Field Name |
Mode |
Data Type |
Fields mode |
Fields name |
DATA TYPE |
Description |
Action / Type reminder |
Suffix |
Guid |
---|---|---|---|---|---|---|---|---|---|
action_app_id_transitions |
REPEATED |
STRING |
List of application ID transitions. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
38382968-6b2b-431a-88a6-9647fc415795 |
||||
action_boot_instance_cleanup_required |
NULLABLE |
BOOLEAN |
Indicates whether or not the agent can clean up open instances from a previous computer restart. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
c7b33cbe-fe29-4aeb-8ca1-9f543a815ff5 |
||||
action_boot_time |
NULLABLE |
INTEGER |
Computer boot time in ms since epoch time. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ca00bf44-a48d-48b3-98da-eb363116f3a0 |
||||
action_country |
NULLABLE |
STRING |
The destination country of network connections, which is based on the remote IP and GeoLocation enrichment. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1c94d2c7-8073-4e2d-ae46-ab75e4e84630 |
||||
action_device_bus_type |
NULLABLE |
INTEGER |
For the action, the origin of the device bus type (USB). |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
values translation: (1) USB |
d29b5fb3-b60b-4a0e-8d27-3d85d0d4d1c9 |
|||
action_device_class_guid |
NULLABLE |
STRING |
Device setup class GUID. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4bdff7e3-4039-42b7-ace9-d81a444f1a9b |
||||
action_device_class_name |
NULLABLE |
STRING |
Device setup class internal friendly name. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
f34d38d8-11d2-4a99-a4f7-8b307b97ee8c |
||||
action_device_usb_port_connectable |
NULLABLE |
BOOLEAN |
Indicates whether or not a user can connect to the USB port that the device is connected to. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1360c3a9-382d-421e-b1d0-5b4c26ebc7db |
||||
action_device_usb_product_id |
NULLABLE |
INTEGER |
USB device product ID. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b3457b4c-64ee-48c5-a980-431b67ee8686 |
||||
action_device_usb_serial_number |
NULLABLE |
STRING |
USB device serial number. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b12938d5-a7bb-4373-88ab-d7b17a020310 |
||||
action_device_usb_vendor_id |
NULLABLE |
INTEGER |
USB vendor ID. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a1cbb3f8-27c4-4e6a-8bb6-c21b570c4fd4 |
||||
action_download |
NULLABLE |
INTEGER |
Number of downloaded bytes in the last window of time. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
af9f77d4-998d-4705-9cb5-5b776363419a |
||||
action_evtlog_data_fields |
NULLABLE |
STRING |
Event log data fields in a JSON array. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
344a2221-e1ba-4d1d-8525-480e25831777 |
||||
action_evtlog_description |
NULLABLE |
STRING |
Event log description. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b594c217-f586-4dbc-82c3-946e6294b0d6 |
||||
action_evtlog_event_id |
NULLABLE |
INTEGER |
Event log event ID. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
e7478d92-e97f-4336-83e3-dabf89371832 |
||||
action_evtlog_level |
NULLABLE |
INTEGER |
Event log severity level. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
vaues translation: (1)Critical (2)Error (3)Warning (4)Info (5)Verbose |
3ad06750-d6b2-43a0-97f1-3e383da7433c |
|||
action_evtlog_message |
NULLABLE |
STRING |
Event log message field - summary of the event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b35fa37f-e99b-40ea-b2b8-88b18cc6f097 |
||||
action_evtlog_opcode |
NULLABLE |
INTEGER |
Event provider specific information, usually similar to "action_evtlog_level". |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b82f8c21-684b-4cca-ad47-9d9908be8484 |
||||
action_evtlog_pid |
NULLABLE |
INTEGER |
Process ID given in the event-log event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
236dbc47-f89d-4e11-81d5-0b25a2ff6080 |
||||
action_evtlog_provider_guid |
NULLABLE |
STRING |
Provider GUID |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
d00a3244-068a-4198-acf4-f56c303a1e6d |
||||
action_evtlog_provider_name |
NULLABLE |
STRING |
Windows: Provider name, such as Service Control Manager. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4008df20-cbbb-4afa-b4fb-4d94e0df46eb |
||||
action_evtlog_raw_params |
NULLABLE |
STRING |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
861d895d-71dd-4a6a-923b-6d4eb315a893 |
|||||
action_evtlog_record_id |
NULLABLE |
STRING |
Unique ID of this event-log record in the computer's event-log. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
fa713be1-923c-4d61-b0ae-8b2ace10bb0d |
||||
action_evtlog_source |
NULLABLE |
INTEGER |
Method used to get the event log. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
81819219-18b7-45a1-a9ea-8662b35d90a8 |
||||
action_evtlog_tid |
NULLABLE |
INTEGER |
Thread ID given in the event-log event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
d8dc13dd-6129-43e6-b973-16a00cccd195 |
||||
action_evtlog_uid |
NULLABLE |
STRING |
User ID given in the event-log event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1cd396f1-937c-4e34-b2c5-273964c2eabe |
||||
action_evtlog_username |
NULLABLE |
STRING |
User ID translation of username. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
eb9cd114-6a75-4a9f-a874-e95cee94ed54 |
||||
action_evtlog_version |
NULLABLE |
INTEGER |
Version of the event log record (private to provider/channel). |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ce271439-083f-4d43-9150-152c6632487c |
||||
action_external_hostname |
NULLABLE |
STRING |
The hostname the endpoint connects to. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2f2a7b3d-ea91-44aa-977e-e8a4a6cc29d1 |
||||
action_external_port |
NULLABLE |
INTEGER |
The external port of the initiated communication. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
25317085-9507-4c98-a416-8581a8d84301 |
||||
action_file_access_time |
NULLABLE |
INTEGER |
The action file access timestamp. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
0444649c-9625-4d9e-8a31-8c24d866cd1a |
||||
action_file_archive_list |
RECORD |
Only valid if the file is a ZIP file and the event collection is enabled in the policy. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
61609d5a-57af-4e6e-a1d8-f21243569ed5 |
|||||
action_file_attributes |
NULLABLE |
INTEGER |
Windows: Bitmask of FILE_ATTRIBUTE_* attributes, which is only relevant for some subtypes. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2dbc0285-62db-4426-a133-cd9d933fd18d |
||||
action_file_authenticode_sha1 |
NULLABLE |
STRING |
SHA-1 (Secure Hash Algorithm 1) of the file signature authenticode. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
21901e7a-59f9-4cba-9669-0f8803dd2c07 |
||||
action_file_authenticode_sha2 |
NULLABLE |
STRING |
