Taegis Endpoint Agent Detection Schema
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resoureId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record (specific to the CTPX ID) |
| visibility | Visibility | visibility$ | Constraints on visibility of the record |
| normalizer | string | normalizer$ | Name & version of normalizer that created this record |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | IngestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated. e.g. IPv(4/6) address; Device Mac Address |
| process_id | string | processId$ | Identifier provided by the OS for the running process |
| process_create_time_usec | uint64 | parentCreateTimeUsec$ | Create time of process in µs |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID to protect against rolling IDs |
| image_path | string | imagePath$ | Path of the process binary |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| normalizer_version | string | normalizerVersion$ | The normalizer version (git tag) |
| normalizer_revision | string | normalizerRevision$ | The normalizer revision (git commit hash) |
| os | OperatingSystem | \(os.\)os | Operating system, architecture of the user's machine |
| enrichments | Enrichments | enrichments$ | Event enrichments |
| detection_category | DetectionCategory | | High-level detection category |
| detection_type | DetectionType | | Specific detection observed |
| summary | string | summary$ | Concise one-line summary of detection |
| kernel_context | KernelContext | | Kernel details |
| execution_context | ExecutionContext | | Process execution/memory details |
| registry_context | RegistryContext | | Registry details |
| file_system_context | FileSystemContext | | File system/volume details if applicable |
| container_context | ContainerContext | | Container context if applicable |
| redirection_context | RedirectionContext | | Redirection context if applicable |
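The following is an added example, not Secureworks or Taegis code, showing how a consumer of this schema would check a detection record against the normalized fields above, convert the microsecond timestamps, and group detections by process_correlation_id rather than the OS process_id (which the schema notes can roll over). The records are constructed samples: field names follow the table, but every value (tenant, host, event IDs, timestamps) is made up for illustration.

```python
"""Added example: validate Taegis Endpoint Agent Detection records and
correlate them by process_correlation_id. Not Secureworks/Taegis code;
the sample records below are constructed, not real detections."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Scalar normalized fields from the schema table -> expected JSON type.
# uint64 fields arrive as integers; enum/message-typed fields (Visibility,
# TimeFidelity, OperatingSystem, *_context) are not type-checked here.
SCALAR_FIELDS = {
    "resource_id": str, "tenant_id": str, "normalizer": str, "sensor_type": str,
    "sensor_event_id": str, "sensor_tenant": str, "sensor_id": str, "sensor_cpe": str,
    "original_data": str, "event_time_usec": int, "ingest_time_usec": int,
    "host_id": str, "process_id": str, "process_create_time_usec": int,
    "process_correlation_id": str, "image_path": str, "sensor_version": str,
    "normalizer_version": str, "normalizer_revision": str, "summary": str,
}
# Assumption for this example: the minimum a downstream rule needs to act on.
REQUIRED = ("tenant_id", "host_id", "event_time_usec", "summary")

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def usec_to_datetime(usec: int) -> datetime:
    """event_time_usec / ingest_time_usec are microseconds since the Unix epoch.
    timedelta keeps full microsecond precision; a float division would not."""
    return EPOCH + timedelta(microseconds=usec)


def validate(record: dict) -> list:
    """Return a list of problems; an empty list means the record is well-formed."""
    problems = []
    for name in REQUIRED:
        if name not in record:
            problems.append(f"missing required field {name}")
    for name, typ in SCALAR_FIELDS.items():
        if name in record and not isinstance(record[name], typ):
            problems.append(f"{name}: expected {typ.__name__}, got {type(record[name]).__name__}")
    # A record cannot be ingested before the event it describes occurred.
    ev, ing = record.get("event_time_usec"), record.get("ingest_time_usec")
    if isinstance(ev, int) and isinstance(ing, int) and ing < ev:
        problems.append("ingest_time_usec earlier than event_time_usec")
    return problems


def correlate_by_process(records, use_correlation_id=True) -> dict:
    """Group sensor_event_ids by process. With use_correlation_id=True the key is
    process_correlation_id (stable across PID reuse); with False it is the naive
    host_id:process_id key, which merges unrelated processes that reused a PID."""
    groups = defaultdict(list)
    for r in records:
        if use_correlation_id and r.get("process_correlation_id"):
            key = r["process_correlation_id"]
        else:
            key = f"{r.get('host_id')}:{r.get('process_id')}"
        groups[key].append(r["sensor_event_id"])
    return dict(groups)


# Constructed sample records (illustrative values only). evt-b1 reuses PID 4412
# on the same host after the first process exited; evt-bad is deliberately broken.
SAMPLE_JSON = """[
 {"resource_id": "example/tenants/0001/detections/a1", "tenant_id": "0001",
  "sensor_type": "redcloak", "sensor_event_id": "evt-a1", "sensor_tenant": "example-domain",
  "sensor_id": "agent-0001", "sensor_cpe": "cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:*",
  "original_data": "{}", "event_time_usec": 1700000000000000, "ingest_time_usec": 1700000005000000,
  "host_id": "host-01", "process_id": "4412", "process_create_time_usec": 1699999990000000,
  "process_correlation_id": "corr-aaa", "image_path": "/bin/bash", "summary": "suspicious shell"},
 {"resource_id": "example/tenants/0001/detections/a2", "tenant_id": "0001",
  "sensor_event_id": "evt-a2", "event_time_usec": 1700000001000000, "ingest_time_usec": 1700000006000000,
  "host_id": "host-01", "process_id": "4412", "process_create_time_usec": 1699999990000000,
  "process_correlation_id": "corr-aaa", "image_path": "/bin/bash", "summary": "credential file read"},
 {"resource_id": "example/tenants/0001/detections/b1", "tenant_id": "0001",
  "sensor_event_id": "evt-b1", "event_time_usec": 1700000100000000, "ingest_time_usec": 1700000105000000,
  "host_id": "host-01", "process_id": "4412", "process_create_time_usec": 1700000099000000,
  "process_correlation_id": "corr-bbb", "image_path": "/usr/bin/curl", "summary": "outbound download"},
 {"resource_id": "example/tenants/0001/detections/bad", "tenant_id": "0001",
  "sensor_event_id": "evt-bad", "event_time_usec": 1700000200000000, "ingest_time_usec": 1700000100000000,
  "host_id": "host-01", "process_id": "7", "process_correlation_id": "corr-ccc"}
]"""
SAMPLE_RECORDS = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["sensor_event_id"], usec_to_datetime(rec["event_time_usec"]).isoformat(),
              validate(rec) or "ok")
    print("by correlation id:", correlate_by_process(SAMPLE_RECORDS[:3]))
    print("by pid (wrong):   ", correlate_by_process(SAMPLE_RECORDS[:3], use_correlation_id=False))
```

Grouping by process_correlation_id keeps evt-b1 separate from evt-a1/evt-a2 even though all three carry process_id 4412 on the same host; the naive host:pid key collapses them into one process, which is exactly the rolling-ID problem the field exists to avoid. The ingest-before-event check is a cheap sanity test for clock or pipeline problems, not a schema rule.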