MemoryAllocation Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Data Lake Search shows only searchable fields.
memory_allocation.proto
MemoryAllocation
| Field | Type | Label | Description |
|---|---|---|---|
| resource_id | string | | Full resource string identifying the record |
| tenant_id | string | | The ID of the tenant that owns this record; specific to the CTPX ID |
| visibility | Visibility | | Constraints on visibility of the record |
| normalizer | string | | Name & version of the normalizer that created this record |
| sensor_type | string | | Ex: redcloak |
| sensor_event_id | string | | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | | Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | | Ex: redcloak-agent-id |
| sensor_cpe | string | | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | | Host ID; uniquely identifies the host where the event originated, e.g. an IPv4/IPv6 address or a device MAC address |
| protection | string | | Memory protections, represented as a string. NOTE: Inspector captures this as a uint, so it is converted |
| base_address | uint64 | | Address in memory of the allocation |
| size | uint64 | | Size of the allocation |
| executable | bool | | Whether the allocation is executable |
| file | FileInfo | | File object that backs the allocation, if any |
| captures | MemoryAllocation.AllocationCaptures | repeated | Allocation capture requests associated with the allocation, if any |
| os | OperatingSystem | | Operating system and architecture on which the memory information was captured |
| pivot | string | | Primary hunting pivot point of the data, for grouping |
MemoryAllocation.AllocationCaptures
| Field | Type | Label | Description |
|---|---|---|---|
| content | string | | Compressed, base64-encoded contents of the memory captured inside this allocation |
| requested_size | int32 | | Size of memory requested for capture (may differ from what was actually captured) |
| captured_size | int32 | | Size of what was actually captured |
| sha1 | string | | SHA-1 of the original captured memory (should match after decompression/decoding) |
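An added consistency check, not part of these schema docs or of Taegis XDR itself, that reverses the encoding the AllocationCaptures fields describe (base64, then decompression) and verifies captured_size, sha1 and partial captures, then flags executable allocations with no backing file for review. It assumes zlib compression (the schema only says "compressed"), a plain dict representation of the record, and constructed sample bytes.

```python
import base64
import hashlib
import zlib

# Constructed sample bytes standing in for a captured region (MZ header plus padding).
SAMPLE_MEMORY = b"MZ\x90\x00" + b"\x00" * 60

def make_capture(raw: bytes, requested_size: int) -> dict:
    """Build an AllocationCaptures-shaped dict; zlib is an assumption, the schema only says 'compressed'."""
    return {
        "content": base64.b64encode(zlib.compress(raw)).decode("ascii"),
        "requested_size": requested_size,
        "captured_size": len(raw),
        "sha1": hashlib.sha1(raw).hexdigest(),
    }

def decode_capture(capture: dict) -> bytes:
    """Reverse the encoding the schema describes: base64-decode, then decompress."""
    return zlib.decompress(base64.b64decode(capture["content"]))

def check_capture(capture: dict) -> list:
    """Integrity findings for one AllocationCaptures entry; an empty list means it is self-consistent."""
    try:
        raw = decode_capture(capture)
    except (ValueError, zlib.error) as exc:
        return [f"content undecodable: {exc}"]
    findings = []
    if len(raw) != capture["captured_size"]:
        findings.append(f"captured_size {capture['captured_size']} != decoded length {len(raw)}")
    if hashlib.sha1(raw).hexdigest() != capture["sha1"].lower():
        findings.append("sha1 mismatch after decompression/decoding")
    if capture["captured_size"] < capture["requested_size"]:
        findings.append(f"partial capture: {capture['captured_size']} of {capture['requested_size']} bytes")
    return findings

def check_allocation(alloc: dict) -> list:
    """Run check_capture over every capture and flag executable memory with no backing file for review."""
    findings = []
    for i, cap in enumerate(alloc.get("captures", [])):
        findings += [f"captures[{i}]: {msg}" for msg in check_capture(cap)]
    if alloc.get("executable") and not alloc.get("file"):
        findings.append("executable allocation with no backing file (review)")
    return findings

# Constructed MemoryAllocation record: a 4 KiB executable region of which 64 bytes were captured.
SAMPLE_ALLOCATION = {"base_address": 0x7FF600000000, "size": 4096, "executable": True,
                     "file": None, "captures": [make_capture(SAMPLE_MEMORY, requested_size=4096)]}
```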