SHA-2 (Secure Hash Algorithm 2) of the file signature authenticode. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2402df3f-6d99-4f53-8cf2-8074a8844fda |
||||
action_file_create_time |
NULLABLE |
INTEGER |
The action file create timestamp. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
8e621438-878f-4164-9584-4469ada42070 |
||||
action_file_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
use to_json_string prior to filtering/altering this field |
ee843e17-0d31-4305-8d29-c7776971dc97 |
|
action_file_device_type |
NULLABLE |
INTEGER |
Windows: An enum representing the device type for this file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
bf5e9a77-398e-46df-8be5-0f35e8580053 |
||||
action_file_dir_query |
NULLABLE |
STRING |
The query string given to the "query directory" operation. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
744fd921-6ab1-48d7-882a-7c778de9c63e |
||||
action_file_dirty_reason |
NULLABLE |
INTEGER |
Only valid for sub_type = 6 (write) when a non-null file_size is provided. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b9d70695-a4c9-45b2-bfe7-1602bd4caec4 |
||||
action_file_entropy |
NULLABLE |
STRING |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
54efba88-80c8-4697-b4e8-20383e3b3419 |
|||||
action_file_extension |
NULLABLE |
STRING |
File extension of action_file_path. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4c99b491-8eb6-4c09-b759-0b72b9459daf |
||||
action_file_group |
NULLABLE |
STRING |
Linux & MacOS: The new group of the file (user_id). |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
93339647-7bc6-4900-8313-68abf89e772d |
||||
action_file_group_name |
NULLABLE |
STRING |
Name assigned to action_file_group (username). |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
6b41b6b8-91b3-4a37-b40d-eedc14b2f29f |
||||
action_file_hash_control_verdict |
NULLABLE |
STRING |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
75634f3b-5033-4ac2-8909-14bb30e687a9 |
||||
action_file_id |
NULLABLE |
STRING |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2c5d76b4-b017-458f-82b6-6a7eecee3824 |
||||
action_file_info_company |
NULLABLE |
STRING |
Company listed in the file information section of the file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2ebcfcd9-7a14-4d94-b122-c2275f9e39e6 |
||||
action_file_info_description |
NULLABLE |
STRING |
Description listed in the file information section of the file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
9f215261-572a-4f8d-8fa6-5efb9085c149 |
||||
action_file_info_file_version |
NULLABLE |
STRING |
File version listed in the file information section of the file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a53b23ab-308c-48a3-99ba-4217ea251379 |
||||
action_file_info_product_name |
NULLABLE |
STRING |
Product name listed in the file information section of the file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
9b9be54d-c02a-4e5d-89e2-5cb5687f91da |
||||
action_file_info_product_version |
NULLABLE |
STRING |
Production version listed in the file information section of the file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
c52fcf88-ada3-4d2a-a712-7683ce164c16 |
||||
action_file_internal_meta_data |
NULLABLE |
STRING |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
be354c4a-f0b9-41d3-9311-61744f4fc10e |
||||
action_file_internal_zipped_files |
NULLABLE |
STRING |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
995c28d7-f52e-4210-abee-ecf4fb0e6b67 |
||||
action_file_md5 |
NULLABLE |
STRING |
The action file hash value in MD5. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ddf82c47-25c4-4413-b760-839b485c3ece |
||||
action_file_mod_time |
NULLABLE |
INTEGER |
The action file modification timestamp. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ea8f3e0e-0e56-42e8-b4d8-4a69a16977cd |
||||
action_file_mode |
NULLABLE |
RECORD |
NULLABLE |
group_executable |
BOOLEAN |
A representation of the standard UNIX file permissions mask. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
cd8bc309-e749-4a1f-8131-30da7b7e828a |
|
action_file_name |
NULLABLE |
STRING |
The file name of action_file_path, which is an empty string for directory operations. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
56cf4b60-6b88-4f9b-907a-41b79c472ad8 |
||||
action_file_new_file_for_loaded_dll |
NULLABLE |
STRING |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
377e8903-4b23-4b6e-9ec7-3a60b981b4b2 |
||||
action_file_original_event_id |
NULLABLE |
STRING |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b2fcf2a5-f648-40d1-9863-96552500e1b5 |
||||
action_file_owner |
NULLABLE |
STRING |
The new owner of the file according to the user_id. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
48ed6423-0c0e-4238-94c2-bb5c418b4371 |
||||
action_file_owner_name |
NULLABLE |
STRING |
The new owner of the file according to the username. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b40d7699-73e0-4909-9991-cc212d7c1825 |
||||
action_file_path |
NULLABLE |
STRING |
The path of the file in use. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ccde8c94-b582-4338-85a2-cc02f667e988 |
||||
action_file_prev_type |
INTEGER |
Before the current write, the previous file type, which is based only on the content of the file. This information can be used to detect header changes. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
32c5f76c-16e5-4cfc-bcd3-0b69ec476eae |
|||||
action_file_previous_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
c6a6b025-bbe8-4886-a7e5-00da71e11b51 |
||
action_file_previous_file_extension |
NULLABLE |
STRING |
File extension of 'action_file_previous_file_path'. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
0fc41c6f-fbb3-4111-9916-51bb1d11dd1a |
||||
action_file_previous_file_name |
NULLABLE |
STRING |
File name of 'action_file_previous_file_path', which is an empty string for directory operations. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
352cff45-955c-4ce9-960f-4f978f8834b9 |
||||
action_file_previous_file_path |
NULLABLE |
STRING |
The previous path of the file in use. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
28bf57a1-6496-48c5-ba31-b5d19d1cd2cb |
||||
action_file_remote_file_host |
NULLABLE |
STRING |
This is valid when Cortex XDR/XSIAM accesses a file on a remote computer. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
749af0c2-682e-4044-aba8-76a67dfe7e7b |
||||
action_file_remote_file_ip |
NULLABLE |
STRING |
This is valid when a remote computer accesses a file on this endpoint. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
8d6ee4a4-1120-4414-9841-0da538e04405 |
||||
action_file_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
60820ae6-16bc-4b0e-8470-6f3686082a7c |
||||
action_file_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
0e015b49-2757-4317-9043-464125428d36 |
||||
action_file_reparse_path |
STRING |
