Script Block Schema🔗
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resoureId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this specific to CTPX ID |
| visibility | Visibility | visibility$ | Constraints on visibility of the record |
| normalizer | string | normalizer$ | Name & version of normalizer that created this record |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | IngestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| process_id | string | processId$ | Identifier provided by the OS for the running process |
| process_create_time_usec | uint64 | parentCreateTimeUsec$ | Create time of process in µs |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID to protect against rolling IDs |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| normalizer_version | string | normalizerVersion$ | The normalizer version (git tag) |
| normalizer_revision | string | normalizerRevision$ | The normalizer revision (git commit hash) |
| os | OperatingSystem | \(os.\)os | Operating system, architecture of the user's machine |
| enrichments | Enrichments | enrichments$ | Event enrichments |
| interpreter_name | string | interpreterName$ | Normalized name of interpreter (e.g. python2, python3, bash, powershell, etc.) |
| interpreter_path | string | interpreterArgs$ | Full path to interpreter (e.g. /usr/bin/python) as given by interpreter line if applicable |
| interpreter_args | string | repeated | Set of interpreter args as given by interpreter line if applicable |
| decoders | string | repeated | List of decoders applied to block contents |
| decoded_block_text | string | decodedBlockTest$ | The decoded block text. If no decoding was performed this will be the same as original_script_block |
| original_script_block | string | originalScriptBlock$ | The original script, before any decoding was performed. |
| original_block_hash | string | originalBlockHash$ | The hash of original_script_block |
| decoded_block_hash | string | decodedBlockHash$ | SHA1 hash of decoded_block_hash |
| decoded_block_base64 | bool | decodedBlockBase64$ | Whether or not the script block_text is base64 encoded |
| decoded_block_truncated | bool | decodedBlockTruncated$ | Whether or not the script block_text exceeded our truncation limit and was truncated as a result |
| script_name | string | scriptName$ | The name of the script if it has one |