Field Name |
Mode |
Data Type |
Fields mode |
Fields name |
DATA TYPE |
Description |
Action / Type reminder |
Suffix |
Guid |
|---|---|---|---|---|---|---|---|---|---|
actor_causality_id |
NULLABLE |
STRING |
Will match 'causality_actor_causality_id' in the causality owner actor fields. |
Actor Actor: The Actor actor is the process that performed the action. |
234f3c7a-c9ca-4ae3-9baf-9aacb99461f2 |
||||
actor_effective_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
Actor Actor: The Actor actor is the process that performed the action. |
d2a230b5-51a1-4984-befb-84378f581c05 |
||||
actor_effective_username |
NULLABLE |
STRING |
Name assigned to 'actor_effective_user_sid'. |
Actor Actor: The Actor actor is the process that performed the action. |
154e1c7d-5954-4e95-a12b-70f3dd846b8d |
||||
actor_is_injected_thread |
NULLABLE |
BOOLEAN |
Indicates whether or not a user can connect to the USB port that the device is connected to. |
Actor Actor: The Actor actor is the process that performed the action. |
92709014-ba00-4ce1-9e02-093c4d551ec4 |
||||
actor_os_process_instance_id |
NULLABLE |
STRING |
Cortex XDR/XSIAM unique identifier for the operating system's actor process. |
Actor Actor: The Actor actor is the process that performed the action. |
0693cfe3-1bbc-483b-a20d-d2f67cb7fb14 |
||||
actor_primary_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
Actor Actor: The Actor actor is the process that performed the action. |
1af389b7-73c7-446f-bbba-4c852e5a4a41 |
||||
actor_primary_username |
NULLABLE |
STRING |
Name assigned to the user_sid. |
Actor Actor: The Actor actor is the process that performed the action. |
3f05c6b3-b5f0-43aa-b3ff-69b818603305 |
||||
actor_process_auth_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
Actor Actor: The Actor actor is the process that performed the action. |
92ad0e5e-9c12-4705-909f-5b89a9c3ed36 |
||||
actor_process_causality_id |
NULLABLE |
STRING |
Cortex XDR/XSIAM unique causality ID for the actor casuality chain. |
Actor Actor: The Actor actor is the process that performed the action. |
34c9275b-d349-4d83-9a4a-afc5ae769308 |
||||
actor_process_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Actor Actor: The Actor actor is the process that performed the action. |
dc79b8d0-9eee-42f0-be63-d593125fb708 |
||||
actor_process_command_line_indices |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Actor Actor: The Actor actor is the process that performed the action. |
aac6ac20-17ee-44fe-9e3f-1536e8c986ee |
||||
actor_process_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) from which this process started. including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
Actor Actor: The Actor actor is the process that performed the action. |
use to_json_string prior to filtering/altering this field |
c770b4ac-289d-4ce8-bb40-b02d543584d6 |
|
actor_process_execution_time |
NULLABLE |
INTEGER |
Timestamp of the execution in epoch time. |
Actor Actor: The Actor actor is the process that performed the action. |
b11bbeb9-5981-4e01-938f-efb65199164b |
||||
actor_process_file_access_time |
NULLABLE |
INTEGER |
Creation time of the file that created the actor process. |
Actor Actor: The Actor actor is the process that performed the action. |
b098b64c-643d-4c92-a9d7-112fa8b20e0e |
||||
actor_process_file_create_time |
NULLABLE |
INTEGER |
Creation time of the file that created the process. |
Actor Actor: The Actor actor is the process that performed the action. |
1873368a-95a5-481c-b544-bedbbe4e8bd0 |
||||
actor_process_file_mod_time |
NULLABLE |
INTEGER |
Modification time of the file that created the process. |
Actor Actor: The Actor actor is the process that performed the action. |
4dbfbc58-561f-47b5-a3da-7070c53b03fe |
||||
actor_process_file_size |
NULLABLE |
INTEGER |
Size of the file involved in the process in bytes. |
Actor Actor: The Actor actor is the process that performed the action. |
83b1a470-22e5-449f-b1da-4eed45ddca31 |
||||
actor_process_image_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Actor Actor: The Actor actor is the process that performed the action. |
44266ab2-718b-4ea1-85ac-4c416523885e |
||||
actor_process_image_extension |
NULLABLE |
STRING |
Process image extension - File extension. |
Actor Actor: The Actor actor is the process that performed the action. |
31677070-b336-4945-8493-e11652e03411 |
||||
actor_process_image_md5 |
NULLABLE |
STRING |
MD5 of the binary. |
Actor Actor: The Actor actor is the process that performed the action. |
81559dba-1cd2-4b77-9892-86ad0ac0fd1e |
||||
actor_process_image_name |
NULLABLE |
STRING |
File name of the actor_process_image_path. |
Actor Actor: The Actor actor is the process that performed the action. |
94697c47-bc47-4818-a366-7250fa450e89 |
||||
actor_process_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the execution. |
Actor Actor: The Actor actor is the process that performed the action. |
86d808ce-8b32-41f8-8ed1-896b753d5b37 |
||||
actor_process_image_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
Actor Actor: The Actor actor is the process that performed the action. |
20c366eb-95bb-44dd-9b40-c3008a9c8ba3 |
||||
actor_process_instance_id |
NULLABLE |
STRING |
Cortex XDR/XSIAM unique identifier of the actor process. |
Actor Actor: The Actor actor is the process that performed the action. |
f4efd71b-b361-423a-86b7-844aa9837110 |
||||
actor_process_integrity_level |
NULLABLE |
INTEGER |
Integrity level of the process. |
Actor Actor: The Actor actor is the process that performed the action. |
7816ceae-31f6-42d6-b031-cc2492408295 |
||||
actor_process_is_64bit |
NULLABLE |
BOOLEAN |
Indicates whether or not the process is a 64-bit process. |
Actor Actor: The Actor actor is the process that performed the action. |
bdd51bd8-d38f-4bff-9cb0-667f0fa62848 |
||||
actor_process_is_native |