Only valid for sub_type = 1/2 (create_new/open). Provides the reparse path if the file was opened through a reparse point. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
60f1da98-656d-4f14-aef1-9373329e1703 |
|||||
action_file_sec_desc |
NULLABLE |
STRING |
Windows: Security descriptor of the file in SDDL. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
bd1ec627-0e52-4fd4-95fe-97059bd7d8a2 |
||||
action_file_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a6968a0f-28c8-406e-a49b-d0072f9c9946 |
||||
action_file_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
8e37edb9-12e0-4d7d-b262-68fa9f7c2cd8 |
||||
action_file_signature_status |
NULLABLE |
INTEGER |
The signature status of the file in use. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
491293fe-b887-4170-b9a4-535e073d2698 |
||||
action_file_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
61f6beb2-37d6-4f29-b6d2-33cdd00ecb30 |
||||
action_file_size |
NULLABLE |
INTEGER |
Size of the file undergoing the process in bytes. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
6aab5750-b2d3-4ee5-817d-64399b6300f0 |
||||
action_file_suspicious_strings_bitmap |
NULLABLE |
INTEGER |
Bitmap of suspicious strings found in file content. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
5f624b7e-27f2-4643-9635-3b1bcda9b389 |
||||
action_file_type |
NULLABLE |
INTEGER |
Partial file type recognizer. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
775c8784-5006-4193-83d8-4033c2d7d37b |
||||
action_file_type_changedaction_file_id |
NULLABLE |
INTEGER |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
bdafdbec-1300-4602-a813-6df645c66086 |
||||
action_file_type_prev |
NULLABLE |
INTEGER |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
e6ab8f0d-790f-4b9e-97f3-3124053bcd67 |
|||||
action_file_wildfire_verdict |
NULLABLE |
STRING |
DEPRECATED |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
6fe27008-d2a6-4858-932d-78e58475079f |
||||
action_firewall_direction |
NULLABLE |
STRING |
Outbound (1) |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
693e80ea-8315-4bbd-a079-b11f143af25d |
||||
action_firewall_local_ip |
NULLABLE |
STRING |
The local IP address in the communication. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4a82c514-906a-4c8f-8c14-c42755812120 |
||||
action_firewall_local_port |
NULLABLE |
INTEGER |
The local port in the communication. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
28b8ba01-e149-451e-bf85-7b2fadba641c |
||||
action_firewall_protocol |
NULLABLE |
INTEGER |
The IP protocol number as specified in RFC 1700. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
f1cb71b2-f282-4602-b462-aac43780a1b0 |
||||
action_firewall_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b6b4f11d-4660-4bc3-954b-95e5056603eb |
||||
action_firewall_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
708cc25e-e439-41f5-8644-9ab1cb9d0cfe |
||||
action_firewall_rule_guid |
NULLABLE |
STRING |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4fb889c2-7a22-4ece-b2f0-d747b1750780 |
|||||
action_is_dll_injection |
NULLABLE |
BOOLEAN |
Indicates whether or not the action is a DLL Injection. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
cda5c351-38c8-498e-aaa1-1fe37c5f0c44 |
||||
action_is_injected_thread |
NULLABLE |
BOOLEAN |
Indicates whether or not the action was performed by an injected thread. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
f04e9ba6-c54d-43fc-ae22-1168bbd904d6 |
||||
action_local_ip |
NULLABLE |
STRING |
Source IP address. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
0bf07bce-7c87-4bbf-b793-4fa64fc59e16 |
||||
action_local_ip_int |
NULLABLE |
INTEGER |
Source IP in integer format. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a682ce32-8637-400f-ad72-ebfb9854f947 |
||||
action_module_base_address |
NULLABLE |
STRING |
The base address where the library was loaded. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a9a71bbd-9802-46d5-8aff-afd153c7d193 |
||||
action_module_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
bd95f9a9-dbfd-4d2c-9c1b-6e825b4b6a85 |
||
action_module_file_access_time |
NULLABLE |
INTEGER |
Program Executable (PE) metadata collection from the image itself |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
bf575535-869c-4a2e-a34e-825f3cf3efdb |
||||
action_module_file_create_time |
NULLABLE |
INTEGER |
Program Executable (PE) metadata collection from the image itself |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
9482cbcd-aef3-4300-8358-5b01ec3f51d7 |
||||
action_module_file_info |
NULLABLE |
STRING |
Program Executable (PE) metadata collection from the image itself |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
fbe4ed48-0c39-4dc9-88c1-4fdff1099032 |
||||
action_module_file_mod_time |
NULLABLE |
INTEGER |
Modified time of the file in the module. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a50f488b-5806-4942-8a3d-f6572c2a1747 |
||||
action_module_file_size |
NULLABLE |
INTEGER |
Size of the file of the process in bytes. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b5e979aa-5057-4502-b58a-77ef58d8d879 |
||||
action_module_image_size |
NULLABLE |
INTEGER |
Size of the file in virtual memory. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
47bcee50-d1bd-446f-9ff8-b7fcc550e05b |
||||
action_module_is_remote |
NULLABLE |
BOOLEAN |
Indicates whether or not the module is loaded from a remote process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
24fd1899-eb92-4847-a051-52af317afb0a |
||||
action_module_is_replay |
NULLABLE |
BOOLEAN |
All existing loaded images are replayed, when the agent starts. This is set to true for images loaded when the agent is not started yet. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
3e9ae508-9ae2-4bad-832f-2e6b23f59819 |
||||
action_module_md5 |
NULLABLE |
STRING |
The module md5 value. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a664cc13-56e0-4138-bdf2-be02e090c570 |
||||
action_module_other_load_location |
NULLABLE |
STRING |
This module was already loaded before from a different location. This is the other location. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a3daa896-067e-4aca-a8e7-b5189c9071dd |
||||
action_module_path |
NULLABLE |
STRING |
The path of the module in use. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
55a457aa-0a7d-4a9e-86dd-57a96112d237 |
||||
action_module_process_instance_id |
NULLABLE |
STRING |
Cortex instance ID of the process loading the module. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
dd5fe723-c614-4c2e-bb0a-9bde66685c23 |
||||
action_module_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the loaded module. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4cbac433-8185-4d24-856b-1f50c336775a |
||||
action_module_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
c33a5ec7-e223-448f-b83b-748d05bdb82e |
||||
action_module_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
