Taegis Endpoint Agent Detection Schema
Note
Schema docs show the fields available for normalization. For a schema field to be populated in XDR, its corresponding field defined in the parser must exist in the original data. Normalized data shows in the Normalized Data tab of events and is searchable in XDR only if the corresponding field exists in the original data. The Schema Library in Advanced Search shows only searchable fields.
| Normalized Field | Type | Parser Field | Description |
|---|---|---|---|
| resource_id | string | resoureId$ | Full resource string identifying the record |
| tenant_id | string | tenantId$ | The ID of the tenant that owns this record, specific to the CTPX ID |
| visibility | Visibility | visibility$ | Constraints on visibility of the record |
| normalizer | string | normalizer$ | Name & version of normalizer that created this record |
| sensor_type | string | sensorType$ | Type of device that generated this event. Ex: redcloak |
| sensor_event_id | string | sensorEventId$ | Event ID of original_data assigned by the sensor |
| sensor_tenant | string | sensorTenant$ | A customer ID supplied by the application that originated the data. Ex: redcloak-domain, ctp-client-id |
| sensor_id | string | sensorId$ | An ID for the data supplied by the application that originated it. Ex: redcloak-agent-id |
| sensor_cpe | string | sensorCpe$ | CPE of the platform producing the alert. Example: cpe:2.3:a:secureworks:redcloak:*:*:*:*:*:*:* |
| original_data | string | originalData$ | Original, unadulterated data prior to any transformation. |
| event_time_usec | uint64 | eventTimeUsec$ | Event time in microseconds (µs) |
| ingest_time_usec | uint64 | IngestTimeUsec$ | Ingest time in microseconds (µs). |
| event_time_fidelity | TimeFidelity | eventTimeFidelity$ | Specifies the original precision of the time used to populate event_time_usec |
| host_id | string | hostId$ | Host ID -- uniquely identifies the host where the event originated, e.g. IPv4/IPv6 address or device MAC address |
| process_id | string | processId$ | Identifier provided by the OS for the running process |
| process_create_time_usec | uint64 | parentCreateTimeUsec$ | Create time of process in µs |
| process_correlation_id | string | processCorrelationId$ | Process correlation ID to protect against rolling IDs |
| image_path | string | imagePath$ | Path of the process binary |
| sensor_version | string | sensorVersion$ | The agent version as string. |
| normalizer_version | string | normalizerVersion$ | The normalizer version (git tag) |
| normalizer_revision | string | normalizerRevision$ | The normalizer revision (git commit hash) |
| os | OperatingSystem | (os.)os | Operating system and architecture of the user's machine |
| enrichments | Enrichments | enrichments$ | Event enrichments |
| detection_category | DetectionCategory | | High-level detection category |
| detection_type | DetectionType | | Specific detection observed |
| summary | string | summary$ | Concise one-line summary of detection |
| kernel_context | KernelContext | | Kernel details |
| execution_context | ExecutionContext | | Process execution/memory details |
| registry_context | RegistryContext | | Registry details |
| file_system_context | FileSystemContext | | File system/volume details if applicable |
| container_context | ContainerContext | | Container context if applicable |
| redirection_context | RedirectionContext | | Redirection context if applicable |
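The note at the top of this page states that a normalized field is populated, and therefore searchable, only when its parser field exists in the original data. The following added example (not Secureworks or Taegis code) shows that rule as a small normalizer over a subset of the table: it maps parser fields to normalized fields, coerces values to the declared `string` or `uint64` type, and leaves out any field whose parser field is missing. The flat dict layout of the parser output, the `SAMPLE_PARSED` record and all values in it are constructed for illustration and are assumptions, not real telemetry.

```python
"""Illustrative normalizer for the Endpoint Agent Detection schema table above.

Added example, not Secureworks code. It assumes parser output is a flat dict keyed
by the Parser Field names from the table (trailing "$" included) and that a
normalized record is a plain dict; both are assumptions made for illustration.
"""
from typing import Any, Dict, List, Tuple

# Subset of the schema table: normalized field -> (parser field, declared type).
# Nested types (Visibility, OperatingSystem, ...) are left out to keep the example flat.
SCHEMA: Dict[str, Tuple[str, str]] = {
    "resource_id": ("resoureId$", "string"),
    "tenant_id": ("tenantId$", "string"),
    "sensor_type": ("sensorType$", "string"),
    "sensor_event_id": ("sensorEventId$", "string"),
    "sensor_id": ("sensorId$", "string"),
    "original_data": ("originalData$", "string"),
    "event_time_usec": ("eventTimeUsec$", "uint64"),
    "ingest_time_usec": ("IngestTimeUsec$", "uint64"),
    "host_id": ("hostId$", "string"),
    "process_id": ("processId$", "string"),
    "image_path": ("imagePath$", "string"),
    "summary": ("summary$", "string"),
}

UINT64_MAX = 2**64 - 1


def coerce(value: Any, declared_type: str) -> Any:
    """Convert a raw parser value to the schema's declared type, rejecting out-of-range numbers."""
    if declared_type == "string":
        return str(value)
    if declared_type == "uint64":
        n = int(value)
        if not 0 <= n <= UINT64_MAX:
            raise ValueError(f"value {n} does not fit in uint64")
        return n
    raise ValueError(f"unsupported declared type: {declared_type}")


def normalize(parsed: Dict[str, Any]) -> Dict[str, Any]:
    """Populate only the normalized fields whose parser field exists in the parsed data.

    A parser field that is absent from the original data is skipped entirely, so the
    normalized field is neither populated nor searchable, matching the note above.
    """
    record: Dict[str, Any] = {}
    for normalized_name, (parser_name, declared_type) in SCHEMA.items():
        if parser_name not in parsed:
            continue
        record[normalized_name] = coerce(parsed[parser_name], declared_type)
    return record


def searchable_fields(record: Dict[str, Any]) -> List[str]:
    """Fields that would appear in the Normalized Data tab and be searchable: exactly the populated ones."""
    return sorted(record)


# Constructed sample parser output (assumption, not real telemetry). hostId$, processId$,
# imagePath$ and sensorId$ are deliberately missing to show that they stay unpopulated.
SAMPLE_PARSED: Dict[str, Any] = {
    "resoureId$": "example-resource/EXAMPLE-ID",
    "tenantId$": "tenant-EXAMPLE",
    "sensorType$": "redcloak",
    "sensorEventId$": "evt-0001",
    "originalData$": '{"summary": "sample detection"}',
    "eventTimeUsec$": "1700000000000000",   # string in the raw data, coerced to uint64
    "IngestTimeUsec$": 1700000005000000,
    "summary$": "sample detection",
}


if __name__ == "__main__":
    normalized = normalize(SAMPLE_PARSED)
    print("searchable:", searchable_fields(normalized))
    print("host_id populated:", "host_id" in normalized)
```

Run it and the four fields whose parser fields were left out of `SAMPLE_PARSED` (`host_id`, `process_id`, `image_path`, `sensor_id`) are absent from the result, while the string-typed `eventTimeUsec$` is coerced to an integer because the table declares `event_time_usec` as `uint64`.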