Antivirus Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address |
| threat_type | Antivirus.ThreatType | threatType$ | |
| action_taken | Antivirus.ActionTaken | actionTaken$ | |
| threat_name | string | threatName$ | Threat name as reported by the antivirus product. |
| agent_priority | string | agentPriority$ | Priority assigned to the threat by the agent/vendor. |
| agent_confidence_score | float | agentConfidenceScore$ | Alert confidence score provided by the agent/vendor. Recommended value range of 0-1, which equates to a percentage. |
| threat_category | Antivirus.ThreatCategory | threatCategory$ | |
| policy_name | string | policyName$ | Name of the policy applied on the reporting agent. |
| process_name | string | procesName$ | Information to identify the offending process, file, or network source/destination. Name of a malicious process found running in memory. |
| file_path | string | filePath$ | File name and path of an infected file. |
| file_hash | FileHash | fileHash$ | File hash of an infected file - useful for checking against vendor hashes in case of an out-of-date policy. |
| url_string | string | urlString$ | URL of malicious traffic. |
| user_name | string | userName$ | Username of the running process/logged in user/file owner. |
| agent_device_id | string | agentDeviceId$ | Device identifier, e.g. a GUID - this ID is assigned by the agent, not Secureworks. |
| agent_device_score | int32 | agentDeviceScore$ | Device score for AV products which allow you to add a score to differentiate between mission-critical and low risk hosts. |
| os | OperatingSystem | os(.os) | Operating system and architecture on which the process executed. |
| agent_alert_url | string | agentAlertUrl$ | URL for documentation of threat (not the threat itself). |
| file_create_time_usec | uint64 | fileCreateTimeUsec$ | Time the file containing the virus was created. |
| file_modified_time_usec | uint64 | fileModifiedTimeUsec$ | Time the file containing the virus was modified. |
| vendor_alert_type | string | vendorAlertType$ | Vendor-provided description of the alert type (ex. Abnormal, Suspicious, Communications Alert, etc.). |
| agent_version | string | agentVersion$ | Version of the agent that reported the event. |
| computer_name | string | computerName$ | Hostname of the affected endpoint |
| vendor_signature_id | uint32 | vendorSignatureId$ | The rule ID provided by the vendor that was used to create the event |
| event_metadata | KeyValuePairsIndexed | | event_metadata can be provided by the data source to add context |
Antivirus.ActionTaken
| Name | Number | Description |
|---|---|---|
| UNKNOWN_ACTIONTAKEN | 0 | unused but required for proto3 |
| QUARANTINED | 1 | File is quarantined. |
| ALERT | 2 | Alert but no other action. |
| DELETED | 3 | File is deleted. |
| BLOCKED | 4 | File or traffic blocked from starting. |
| TERMINATED | 5 | Running process terminated. |
| NONE | 6 | No action taken. |
| RESTORED | 7 | File is restored from quarantine. |
Antivirus.ThreatCategory
| Name | Number | Description |
|---|---|---|
| UNKNOWN_THREATCATEGORY | 0 | internal: unused but required for proto3 |
| APPLICATION | 1 | Unwanted application |
| TROJAN | 2 | Files with a trojan payload. |
| VIRUS | 3 | Files infected with a virus. |
| MALWARE | 4 | General malware. |
| MINER | 5 | Cryptocurrency miners. |
| TORRENT | 6 | Torrents. |
| RANSOMWARE | 7 | Ransomware. |
| GENERIC | 8 | Generic/undefined. |
| BACKDOOR | 9 | Backdoor |
| AI_DETECTION | 10 | Unspecified classification detected by ML |
| EXPLOIT | 11 | Exploit |
Antivirus.ThreatType
The detection method used to identify the threat.
| Name | Number | Description |
|---|---|---|
| UNKNOWN_THREATTYPE | 0 | internal: unused but required for proto3 |
| PROCESS | 1 | Threat detected from process execution. |
| FILE | 2 | Threat detected on filesystem. |
| MEMORY | 3 | Threat detected running in memory. |
| SCAN | 4 | Threat detected from scanning. |
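The note at the top of this page states the rule that a normalized field exists only when its parser field exists in the original data, and the three enum tables define the closed value sets for threat_type, action_taken and threat_category. The following Python is an added example, not Secureworks code, that applies both: it maps a parsed antivirus record onto the scalar fields of the schema table, accepts enum values by name or by number, leaves a normalized field absent when its parser field is absent, and flags the reserved UNKNOWN_* values and a confidence score outside the recommended 0-1 range. It assumes that the parser-field strings in the table, `$` suffix included, are literal keys of the parsed record; the sample event is constructed for the example.

```python
from enum import IntEnum
from typing import Any, Dict, List, Tuple, Union


class ActionTaken(IntEnum):
    """Antivirus.ActionTaken, numbers as in the schema table."""
    UNKNOWN_ACTIONTAKEN = 0
    QUARANTINED = 1
    ALERT = 2
    DELETED = 3
    BLOCKED = 4
    TERMINATED = 5
    NONE = 6
    RESTORED = 7


class ThreatCategory(IntEnum):
    """Antivirus.ThreatCategory, numbers as in the schema table."""
    UNKNOWN_THREATCATEGORY = 0
    APPLICATION = 1
    TROJAN = 2
    VIRUS = 3
    MALWARE = 4
    MINER = 5
    TORRENT = 6
    RANSOMWARE = 7
    GENERIC = 8
    BACKDOOR = 9
    AI_DETECTION = 10
    EXPLOIT = 11


class ThreatType(IntEnum):
    """Antivirus.ThreatType (detection method), numbers as in the schema table."""
    UNKNOWN_THREATTYPE = 0
    PROCESS = 1
    FILE = 2
    MEMORY = 3
    SCAN = 4


FieldType = Union[str, type]
# (normalized field, parser field, type) for scalar fields of the schema table.
# Assumption: the parser-field strings, '$' included, are literal record keys.
# Composite types (FileHash, OperatingSystem, KeyValuePairsIndexed) are omitted.
FIELD_MAP: List[Tuple[str, str, FieldType]] = [
    ("threat_type", "threatType$", ThreatType),
    ("action_taken", "actionTaken$", ActionTaken),
    ("threat_category", "threatCategory$", ThreatCategory),
    ("threat_name", "threatName$", "string"),
    ("agent_confidence_score", "agentConfidenceScore$", "float"),
    ("process_name", "procesName$", "string"),  # spelled as in the schema table
    ("file_path", "filePath$", "string"),
    ("url_string", "urlString$", "string"),
    ("user_name", "userName$", "string"),
    ("computer_name", "computerName$", "string"),
    ("event_time_usec", "eventTimeUsec$", "uint64"),
    ("vendor_signature_id", "vendorSignatureId$", "uint32"),
]
INT_RANGES = {"uint32": (0, 2**32 - 1), "uint64": (0, 2**64 - 1)}


def coerce_enum(enum_cls: type, raw: Any) -> IntEnum:
    """Accept an enum member by name (case-insensitive) or by its number."""
    if isinstance(raw, str) and raw.upper() in enum_cls.__members__:
        return enum_cls[raw.upper()]
    try:
        return enum_cls(int(raw))
    except (TypeError, ValueError):
        raise ValueError(f"{raw!r} is not a valid {enum_cls.__name__}") from None


def normalize_antivirus_event(original: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (normalized fields, warnings); raise ValueError on values that cannot fit the schema."""
    normalized: Dict[str, Any] = {}
    warnings: List[str] = []
    for norm_name, parser_name, ftype in FIELD_MAP:
        if parser_name not in original:
            continue  # rule from the note: no parser field in the original data, no normalized field
        raw = original[parser_name]
        if isinstance(ftype, type):  # one of the enum classes above
            member = coerce_enum(ftype, raw)
            if member == 0:  # UNKNOWN_* is reserved for proto3, not a real classification
                warnings.append(f"{norm_name}: {member.name} carries no information")
            normalized[norm_name] = member.name
        elif ftype in INT_RANGES:
            lo, hi = INT_RANGES[ftype]
            value = int(raw)
            if not lo <= value <= hi:
                raise ValueError(f"{norm_name}: {value} outside {ftype} range")
            normalized[norm_name] = value
        elif ftype == "float":
            score = float(raw)
            if norm_name == "agent_confidence_score" and not 0.0 <= score <= 1.0:
                warnings.append(f"{norm_name}: {score} outside the recommended 0-1 range")
            normalized[norm_name] = score
        else:
            normalized[norm_name] = str(raw)
    return normalized, warnings


# Constructed sample record: note the absent procesName$ and fileHash$ keys.
SAMPLE_EVENT = {
    "threatName$": "Ransom.Example.Constructed",
    "actionTaken$": "QUARANTINED",
    "threatCategory$": 7,
    "threatType$": "file",
    "agentConfidenceScore$": 0.92,
    "eventTimeUsec$": "1700000000000000",
    "filePath$": "C:\\Users\\demo\\Downloads\\invoice.exe",
    "computerName$": "WS-0042",
}

if __name__ == "__main__":
    fields, notes = normalize_antivirus_event(SAMPLE_EVENT)
    print(fields, notes)
```

Warnings are kept separate from hard errors on purpose: the confidence range is only recommended by the schema and an UNKNOWN_* value is syntactically valid, so both are worth surfacing to whoever maintains the parser without dropping the event, whereas an enum name the schema does not define or an integer outside its declared width cannot be stored faithfully and is rejected.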