d570087f-b3e3-41cb-8cfe-60f44d044e35 |
||||
action_module_signature_status |
NULLABLE |
INTEGER |
The signature status of the module in action. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
7ece7a11-fe1b-4e47-ac7f-6c2229990959 |
||||
action_module_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1bc76377-2d54-4353-89bb-209fc2d48a1a |
||||
action_network_connection_id |
NULLABLE |
STRING |
The ID of the network connection. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1b89c6f8-9596-420d-8142-300a2365f42e |
||||
action_network_creation_time |
NULLABLE |
INTEGER |
The start time of the network session. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
7e79deb4-4aed-457c-b486-f37cb6989424 |
||||
action_network_http |
NULLABLE |
STRING |
HTTP headers |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
5d961057-bd2e-4f28-b8cb-f85abe7e6b30 |
||||
action_network_is_ipv6 |
NULLABLE |
BOOLEAN |
Indicates whether or not action_remote_ip is an IPv6 endpoint. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4ba258b3-024a-4c79-b5f9-35652698eed4 |
||||
action_network_is_npcap |
NULLABLE |
BOOLEAN |
Indicates whether or not this action is an npcap event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
35d85411-e055-4bd7-b397-c79771dc2bf5 |
||||
action_network_is_server |
NULLABLE |
BOOLEAN |
True for incoming connections. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
62482bf0-ff67-4193-907c-8c99e5978282 |
||||
action_network_packet_data |
NULLABLE |
STRING |
The data is converted to hexadecimal. Each byte is converted to 2 characters representing the character value of the byte. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
27b3d072-83b0-41d2-b38f-2687cf1772ef |
||||
action_network_protocol |
NULLABLE |
INTEGER |
Internet protocol number based on IPPROTO or normalized to IPPROTO (same as Java). |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
52b21ea4-0a59-4631-a7ae-ee5dd81f8d9f |
||||
action_network_stats_is_last |
NULLABLE |
BOOLEAN |
True, if the connection was terminated, and false otherwise. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
3e943f2b-d69b-40ac-9625-cde7dbd89dbc |
||||
action_network_stats_seq |
NULLABLE |
INTEGER |
Sequence number of the statistics "packet". |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
3800a9ee-5265-415c-8762-8105bf99fd76 |
||||
action_network_success |
NULLABLE |
BOOLEAN |
Indicates whether or not the session was successful. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
89aed345-7ffb-4817-b410-42b988419cf0 |
||||
action_pkts_received |
NULLABLE |
INTEGER |
Total number of packets received so far from the destination to the source. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
9846a98f-2f4c-447e-88f3-e8c3140bf353 |
||||
action_pkts_sent |
NULLABLE |
INTEGER |
Total number of packets sent so far from the source to the destination. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1553d541-185e-4729-b777-c326456b77d8 |
||||
action_powered_off |
NULLABLE |
BOOLEAN |
True, if the computer is powered off, such as suspended or hibernated, and false otherwise. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
817d3d7f-ae77-4f7d-ad87-8d6cca8c2659 |
||||
action_process_causality_id |
NULLABLE |
STRING |
Causality ID of the terminated process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2bb0b2ee-3ca9-493c-affd-5a238d0415b9 |
||||
action_process_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) from which this process started. including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
use to_json_string prior to filtering/altering this field |
179385ab-d2e5-4087-9ba1-38fc8e370a49 |
|
action_process_file_create_time |
NULLABLE |
INTEGER |
Creation time of the file that created the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
498a7595-77fb-43c3-8784-120aec9e24ae |
||||
action_process_file_info |
NULLABLE |
STRING |
Metadata from the exe file of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4dc1bf77-dfca-4b4a-a491-770fe45a1743 |
||||
action_process_file_mod_time |
NULLABLE |
INTEGER |
Modification time of the file that created the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
e88e939d-f6c5-4389-925f-70201745d43f |
||||
action_process_file_size |
NULLABLE |
INTEGER |
Size of the file involved in the process in bytes. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
48f797fe-28cc-4861-8f44-800a7075230e |
||||
action_process_image_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
90021ac3-f28b-4b01-a8c3-886f0ae169d7 |
||||
action_process_image_command_line_indices |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
53e22473-cdac-4437-a00c-49301eef7052 |
||||
action_process_image_extension |
NULLABLE |
STRING |
Process image extension - File extension. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1d402897-7281-4d9a-b25d-c8b419f98cd9 |
||||
action_process_image_md5 |
NULLABLE |
STRING |
MD5 of the binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ea957086-9c52-4201-bb73-f33ebe38f6e8 |
||||
action_process_image_name |
NULLABLE |
STRING |
File name of the 'action_process_image_path'. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
43440172-61e7-475e-93ac-743cb17eb9ba |
||||
action_process_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the process execution. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
e70397ac-6fa8-476c-8a79-3dd51695b72a |
||||
action_process_image_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4fc2e74a-8275-4c94-8707-54c591dc60af |
||||
action_process_instance_execution_time |
NULLABLE |
INTEGER |
Instance execution time. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
24cf48c3-0a9f-410a-b631-19bf7f459e00 |
||||
action_process_instance_id |
NULLABLE |
STRING |
Cortex instance ID of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
03edef91-7ef0-4815-b115-8acbb0030a6c |
||||
action_process_integrity_level |
NULLABLE |
INTEGER |
Integrity level of the process created. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
000908fd-9eaf-4264-b44c-42165c30d076 |
||||
action_process_is_causality_root |
NULLABLE |
BOOLEAN |
Indicates whether or not the created process is a new causality root process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
7176af9c-6e0d-453c-87f7-563c97a9449b |
||||
action_process_is_replay |
NULLABLE |
BOOLEAN |
Windows: The following events are replayed: Processes started before the agent is started. Module load events for modules loaded in replayed processes. Drivers loaded using module load before the agent is started. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
f2f72ae4-242b-4909-bf4a-b8620deaa389 |
||||
action_process_is_special |
NULLABLE |
INTEGER |
Indicates special system processes: |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1d9c5c1e-85db-41a7-8a84-cb09d39551cf |
