|---|---|---|
| memory_address | uint64 | memoryAddress$ | |
| file_object_attrs | FileObjectAttrs | | |
| file_base | uint64 | fileBase$ | |
| file_path | string | filePath$ | |
| symbol | string | symbol$ | |
FileObjectAttrs
| Field | Type | Parser Field | Description |
|---|---|---|---|
| device_id | uint64 | deviceId$ | Present for MacOS and Unix |
| inode | uint64 | inode$ | Present for MacOS and Unix |
| volume_guid | bytes | | Present for Windows |
| file_guid | bytes | | Present for Windows |
RegistryContext
Registry details for detections involving specific registry objects.
| Field | Type | Parser Field | Description |
|---|---|---|---|
| key | Registry.RegistryKey | | |
| value | Registry.RegistryValue | | |
| event_type | Registry.RegEventType | | |
FileSystemContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| impacted_file | FileInfo | | if present, the impacted file (e.g. OVERWRITE_OF_IMAGE_BACKED_CODE, OVERWRITE_OF_IMAGE_BACKED_RODATA) |
ContainerContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| mounts | ContainerMountInfo | | Mounts from host to container |
| ports | ContainerPortMapping | | Ports mapped from host to container |
| id | string | id$ | Container ID |
| name | string | name$ | Container name |
| image | string | image$ | Image name |
| image_id | string | imageId$ | Image ID |
| image_repo | string | imageRepo$ | Image repository |
| image_tag | string | imageTag$ | Image tag |
| image_digest | string | imageDigest$ | Image digest |
| command | string | command$ | Command run in the container |
| container_ip | string | containerIp$ | Container IP address |
| privileged | bool | privileged$ | Whether the container is privileged |
| env | string[] | env$ | Environment variables in the container |
| is_pod_sandbox | bool | isPodSandbox$ | Whether the container is in a pod sandbox |
| full_id | string | fullId$ | Full container ID |
| type | ContainerType | type$ | Container type |
| labels | map | labels$ | Labels on the container |
| container_state | ContainerState | containerState$ | State of the container |
| created_time | uint64 | createdTime$ | Time the container was created in nanoseconds since epoch |
| user | string | user$ | User that the container is running as |
| cni_json | string | cniJson$ | Container Network Interface configuration; its format is not documented here, and it may only be present for Kubernetes pods |
| action | ContainerAction | action$ | Container Action |
ContainerMountInfo
| Field | Type | Parser Field | Description |
|---|---|---|---|
| source | string | source$ | Host path |
| destination | string | destination$ | Mount path inside the container |
| mode | string | mode$ | Mount mode |
| is_read_write | bool | isReadWrite$ | Whether the container can write to the mount |
| propagation | string | propagation$ | Whether to share bind mounts between container and host. Possible values: "private", "shared", or "slave" |
ContainerPortMapping
| Field | Type | Parser Field | Description |
|---|---|---|---|
| host_port | uint32 | hostPort$ | Host port |
| container_port | uint32 | containerPort$ | Container port |
| host_ip_addr | string | hostIpAddr$ | Host IP address |
ContainerType
Container runtime type.
| Name | Number | Description |
|---|---|---|
| CONTAINER_TYPE_UNSPECIFIED | 0 | |
| CONTAINER_TYPE_DOCKER | 1 | |
| CONTAINER_TYPE_LXC | 2 | |
| CONTAINER_TYPE_LIBVIRT_LXC | 3 | |
| CONTAINER_TYPE_MESOS | 4 | |
| CONTAINER_TYPE_RKT | 5 | |
| CONTAINER_TYPE_CUSTOM | 6 | |
| CONTAINER_TYPE_CRI | 7 | |
| CONTAINER_TYPE_CONTAINERD | 8 | |
| CONTAINER_TYPE_CRIO | 9 | |
| CONTAINER_TYPE_BPM | 10 | |
| CONTAINER_TYPE_STATIC | 11 | |
| CONTAINER_TYPE_PODMAN | 12 | |
ContainerState
State of the container.
| Name | Number | Description |
|---|---|---|
| CONTAINER_STATE_STARTED | 1 | |
| CONTAINER_STATE_SUCCESSFUL | 2 | |
| CONTAINER_STATE_FAILED | 3 | |
ContainerAction
Action on the container that triggered the event.
| Name | Number | Description |
|---|---|---|
| CONTAINER_ACTION_UNSPECIFIED | 0 | |
| CONTAINER_ACTION_SEEN | 1 | |
| CONTAINER_ACTION_CREATED | 2 | |
| CONTAINER_ACTION_STARTED | 3 | |
| CONTAINER_ACTION_STOPPED | 4 | |
| CONTAINER_ACTION_DELETED | 5 | |
RedirectionContext
| Field | Type | Parser Field | Description |
|---|---|---|---|
| raddr | bytes | | The resolved remote address (bytes) |
| raddr_str | string | raddrStr$ | The resolved remote address (string) |
| ip_version | int32 | ipVersion$ | IP version of raddr: 4 = IPv4, 6 = IPv6, 0 = unspecified |
| hostname | string | hostname$ | The randomized hostname that was queried |