ManagementEvent Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resourceId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record; this is the CTPX tenant ID |
| sensor_type | string | sensorType$ | Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | ingestTimeUsec$ | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or the device MAC address |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| type | ManagementEvent.ManagementInterface | type$ | Identifies the type of management system that produced this event. |
| remote_operation | bool | remoteOperation$ | Indicates if this management event was triggered by a remote host. |
| operation_id | uint64 | operationId$ | Provides an ID that identifies the specific type of operation being performed. This ID is not unique to individual events within a provider; every event of the same operation type carries the same ID. |
| operation_group_id | uint64 | operationGroupId$ | Used to group and connect multiple events together. |
| operation_name | string | operationName$ | A name identifying the operation being performed. |
| operation | string | operation$ | The operation being performed. This may be a summary or other human readable information that should provide more insights beyond what operation_name or operation_id may contain. |
| query | string | query$ | The query run by the management event. |
| query_language | string | queryLanguage$ | The language in which the query is being run. |
| command | string | command$ | The command being run as part of the operation. |
| result | string | result$ | The code or message that conveys information about the final result of the operation. |
| namespace | string | namespace$ | The definition of a namespace is dependent on the type of management interface in use. For WMI, this refers to a Windows namespace. |
| filters | repeated string | filters$ | The names of any filters that were applied to or that allowed this event to be emitted. |
| consumers | repeated string | consumers$ | The names of any known downstream consumers of this event. |
| possible_cause | string | possibleCause$ | Contains information about the potential cause of a given management event. Not all management events will have this populated, but it may be populated when command/query/operation/etc. do not provide sufficient information by themselves. |
| channel | string | channel$ | The channel in which the event was emitted. This is provider specific; ETW, for example, has channels that describe the WMI activity being performed. |
| event_id | uint64 | eventId$ | Contains an event ID which is provider specific. This is likely more general than operation_id and may be useful for filtering purposes. |
| script | string | script$ | If a script was run as part of a management event this field will contain the script's contents if available. |
| script_language | string | scriptLanguage$ | If a script was run as part of a management event this field will contain the script's language if available. |
| script_file_path | string | scriptFilePath$ | If a script was run as part of a management event this field will contain the script's file path if available. |
| username | string | username$ | The name of the user the operation was run under. |
| client_hostname | string | clientHostname$ | The host that ran the tool which triggered the management event. If the operation is not being performed remotely, these values will be identical to the target host fields. |
| client_hostname_fqdn | string | clientHostnameFqdn$ | Fully qualified domain name of the client host. |
| target_hostname | string | targetHostname$ | The host on which the management command/modification/etc. was performed. If the operation is being performed remotely, these values will be different from the client host fields. |
| target_hostname_fqdn | string | targetHostnameFqdn$ | Fully qualified domain name of the target host. |
| client_process_correlation_id | ProcessCorrelationID | clientProcessCorrelationId$ | Contains a reference to a process linked with this event. If remote_operation is true, this process is on another host. |
| created_process_correlation_id | ProcessCorrelationID | createdProcessCorrelationId$ | Contains a reference to a process linked with this event. |
| client_process_create_time_usec | uint64 | clientProcessCreateTimeUsec$ | Create time of the client process. If remote_operation is true, this will be the process create time on a remote machine. |
| client_process_id | uint64 | clientProcessId$ | Process ID of the client process. If remote_operation is true, this will be the process ID on a remote machine. |
| created_process_create_time_usec | uint64 | createdProcessCreateTimeUsec$ | Create time of a process created by the management command. |
| created_process_id | uint64 | createdProcessId$ | Process ID of a process created by the management command. |
ManagementEvent.ManagementInterface
Represents an enum that identifies different management providers.
| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | |
| WMI | 1 | Windows Management Instrumentation |
| SUDO | 2 | sudo |
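The two tables above describe a mapping (parser field name to normalized field name, plus the ManagementInterface enum) and a few cross-field rules (a normalized field is only populated when its parser field exists in the original data; client and target host fields differ exactly when remote_operation is true). The following Python is an added example, not Secureworks' or Taegis XDR's own code: it applies that mapping to constructed raw records keyed by the parser field names, resolves the enum, and flags records whose remote_operation flag disagrees with their hostnames before they are used in a detection. The function names, the sample records and the hostnames are all assumptions made up for the example.

```python
# Added example, not the schema owner's code. Normalizes constructed raw
# management-event records (keyed by the table's Parser Field names) into
# the Normalized Field names and checks the cross-field rules the
# descriptions state. All sample values below are constructed.
import re
from datetime import datetime, timezone

# ManagementEvent.ManagementInterface enum from the second table.
MANAGEMENT_INTERFACE = {0: "UNKNOWN", 1: "WMI", 2: "SUDO"}

# Fields the first table types as "repeated string".
REPEATED_FIELDS = {"filters", "consumers"}


def parser_to_normalized(parser_field: str) -> str:
    """Map a parser field name such as 'clientHostnameFqdn$' to the
    normalized snake_case name 'client_hostname_fqdn'. Every row of the
    table follows this pattern: camelCase plus a trailing '$'."""
    name = parser_field.rstrip("$")
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def normalize(raw: dict) -> dict:
    """Populate only the normalized fields whose parser field is present in
    the raw record, as the schema note describes; absent parser fields leave
    the normalized field unset rather than defaulted."""
    event = {}
    for parser_field, value in raw.items():
        field = parser_to_normalized(parser_field)
        if field in REPEATED_FIELDS and not isinstance(value, list):
            value = [value]
        event[field] = value
    if "type" in event:
        # Enum number -> name; anything outside the table resolves to UNKNOWN.
        event["type"] = MANAGEMENT_INTERFACE.get(event["type"], "UNKNOWN")
    return event


def event_time(event: dict) -> datetime:
    """event_time_usec is microseconds since the Unix epoch."""
    return datetime.fromtimestamp(event["event_time_usec"] / 1_000_000, tz=timezone.utc)


def check_event(event: dict) -> list:
    """Return consistency problems found in one normalized event.

    The table says the client and target host fields differ when
    remote_operation is true and match otherwise; a record that says one
    thing in the flag and another in the hostnames should be reviewed
    before a detection keys on either."""
    problems = []
    client = event.get("client_hostname")
    target = event.get("target_hostname")
    remote = event.get("remote_operation")
    if remote is not None and client and target:
        same_host = client.lower() == target.lower()
        if remote and same_host:
            problems.append("remote_operation is true but client and target hostnames match")
        if not remote and not same_host:
            problems.append("remote_operation is false but client and target hostnames differ")
    return problems


# Constructed sample records keyed by parser field names (not real telemetry).
RAW_EVENTS = [
    {
        "sensorType$": "redcloak",
        "eventTimeUsec$": 1_700_000_000_000_000,
        "type$": 1,
        "remoteOperation$": True,
        "operationName$": "ExecQuery",
        "query$": "SELECT * FROM Win32_Process",
        "queryLanguage$": "WQL",
        "namespace$": "root\\cimv2",
        "username$": "EXAMPLE\\alice",
        "clientHostname$": "admin-ws",
        "targetHostname$": "file-srv-01",
        "filters$": "sample-filter",
    },
    {
        "sensorType$": "redcloak",
        "eventTimeUsec$": 1_700_000_001_000_000,
        "type$": 2,
        "remoteOperation$": True,  # contradicts the matching hostnames below
        "command$": "apt update",
        "username$": "bob",
        "clientHostname$": "build-01",
        "targetHostname$": "build-01",
    },
]


def review(raw_events: list) -> list:
    """Normalize each raw record and pair it with its consistency problems."""
    results = []
    for raw in raw_events:
        event = normalize(raw)
        results.append((event, check_event(event)))
    return results


if __name__ == "__main__":
    for event, problems in review(RAW_EVENTS):
        when = event_time(event).isoformat()
        print(f"{when} {event['type']} by {event['username']} "
              f"{event.get('client_hostname')} -> {event.get('target_hostname')}: "
              f"{problems or 'ok'}")
```

Because `normalize` only emits fields present in the raw record, a search on, say, `command` matches the second record and not the first, which is the behaviour the note above describes for the Normalized Data tab. The hostname check is deliberately case-insensitive, since the two host fields may be collected by different components.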