||||
action_process_is_txn |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
9dcee7e3-8f91-4200-974a-6fda075c9a12 |
|||||||
action_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the new process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
23759e21-777a-45e6-be96-a21638807c13 |
||||
action_process_remote_session_ip |
NULLABLE |
STRING |
Windows: When the process was started from a remote Terminal Services session, the IP address of the remote client connected to the session. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
8818f408-9a6f-4eef-a305-1a2863d453e4 |
||||
action_process_requested_parent_iid |
NULLABLE |
STRING |
Windows: Same as the "action_process_requested_parent_pid", but the instance ID. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ec68cde0-d438-4d31-a500-8b8aa5263e08 |
||||
action_process_requested_parent_pid |
NULLABLE |
INTEGER |
Windows: A parent process can request to set the parent-pid of the child process to something other than their own. This is used for a "runas" scenario where the os_actor is different from the actor. Yet, it can also be used by malware to fake the parent pid. This field gives the requested parent pid, while giving the true actor/os_actor for the operation. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
e8a4082d-4893-4136-8b47-e23bd4d59661 |
||||
action_process_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ba432778-783d-4736-b2f5-a87e553dc8b6 |
||||
action_process_signature_status |
NULLABLE |
INTEGER |
Signature status of the process: |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
e90125bb-cf22-43a1-8ee7-2befaeff56fe |
||||
action_process_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b10c4b16-f57a-4f4c-a06e-cd25961c99a1 |
||||
action_process_termination_code |
NULLABLE |
INTEGER |
Process exit code. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b818fcfe-4cfd-451b-a4f6-a6277cf02ba2 |
||||
action_process_termination_date |
NULLABLE |
INTEGER |
Instance termination time. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2043afe2-9449-4823-9e85-1e4207031478 |
||||
action_process_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ac2779df-0199-4f50-8a3b-ce6de730f94c |
||||
action_process_username |
NULLABLE |
STRING |
Name assigned to the 'action_process_user_sid'. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
87aff9c0-f255-4169-950c-a2a86fd29e5b |
||||
action_protocol |
INTEGER |
IP protocol of the network event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_proxy |
NULLABLE |
BOOLEAN |
Indicates whether or not Cortex XDR/XSIAM performed an HTTP proxy resolution to get these fields: |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b30b6d6c-893d-46cd-ad5c-0c1ecd1a331a |
||||
action_registry_data |
NULLABLE |
STRING |
Registry data being written to the specific key. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ca8dcdae-d025-4d7e-a8fb-b20d3ddf1a38 |
||||
action_registry_file_path |
NULLABLE |
STRING |
Four operations: |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
fbbd2f35-12b9-4444-a8cf-27ec1d394d88 |
||||
action_registry_key_name |
NULLABLE |
STRING |
Registry key name being accessed. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
9e7d683e-776a-46da-a4d9-21d2858b572a |
||||
action_registry_old_data |
NULLABLE |
STRING |
Registry data being replaced by a new value. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
dc00523f-5c04-4e6a-84ad-f64d0ea50758 |
||||
action_registry_old_key_name |
NULLABLE |
STRING |
Old registry key name that is being renamed. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
991a3f3c-8054-490c-90e7-2cdb42f41984 |
||||
action_registry_return_val |
NULLABLE |
INTEGER |
Return value from the registry operation. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
503bb4c4-4706-4093-ad3d-98946c926698 |
||||
action_registry_value_name |
NULLABLE |
STRING |
Registry value name being accessed. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
682804f7-e3f4-4eea-8fba-b735e7102f3c |
||||
action_registry_value_type |
NULLABLE |
INTEGER |
Regular types: |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
c2fc0320-49ff-4564-9ff5-e246e0ad21ea |
||||
action_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2e70bdaf-0817-4126-a161-74aa37a3d197 |
||||
action_remote_ip_int |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
5b26b69f-419e-4f09-85ff-b00b97bd475e |
||||
action_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
cfb1c4f3-b571-427b-be84-9f5d61940c6d |
||||
action_remote_process_causality_id |
NULLABLE |
STRING |
Causality ID of the remote injected process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a532d933-3f62-4fc4-bbc9-0dbaa13a3a02 |
||||
action_remote_process_file_access_time |
INTEGER |
Access time of the file that created the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4af7c0da-c799-4048-b60f-7b301f11d727 |
|||||
action_remote_process_image_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
11a01d76-7b1d-4640-b175-ad2b7e6bc390 |
||||
action_remote_process_image_extension |
NULLABLE |
STRING |
Process image extension - File extension. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
03daa349-4f0a-4ae9-9578-75130b79c0af |
||||
action_remote_process_image_md5 |
NULLABLE |
STRING |
MD5 of the binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
91e4afb6-e812-487a-8931-58b4f0c9b3e8 |
||||
action_remote_process_image_name |
NULLABLE |
STRING |
Image name of the remote injected process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
3e1b4a1e-fdc4-4f5d-a7c4-29cf464a1dd9 |
||||
action_remote_process_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the execution. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
8d417bcb-6cfa-4405-b64b-cbba5ec3147c |
||||
action_remote_process_image_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
6758b5e4-8be9-47d5-a648-dbc280d93371 |
||||
action_remote_process_instance_id |
NULLABLE |
STRING |
Instance ID of the remote injected process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
c5468ef9-52ea-4224-909c-d72cbb86a147 |
||||
action_remote_process_integrity_level |
NULLABLE |
INTEGER |
Integrity level of the remote injected process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
76304bd4-77ff-4c87-8ffc-b3cb5b3d34a7 |
||||
action_remote_process_is_causality_root |
NULLABLE |
BOOLEAN |
Indicates whether or not the remote process being injected into is a causality root. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b69cb02d-2844-4515-9002-ef00794a2553 |
||||
action_remote_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the remote process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
2410861d-b020-4a54-9254-1ee4184bee78 |
||||
action_remote_process_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
76a8a2ee-185d-46de-b909-ce6157f13e1d |
||||