NULLABLE |
BOOLEAN |
Indicates whether or not this process a "native process". |
Actor Actor: The Actor actor is the process that performed the action. |
d20c427f-8e58-4e8e-b79f-9d08b7f16086 |
||||
actor_process_is_replay |
NULLABLE |
BOOLEAN |
Indicates whether or not the agent was alive during the execution of the process. |
Actor Actor: The Actor actor is the process that performed the action. |
a706b855-bb12-45e5-a0a5-297146164e78 |
||||
actor_process_is_special |
NULLABLE |
INTEGER |
Indicates special system processes: |
Actor Actor: The Actor actor is the process that performed the action. |
efdf2015-601e-417e-a30d-7dddffec62cd |
||||
actor_process_logon_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
Actor Actor: The Actor actor is the process that performed the action. |
4b5645df-8dde-4993-b366-2b6b319d5614 |
||||
actor_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the actor process. |
Actor Actor: The Actor actor is the process that performed the action. |
71352da0-1f5b-407c-909a-bbf5afa04fad |
||||
actor_process_session_id |
NULLABLE |
INTEGER |
Windows: Session ID of the process. |
Actor Actor: The Actor actor is the process that performed the action. |
f22ee472-2e18-40a3-9629-d4e2c919b3e7 |
||||
actor_process_signature_is_embedded |
NULLABLE |
BOOLEAN |
Indicates whether or not the signature embedded inside the Program Executable (PE) or part of an external catalog file. |
Actor Actor: The Actor actor is the process that performed the action. |
ad2decd0-7054-4ee1-aacb-bf4382b735bd |
||||
actor_process_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
Actor Actor: The Actor actor is the process that performed the action. |
8cac301d-9ac5-4e07-b9fb-b9c4c1386210 |
||||
actor_process_signature_status |
NULLABLE |
INTEGER |
Signature status of the process: |
Actor Actor: The Actor actor is the process that performed the action. |
4d25bb6e-5b16-49ae-ad4f-b4e892fdbb08 |
||||
actor_process_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
Actor Actor: The Actor actor is the process that performed the action. |
82fa25e7-3062-41ec-8c32-57c3cbce9ac4 |
||||
actor_remote_host |
NULLABLE |
STRING |
Relevant when the actor is a remote actor and the host was resolved successfully. |
Actor Actor: The Actor actor is the process that performed the action. |
413ec8ca-ca5d-4ada-a794-17f9aad882a3 |
||||
actor_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
Actor Actor: The Actor actor is the process that performed the action. |
d8925e31-e6b6-4310-b80b-4f68c3fe7a64 |
||||
actor_remote_pipe_name |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is RemoteRpcNamedPipe. |
Actor Actor: The Actor actor is the process that performed the action. |
4d28422d-4e05-4194-838b-422956b5f6dd |
||||
actor_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
Actor Actor: The Actor actor is the process that performed the action. |
8810323a-8932-440f-aa42-5e33720f3dc4 |
||||
actor_thread_thread_id |
NULLABLE |
INTEGER |
An identifier of the OS thread which is responsible for the event. |
Actor Actor: The Actor actor is the process that performed the action. |
98d6c973-6840-47cf-b79b-6219d09f4f94 |
||||
actor_type |
NULLABLE |
INTEGER |
Enum describing actor type: |
Actor Actor: The Actor actor is the process that performed the action. |
32cf78b2-1bbe-4eb6-b41a-5d34def563ed |
||||
actor_primary_normalized_user |
RECORD |
A normalized user for the actor. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_effective_normalized_user |
RECORD |
Normalized user information. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_container_info |
RECORD |
Container information for the process. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_process_ns_pid |
Actor Actor: The Actor actor is the process that performed the action. |
||||||||
actor_ns_user_sid |
Actor Actor: The Actor actor is the process that performed the action. |
||||||||
actor_process_container_id |
Actor Actor: The Actor actor is the process that performed the action. |
||||||||
actor_rpc_interface_uuid |
STRING |
MS-RPC interface unique identifier. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_rpc_func_opnum |
INTEGER |
MS-RPC function operation identitifer. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_rpc_interface_version_major |
INTEGER |
MS-RPC interface major version. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_rpc_interface_version_minor |
INTEGER |
MS-RPC interface minor version. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_rpc_protocol |
STRING |
MS-RPC protocol type. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_local_ip |
STRING |
Source IP of the network activity. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_local_port |
INTEGER |
Source port for the network activity |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_process_image_auth_sha2 |
STRING |
Process image SHA-2 authenticode. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_process_image_auth_sha1 |
STRING |
Process image SHA-1 authenticode. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_process_last_writer_actor |
STRING |
Cortex instance ID of the last process that has written the actor process image. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_process_static_analysis_score |
DEPRECATED |
Actor Actor: The Actor actor is the process that performed the action. |
|||||||
actor_process_file_original_name |
STRING |
Original file name of the actor image based on the file information metadata. |
Actor Actor: The Actor actor is the process that performed the action. |
||||||
actor_process_file_internal_name |
STRING |
Internal name of the actor image based on the file information metadata. |
Actor Actor: The Actor actor is the process that performed the action. |
The Actor actor is the process that performed the action.