FileMod Schema🔗
| Normalized Field | Type | ParserField | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| sensor_type | string | sensorType$ | Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| was_modification_allowed | bool | wasModificationAllowed$ | sensor_action |
| process_id | string | processId$ | Identifier provided by the OS for the running process that modified the file |
| process_create_time_usec | uint64 | processCreateTimeUsec$ | Create time of process that modified the file in µs |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID to protect against rolling IDs redcloak -- host_id:id.pid:id.time_window |
| file_name | string | fileName$ | Name of the file modified |
| file_hash | FileHash | fileHash$ | Hash of the file modified |
| action | string | action$ | Action take on the file. Created, deleted, updated, etc |
| commandline | string | commandline$ | Full command line of process that made the file modification |
| parent_commandline | string | parentCommandline$ | Full command line of the parent process of the process that made the file modification |
| parent_path | string | parentPath$ | Path to binary of the parent process of the process that made the file modification |
| parent_process_file_hash | FileHash | parentProcessFileHash$ | File hashes of the binary file of the parent process of the process that made the file modification |
| parent_process_id | string | parentProcessId$ | Process id of the parent process of the process that made the file modification |
| process_username | string | processUsername$ | Username of the user that ran the process that made the file modification |
| process_file_hash | FileHash | processFileHash$ | File hashes of the binary file of the process that made the file modification |
| process_image_path | string | processImagePath$ | process_path from cb filemod should be considered process_image_path |
| sensor_version | string | sensorVersion$ | The agent version as string. |