action_remote_process_signature_status |
NULLABLE |
INTEGER |
Signature status of the process: |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ca13e774-32b8-4ab6-9e2b-a830180f6144 |
||||
action_remote_process_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b09dd678-812e-47c6-b5af-0f8539d665f7 |
||||
action_remote_process_thread_id |
NULLABLE |
INTEGER |
Target thread of remote execution. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
6f4c06fd-3e86-4d24-867d-042047018906 |
||||
action_remote_process_thread_start_address |
NULLABLE |
STRING |
Memory address of the thread being injected into a remote process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
5e978a60-5730-4868-8f5f-660a66e25c11 |
||||
action_remote_process_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
310a6d61-c57e-4950-8347-2dc2c8ad19f8 |
||||
action_remote_process_username |
NULLABLE |
STRING |
Name assigned to the action_process_user_sid field. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
614a4f91-8452-4588-a8ee-1d84e313c9e6 |
||||
action_rpc_func_opnum |
NULLABLE |
INTEGER |
Integer identifying the function called. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
5f777a9c-bc89-478b-8090-7a1ce2fd7540 |
||||
action_rpc_interface_uuid |
NULLABLE |
STRING |
Universally Unique IDentifier (UUID) identifying the interface. An interface is only uniquely identified by the UUID + Major version + Minor version. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
51679e21-eda9-46a2-bc02-250bdc90beb9 |
||||
action_rpc_interface_version_major |
NULLABLE |
INTEGER |
Major version of the Remote Procedure Call (RPC) interface. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
21e97140-46f7-4014-974d-e53671a53bbe |
||||
action_rpc_interface_version_minor |
NULLABLE |
INTEGER |
Minor version of the Remote Procedure Call (RPC) interface. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
d004cae7-3bd4-4a7b-9a15-ce821ddb34fa |
||||
action_session_duration |
NULLABLE |
INTEGER |
Number of milliseconds (ms) since the session started. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
8eda0417-05c2-4a76-9188-c4ff8fa53fac |
||||
action_syscall_etw_based |
NULLABLE |
BOOLEAN |
Indicates whether the system call was captured through Event Tracing for Windows (ETW) or through native hooking. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
455856de-94aa-40da-9e42-fbc5d0be8cb3 |
||||
action_syscall_int_params |
NULLABLE |
STRING |
Action parameters where the value is an integer in the system call invocation. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
a1585706-ed50-48b2-8c42-4600d40631e1 |
||||
action_syscall_stack_ptr |
NULLABLE |
STRING |
Stack pointer creating the captured syscall. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
528f921b-bc16-4ac5-b833-cdbcd60f89a9 |
||||
action_syscall_string_params |
NULLABLE |
STRING |
Action parameters where the value is a string in the system call invocation. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
58c88062-15e8-4f1c-8f83-fe493ef950cf |
||||
action_syscall_target_image_name |
NULLABLE |
STRING |
Base image name of the target process, such as lsass.exe. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
cc212646-c310-43b0-b99a-909740dfe3a4 |
||||
action_syscall_target_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the execution. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
cfd73a32-7ef8-4d19-8f0e-a5809f190eab |
||||
action_syscall_target_instance_id |
NULLABLE |
STRING |
Instance ID of the target process, when one exists. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
4332f3ec-9bdc-415e-94dc-0ca1920b1a68 |
||||
action_syscall_target_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the syscall target process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
1cfc769f-2cdd-4c9e-8c16-3ec8abc77a96 |
||||
action_syscall_target_thread_id |
NULLABLE |
INTEGER |
Target thread ID of the captured syscall. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
6fe85d17-b166-47e6-bdbe-7789e26e17a9 |
||||
action_thread_thread_id |
NULLABLE |
INTEGER |
Thread ID creating the captured syscall. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
dd617531-2729-4fc4-a2bc-b19e2f9a4eec |
||||
action_total_download |
NULLABLE |
INTEGER |
Total number of payload bytes from the destination to the source so far. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
662e8b5c-3e3c-4a4d-ae5c-ecec2f050c15 |
||||
action_total_upload |
NULLABLE |
INTEGER |
Total number of payload bytes from the source to the destination so far. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
3f9dd8bc-d599-4b4b-b036-509027fff9f1 |
||||
action_upload |
NULLABLE |
INTEGER |
Number of uploaded bytes in the last time window. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ea2c1242-35ba-4ec3-a4b7-72fe33afef10 |
||||
action_user_agent |
NULLABLE |
STRING |
The user agent used by an actor to perform an action. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
09998692-1986-47c2-a139-4c15f513dd71 |
||||
action_user_is_local_session |
NULLABLE |
BOOLEAN |
Indicates whether the user logged in locally or from a remote computer. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
ed08d2dd-fc1b-4235-9cca-be92b1866b48 |
||||
action_user_status |
NULLABLE |
INTEGER |
Agent user status change event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
c6ef7161-3aa9-44c5-a0b3-39f61ee16d0e |
||||
action_user_status_sid |
NULLABLE |
STRING |
Security identifier (SID) of the user. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
b03dc09d-809b-4363-87c9-5779f47b9f97 |
||||
action_username |
NULLABLE |
STRING |
Name of the user. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
0df9044b-2a94-4a82-9bab-e4b7ab793a90 |
||||
action_local_nat_port |
INTEGER |
Source NAT port. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_nat_port |
INTEGER |
Destination NAT port. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_local_nat_ip |
STRING |
Source NAT IP address. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_nat_ip |
STRING |
Destination NAT IP address. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_nat |
BOOLEAN |
Indicates whether or not the connection is NAT. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_rpc_items |
RECORD |
EAL remote procedure call (RPC) data items. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_category_of_app_id |
STRING |
App-ID category. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_sub_category_of_app_id |
STRING |
App-ID sub category. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_app_id_risk |
INTEGER |
App-ID risk. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_location |
RECORD |
Geolocation information of the source IP. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_as_data |
RECORD |
