ProcessModule Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
process_module.proto
ProcessModule
Base event
| Field | Type | Label | Description |
|---|---|---|---|
| resource_id | string | | Full resource string identifying the record |
| tenant_id | string | | The ID of the tenant that owns this record (specific to the CTPX ID) |
| visibility | Visibility | | Constraints on visibility of the record |
| normalizer | string | | Name and version of the normalizer that created this record |
| sensor_type | string | | Ex: redcloak |
| sensor_event_id | string | | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | | Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | | Ex: redcloak-agent-id |
| sensor_cpe | string | | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | | Original, unadulterated data prior to any transformation |
| event_time_usec | uint64 | | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | | Ingest time in microseconds (µs) |
| event_time_fidelity | TimeFidelity | | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | | Host ID; uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| sensor_version | string | | The agent version as a string |
| normalizer_version | string | | The normalizer version (git tag) |
| normalizer_revision | string | | The normalizer revision (git commit hash) |
| process_id | string | | ID of the hosting process |
| base_address | uint64 | | Memory address where the module is loaded |
| file | FileInfo | | File backing the module, if any |
| process_create_time_usec | uint64 | | Create time of process that modified the file in µs |
| commandline | string | | Full command line of process that made the file modification |
| process_correlation_id | string | | Process correlation ID to protect against rolling IDs (redcloak format: host_id:id.pid:id.time_window) |
| module_action | string | | Action of the module load |
| process_username | string | | User name of the process |
| process_account_name | string | | Account name of the process |
| prcess_windows_sid | string | | Windows SID, if any |
| process_file | FileInfo | | Process file, if any |
| parent_process_id | string | | Parent process ID |
| parent_create_time_usec | uint64 | | Create time of parent process |
| parent_process_file | FileInfo | | Parent process file, if any |
| sensor_action | string | | Sensor action |
| pivot | string | | Primary hunting pivot point of the data for grouping |
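Worked example, added here and not Secureworks code, of how a parser might populate this schema from a constructed raw module-load event so that a field is emitted only when its source exists in the original data (the rule stated in the note above). The raw key names, the normalizer name, the FileInfo subset and the TimeFidelity value are assumptions.

```python
import json
from datetime import datetime

# Constructed raw module-load event; raw-side key names are assumptions.
# It deliberately carries no user/account fields.
RAW_EVENT = {
    "event_id": "evt-0001",
    "host": "10.0.0.5",
    "timestamp": "2024-01-15T10:30:00Z",          # second precision only
    "pid": "4242",
    "process_start": "2024-01-15T10:29:58Z",
    "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "module_path": "C:\\Windows\\System32\\wininet.dll",
    "base_address": "0x7ff8a0000000",
    "action": "load",
}

def to_usec(iso: str) -> int:
    # ISO-8601 UTC timestamp -> microseconds since the epoch (event_time_usec unit)
    return int(datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()) * 1_000_000

def normalize(raw: dict, tenant_id: str, sensor_id: str) -> dict:
    """Map raw keys onto ProcessModule fields. A schema field is emitted only
    when its source key exists, mirroring what becomes searchable in XDR."""
    out = {
        "tenant_id": tenant_id,
        "sensor_type": "redcloak",
        "sensor_id": sensor_id,
        "normalizer": "process_module_example/0.1",   # assumed name/version
        "original_data": json.dumps(raw, sort_keys=True),
        "event_time_fidelity": "SECOND",               # assumed enum value
    }
    mapping = [  # (raw key, schema field, converter)
        ("event_id", "sensor_event_id", str),
        ("host", "host_id", str),
        ("timestamp", "event_time_usec", to_usec),
        ("pid", "process_id", str),
        ("process_start", "process_create_time_usec", to_usec),
        ("cmdline", "commandline", str),
        ("base_address", "base_address", lambda v: int(v, 16)),
        ("action", "module_action", str),
        ("user", "process_username", str),   # absent in RAW_EVENT -> not emitted
    ]
    for src, dst, conv in mapping:
        if src in raw:
            out[dst] = conv(raw[src])
    if "module_path" in raw:
        out["file"] = {"path": raw["module_path"]}   # FileInfo subset (assumption)
    if all(k in out for k in ("host_id", "process_id", "process_create_time_usec")):
        # host:pid:create-time guards against a PID being reused on the same host
        out["process_correlation_id"] = f"{out['host_id']}:{out['process_id']}:{out['process_create_time_usec']}"
    return out
```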