CloudAudit Schema
Note: Schema docs show the fields available for normalization. For a schema field to be populated in XDR, the corresponding field defined in the parser must exist in the original data. Normalized data appears in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record. |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record, specific to CTPX |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | IngestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| user_name | string | userName$ | Name of the Cloud user who conducted the audited activity |
| user_type | string | userType$ | Type of the audited user, as categorized by the Cloud Provider |
| access_key | string | accessKey$ | Access key used by the user during the audited activity |
| mfa_used | bool | mfaUsed$ | Whether MFA was used when the user was authenticated |
| user_id | string | userId$ | Unique ID for the user |
| event_type | string | eventType$ | Audit event type assigned by Cloud Provider, e.g. 'AwsApiCall' |
| event_name | string | eventName$ | Audit event name assigned by Cloud Provider, e.g. 'PutObject' |
| event_source | string | eventSource$ | Audit event source assigned by Cloud Provider, e.g. 's3.amazonaws.com' |
| recipient_account_id | string | recipientAccountId$ | Audit event's recipient account_id assigned by Cloud Provider |
| read_only | bool | readOnly$ | Audit event is read-only |
| management_event | bool | managementEvent$ | Audit event is management event |
| bucket_name | string | bucketName$ | Name for the bucket containing the object, e.g. 'us-bucket01' |
| target_hostname | string | targetHostname$ | The name of the target host, e.g. 'us-bucket01.s3.amazonaws.com' |
| object_key | string | objectKey$ | The key of the object, e.g. 'sample_image.jpg', 'mydatabase/mytable/data-content.snappy.parquet' |
| object_prefix | string | objectPrefix$ | The prefix specified for the object |
| resources | CloudAudit.CloudResource | repeated | Complete list of resources accessed by the audited event. Each resource is described by resource_account_id, resource_id, resource_type |
| source_address | string | sourceAddress$ | The Internet IP address from where the user initiated the request which triggered the audited event |
| user_agent | string | userAgent$ | User-Agent used in the request |
| source_ipgeo_summary | GeoSummary | sourceIpgeoSummary$ | The geographic location of the source IP |
| os | OperatingSystem | \(os.\)os | Operating system, architecture of the user's machine |
| logon_application_family | string | logonApplicationFamily$ | The application used by the user to logon, devoid of version information (ex. chrome, firefox) |
| region | string | region$ | The data center region, e.g. 'sa-east-1' |
| status | string | status$ | The result status of the audited event |
| error_code | string | errorCode$ | The result error code, if any, of the audited event |
| error_message | string | errorMessage$ | The result error message, if any, of the audited event |
| request_parameters | KeyValuePairsIndexed | requestParameters$ | List of parameters in the request in key-value pairs |
| responses | KeyValuePairsIndexed | responses$ | Responses from Cloud services |
| additional_event_data | KeyValuePairsIndexed | additionalEventData$ | Additional metadata of the audited events in key-value pairs |
CloudAudit.CloudResource
CloudResource identifies and describes an audited resource in the cloud.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | A unique identifier for a resource assigned by Cloud Provider |
| resource_account_id | string | resourceAccountId$ | Account Id to which the resource belongs in the Cloud |
| resource_type | string | resourceType$ | Resource type assigned by the Cloud Provider |
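As an added illustration (not Taegis XDR's own parser code and not part of this schema page), the Python below maps a constructed CloudTrail-style record onto the normalized field names from the CloudAudit and CloudAudit.CloudResource tables above. It follows the rule in the note at the top: a normalized field is emitted only when its source field is present in the original data, so a successful call yields no error_code and a resource without an accountId yields no resource_account_id. The source field paths, the sample record values, and the representation of KeyValuePairsIndexed as a list of key/value dicts are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample record in CloudTrail style (illustrative values, not a real log).
SAMPLE_RECORD = {
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDAEXAMPLEPRINCIPAL",
        "userName": "alice",
        "accessKeyId": "AKIAEXAMPLEKEY",
        "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
    },
    "eventTime": "2024-05-01T12:34:56Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "PutObject",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "203.0.113.10",
    "userAgent": "aws-cli/2.15.0",
    "requestParameters": {
        "bucketName": "us-bucket01",
        "key": "sample_image.jpg",
        "Host": "us-bucket01.s3.amazonaws.com",
    },
    "resources": [
        {"ARN": "arn:aws:s3:::us-bucket01/sample_image.jpg", "type": "AWS::S3::Object"},
        {"ARN": "arn:aws:s3:::us-bucket01", "accountId": "123456789012", "type": "AWS::S3::Bucket"},
    ],
    "eventType": "AwsApiCall",
    "readOnly": False,
    "managementEvent": False,
    "recipientAccountId": "123456789012",
}

# Assumed mapping from normalized field name to the path in the source record.
FIELD_MAP = [
    ("user_name", ("userIdentity", "userName")),
    ("user_type", ("userIdentity", "type")),
    ("user_id", ("userIdentity", "principalId")),
    ("access_key", ("userIdentity", "accessKeyId")),
    ("event_type", ("eventType",)),
    ("event_name", ("eventName",)),
    ("event_source", ("eventSource",)),
    ("recipient_account_id", ("recipientAccountId",)),
    ("read_only", ("readOnly",)),
    ("management_event", ("managementEvent",)),
    ("bucket_name", ("requestParameters", "bucketName")),
    ("object_key", ("requestParameters", "key")),
    ("target_hostname", ("requestParameters", "Host")),
    ("source_address", ("sourceIPAddress",)),
    ("user_agent", ("userAgent",)),
    ("region", ("awsRegion",)),
    ("error_code", ("errorCode",)),
    ("error_message", ("errorMessage",)),
]


def _get(record, *path):
    """Walk a nested dict; return None if any key on the path is missing."""
    for key in path:
        if not isinstance(record, dict) or key not in record:
            return None
        record = record[key]
    return record


def event_time_usec(iso_ts):
    """Convert a 'YYYY-MM-DDTHH:MM:SSZ' timestamp to microseconds since the epoch."""
    dt = datetime.strptime(iso_ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000


def to_kv_pairs(mapping):
    """Assumed key/value representation for KeyValuePairsIndexed fields."""
    return [{"key": k, "value": v if isinstance(v, str) else json.dumps(v)}
            for k, v in mapping.items()]


def normalize(record):
    """Populate only the normalized fields whose source data exists."""
    out = {"original_data": json.dumps(record, sort_keys=True)}
    for field, path in FIELD_MAP:
        value = _get(record, *path)
        if value is not None:
            out[field] = value
    mfa = _get(record, "userIdentity", "sessionContext", "attributes", "mfaAuthenticated")
    if mfa is not None:
        out["mfa_used"] = str(mfa).lower() == "true"
    if _get(record, "eventTime") is not None:
        out["event_time_usec"] = event_time_usec(record["eventTime"])
    if _get(record, "requestParameters") is not None:
        out["request_parameters"] = to_kv_pairs(record["requestParameters"])
    # Each CloudResource carries only the identifiers present on the source resource.
    resources = []
    for res in record.get("resources", []):
        entry = {}
        if "ARN" in res:
            entry["resource_id"] = res["ARN"]
        if "accountId" in res:
            entry["resource_account_id"] = res["accountId"]
        if "type" in res:
            entry["resource_type"] = res["type"]
        if entry:
            resources.append(entry)
    if resources:
        out["resources"] = resources
    return out


def searchable_fields(normalized):
    """Fields that would be searchable: exactly those that were populated."""
    return sorted(normalized)


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_RECORD), indent=2))
```

Run it to see which normalized fields a given record yields; fields such as status, os and source_ipgeo_summary are absent here because the constructed record carries nothing to derive them from.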