ASN data from the source of the network activity. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_evtlog_normalized_user |
RECORD |
A normalized user for the event log event. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_direction_confidence |
INTEGER |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_evtlog_int_fields |
RECORD |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_file_pe_info |
RECORD |
Only valid according to collection policy. Usually enabled on some write-file events. The field is not aptly named since it sometimes contains info on non-PE files as well. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_last_writer_actor |
STRING |
Instance ID of the actor that wrote the file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_signature_is_embedded |
BOOLEAN |
Indicates whether or not the signature is embedded inside the PE or part of an external catalog file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_auth_sha1 |
STRING |
SHA1 of the binary's Authenticode, which is the part of a PE used when signing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_auth_sha2 |
STRING |
SHA256 of the binary's Authenticode, which is the part of a PE used when signing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_reparse_count |
INTEGER |
Only valid for sub_type = 1/2 (create_new/open), which provides the reparse count if the file was opened through a reparse point. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_pipe_impersonation_integrity_level |
INTEGER |
When the event type is impersonate_pipe, this field contains the integrity level of the token that is used for the impersonation. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_operation_flags |
INTEGER |
The specified flags for the file operation. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_file_is_anonymous |
BOOLEAN |
Indicates whether or not the file was created without an accessible path from the filesystem (`open(..., O_TMPFILE)`, `memfd_create`). |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_module_last_writer_actor |
STRING |
Instance ID of the actor that wrote the file for the module. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_module_code_integrity |
INTEGER |
The value of ci!g_CiOptions when the driver is loaded. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_module_boot_code_integrity |
INTEGER |
The value of ci!g_CiOptions at boot time. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_module_signature_is_embedded |
BOOLEAN |
Indicates whether or not the signature is embedded inside the PE or part of an external catalog file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_module_system_properties |
INTEGER |
Additional properties of the DLL. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_module_auth_sha2 |
STRING |
SHA256 of the binary's Authenticode, which is the part of a PE used when signing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_module_auth_sha1 |
STRING |
SHA1 of the binary's Authenticode, which is the part of a PE used when signing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_local_port |
INTEGER |
Source port. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_network_icmp_data |
RECORD |
Only valid for event_sub_type = 18. ICMP packet data. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_network_creation_time_original |
INTEGER |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_network_is_loopback |
BOOLEAN |
Valid for stream_connect, datagram_connect, raw_data, outbound_icmp and stream_statistics. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_socket_type |
INTEGER |
0 : Unknown type |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_pe_load_info |
RECORD |
Windows: Information about the loaded PE image. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_token |
RECORD |
Security context of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_privileges |
INTEGER |
String representing a 64-bit integer. These are the enabled special privileges that the process is running with. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_fds |
RECORD |
Unix: FD information about 'stdin', 'stdout', and 'stderr'. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_is_container_root |
BOOLEAN |
Linux: True for the process that creates the container. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_container_info |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||||
action_process_ns_pid |
INTEGER |
The PID of the new process in the relevant Linux namespace. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_ns_user_sid |
STRING |
Linux-only: Effective UID of the executed binary in the relevant Linux namespace. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_ns_user_real_sid |
STRING |
Linux-only: Real UID of the executed binary in the relevant Linux namespace. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_is_remote_session_root |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||||
action_process_remote_session_port |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||||
action_process_local_session_ip |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||||
action_process_local_session_port |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||||
action_process_static_analysis_score |
INTEGER |
Static analysis score of executed binary. Scale of 0-1, where 0 is definitely benign, and 1 is definitely malware. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_container_id |
STRING |
Linux: The ID of the container in which this process is running. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_user_real_sid |
STRING |
Unix-only: Real UID of the executed binary. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_signature_is_embedded |
BOOLEAN |
Indicates whether or not the signature is embedded inside the PE or part of an external catalog file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_file_access_time |
INTEGER |
Access time of the file that created the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_cwd |
STRING |
Working directory from which the process was executed. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_is_64bit |
BOOLEAN |
Indicates whether or not the process is 64 bit. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_is_native |
BOOLEAN |
Indicates whether or not this process is a "native process". On a 32-bit machine, the value is always true, and on a 64-bit machine, the value is true when the process is 64-bit. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_peb |
STRING |
Windows: The address of the PEB of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_peb32 |
STRING |
Windows: The address of the PEB32 of the process. Only non-zero if this is a WOW64 process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_image_auth_sha1 |
RECORD |
