| resource_id |
string |
resourceId$ |
Full resource string identifying the record |
| tenant_id |
string |
tenantId$ |
The ID of the tenant that owns this specific to CTPX ID |
| sensor_type |
string |
sensorType$ |
Type of device that generated this event. Ex: redcloak |
| sensor_event_id |
string |
sensorEventId$ |
Event ID of original_data assigned by the sensor |
| sensor_tenant |
string |
sensorTenant$ |
A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id |
string |
sensorId$ |
An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe |
string |
sensorCpe$ |
CPE of the platform producing the alert.
Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data |
string |
originalData$ |
Original, unadulterated data prior to any transformation. |
| event_time_usec |
uint64 |
eventTimeUsec$ |
Event time in microseconds (µs) |
| ingest_time_usec |
uint64 |
ingestTimeUsec$ |
Ingest time in microseconds (µs). |
| event_time_fidelity |
TimeFidelity |
eventTimeFidelity$ |
Specifies the original precision of the time used to populate event_time_usec |
| host_id |
string |
hostId$ |
Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| sensor_version |
string |
sensorVersion$ |
The agent version as string. |
| process_id |
string |
processId$ |
Identifier provided by the OS for the running process |
| parent_process_id |
string |
parentProcessId$ |
Process ID of the parent |
| process_correlation_id |
string |
processCorrelationId$ |
Process correlation ID to protect against rolling IDs redcloak -- host_id:id.pid:id.time_window |
| parent_process_correlation_id |
string |
parentProcessCorrelationId$ |
Process correlation ID to protect against rolling IDs redcloak -- host_id:parent_id.pid:parent_id.time_window |
| parent_create_time_usec |
uint64 |
parentCreateTimeUsec$ |
Create time of parent in µs |
| image_path |
string |
imagePath$ |
Path of the process binary |
| commandline |
string |
commandline$ |
Full command line executing the binary |
| commandline_decoded |
string |
commandlineDecoded$ |
If set, the decoded version of the full command line executing the binary |
| commandline_decoder |
repeated string |
commandlineDecoder$ |
If set, the decoders used to decode the command line |
| username |
string |
username$ |
User that initiated the application |
| process |
string |
process$ |
The host where the process is running |
| program_hash |
Process.Hash |
processHash$ |
Hash of the program binary |
| user_is_admin |
bool |
userIsAdmin$ |
Is process executed by an admin user |
| process_is_admin |
bool |
processIsAdmin$ |
Is process running with admin privileges |
| was_blocked |
bool |
wasBlocked$ |
Did Redcloak endpoint block the process from running? |
| computer_name |
string |
computerName$ |
The hostname or name of device where the process is running |
| host_program |
Process.FileInfo |
hostProgram$ |
Information about the host program (e.g. cmd.exe). This will be the details on file identified in the 'image_path' field. |
| target_program |
Process.FileInfo |
targetProgram$ |
Information about the target file (e.g. foo.bat). This will be present when a host program is identified with a known file target that presents an opportunity for collection of additional file details. |
| parent_image_path |
string |
parentImagePath$ |
Image path of the parent |
| process_timewindow |
uint64 |
processTimewindow$ |
truncated timewindow of process |
| parent_timewindow |
uint64 |
parentTimewindow$ |
truncated timewindow of parent process |
| os |
OperatingSystem |
\(os.\)os |
operating system, architecture on which process executed |
| hidden |
Process.Hidden |
hidden$ |
Whether the process is hidden from "normal" view |
| process_create_time_usec |
uint64 |
processCreateTimeUsec$ |
time this process was created |
| pivot |
string |
pivot$ |
primary hunting pivot point of the data for grouping |
| external_uris |
repeated ExternalURI |
externalUris |
A list of external URIs that may contain additional information such as the event source. |