FileMod Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | ParserField | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record; specific to the CTPX ID |
| sensor_type | string | sensorType$ | Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address, device MAC address |
| was_modification_allowed | bool | wasModificationAllowed$ | sensor_action |
| process_id | string | processId$ | Identifier provided by the OS for the running process that modified the file |
| process_create_time_usec | uint64 | processCreateTimeUsec$ | Create time of process that modified the file in µs |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID that protects against rolling process IDs. For redcloak: host_id:id.pid:id.time_window |
| file_name | string | fileName$ | Name of the file modified |
| file_hash | FileHash | fileHash$ | Hash of the file modified |
| action | string | action$ | Action taken on the file: created, deleted, updated, etc. |
| commandline | string | commandline$ | Full command line of process that made the file modification |
| parent_commandline | string | parentCommandline$ | Full command line of the parent process of the process that made the file modification |
| parent_path | string | parentPath$ | Path to binary of the parent process of the process that made the file modification |
| parent_process_file_hash | FileHash | parentProcessFileHash$ | File hashes of the binary file of the parent process of the process that made the file modification |
| parent_process_id | string | parentProcessId$ | Process id of the parent process of the process that made the file modification |
| process_username | string | processUsername$ | Username of the user that ran the process that made the file modification |
| process_file_hash | FileHash | processFileHash$ | File hashes of the binary file of the process that made the file modification |
| process_image_path | string | processImagePath$ | Image path of the process that made the file modification; process_path from cb filemod maps to process_image_path |
| sensor_version | string | sensorVersion$ | The agent version as string. |