SHA1 of the binary's Authenticode, which is the part of a PE used when signing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_image_auth_sha2 |
STRING |
SHA256 of the binary's Authenticode, which is the part of a PE used when signing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_last_writer_actor |
STRING |
Instance ID of the actor that wrote the file for this process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_script |
STRING |
When the executable is an interpreter, the script that it is executing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_script_device_info |
RECORD |
Info about the device (volume + HW) from which this script was executed. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_environment_variables |
MAP |
Environment variables that were sent on the process execution. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_file_info |
RECORD |
Metadata from the EXE file of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_file_create_time |
INTEGER |
Creation time of the file that created the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_file_mod_time |
INTEGER |
Modification time of the file that created the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_signature_is_embedded |
BOOLEAN |
Indicates whether or not the signature is embedded inside the PE or part of an external catalog file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_is_special |
INTEGER |
Indicates special system processes: |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_is_replay |
BOOLEAN |
Indicates whether or not the agent was alive during the execution of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_is_64bit |
BOOLEAN |
Indicates whether or not the process is 64 bit. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_is_native |
BOOLEAN |
Indicates whether or not this process is a "native process". On a 32-bit machine, the value is always true, and on a 64-bit machine, the value is true when the process is 64-bit. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_file_size |
INTEGER |
Size of the file of the process in bytes. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_image_auth_sha1 |
STRING |
SHA1 of the binary's Authenticode, which is the part of a PE used when signing. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_image_auth_sha2 |
STRING |
Process image SHA-2 authenticode. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_remote_process_last_writer_actor |
STRING |
The instance ID of the last writer that changed the file of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_user_session_id |
INTEGER |
Windows: Session ID of the process. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_mount_device_info |
RECORD |
Info about the device (volume + HW). |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_rpc_func_exception_code |
INTEGER |
If an exception occurred during this remote procedure call (RPC), the exception code is provided. Otherwise, the value is 0. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_rpc_interface_name |
STRING |
Description of the remote procedure call (RPC) interface, taken from the IDL file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_rpc_func_str_call_fields |
RECORD |
Parameters where the keys are the names of the argument in the function call. The values are the values of the parameters. Values are strings. For instance, if we have a remote procedure call (RPC) to CreateService(ServiceName, ServiceType), we will get something like |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_rpc_func_name |
STRING |
Function name taken from the IDL file. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_rpc_func_int_call_fields |
RECORD |
Same as the field action_rpc_func_str_call_fields, but the values are integers. Since the values are in a uint64_t format, they are still serialized as strings. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_device_usb_vendor_name |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||||
action_device_usb_product_name |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||||
action_device_usb_interface_class |
INTEGER |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_device_usb_interface_sub_class |
INTEGER |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_thread_start_address |
INTEGER |
Start address of the thread function, which is serialized as a string as it can be a true 64-bit address. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_thread_parent_pid |
INTEGER |
Windows: Same as the actor info. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_thread_parent_tid |
INTEGER |
Windows: Same as the actor info. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_thread_parent_iid |
STRING |
Windows: Same as the actor info. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_thread_child_pid |
INTEGER |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_thread_child_tid |
INTEGER |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_thread_child_iid |
STRING |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
|||||||
action_thread_stack_base |
STRING |
Windows: Base of the stack. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_thread_stack_limit |
STRING |
Windows: Limit of the stack. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_thread_teb |
STRING |
Windows: Address of the TEB of the thread. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_handle_is_kernel |
BOOLEAN |
Indicates whether or not a handle is used by the kernel. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_handle_granted_access |
INTEGER |
Access rights that were granted when opening the handle. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_handle_opened_process_pid |
INTEGER |
PID of the process opened. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_process_handle_opened_process_iid |
STRING |
IID of the process opened. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
address_mapping |
RECORD |
symbol_name: Name of the suspicious function. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_ns_flags |
INTEGER |
Unshare: Flags raw value. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_ns_path |
STRING |
Setns-only: Path to the namespace file descriptor. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_time_change_clock_diff_ms |
INTEGER |
Difference in milliseconds from previous system time. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_trace_flags |
INTEGER |
Flags that were sent to the ptrace function. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_trace_ret |
INTEGER |
Return value of the ptrace function. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |
||||||
action_trace_request_id |
INTEGER |
Request ID of the ptrace function. |
Action Actor: The Action actor is an activity that took place and was recorded by the agent. |