APIcall Schema🔗
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resoureId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| visibility | Visibility | visibility$ | Constraints on visibility of the record |
| normalizer | string | normalizer$ | Name & version of normalizer that created this record |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | IngestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| was_modification_allowed | bool | wasModificationAllowed$ | |
| process_id | string | processId$ | Identifier provided by the OS for the running process |
| process_create_time_usec | uint64 | parentCreateTimeUsec$ | Create time of process in µs |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID to protect against rolling IDs |
| action | string | action$ | Action taken on the file. Created, deleted, updated, etc |
| commandline | string | commandline$ | Full command line of process that made the file modification |
| function_called | string | functionCalled$ | The function that the process attempted to call |
| was_operation_successful | bool | wasOperationSuccessful$ | Was the call to the function called successful |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| normalizer_version | string | normalizerVersion$ | The normalizer version (git tag) |
| normalizer_revision | string | normalizerRevision$ | The normalizer revision (git commit hash) |
| os | OperatingSystem | \(os.\)os | Operating system, architecture of the user's machine |
| enrichments | Enrichments | enrichments$ | Event enrichments |
| win_rpc | WinRPCInfo | Set when this ApiCall event was part of a Windows RPC call |