Field Name |
Mode |
Data Type |
Fields mode |
Fields name |
DATA TYPE |
Description |
Action / Type reminder |
Suffix |
Guid |
---|---|---|---|---|---|---|---|---|---|
causality_actor_causality_id |
NULLABLE |
STRING |
Causality ID of the causality actor. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
7a4db553-0b3b-40c7-b952-b6a745146814 |
||||
causality_actor_effective_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
fed5cb5a-004a-4cfb-a0f1-7699b8981ee7 |
||||
causality_actor_effective_username |
NULLABLE |
STRING |
Source effective username. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
c1e10aa4-06f1-42e3-ac48-2243ff8e815d |
||||
causality_actor_primary_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
dd8c9bdd-7006-4b06-a333-6ca59f06804d |
||||
causality_actor_primary_username |
NULLABLE |
STRING |
Name assigned to the user_sid. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
4c373c32-776d-43a1-b3e9-563f89a592f2 |
||||
causality_actor_process_auth_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
da30881d-a70c-41cc-9b6b-93e90bd83a7f |
||||
causality_actor_process_causality_id |
NULLABLE |
STRING |
Causality ID of the causality actor process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
fbcef791-6b57-450d-a015-4a325fffd88d |
||||
causality_actor_process_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
939cbb1d-1dad-4686-a7e0-dc1acca3e9a7 |
||||
causality_actor_process_command_line_indices |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
84446788-1c71-4dff-8e00-c993331a42aa |
||||
causality_actor_process_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) from which this process started, including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
use to_json_string prior to filtering/altering this field |
85803bb7-9a63-4fc5-ae82-ff8b4384a6f3 |
|
causality_actor_process_execution_time |
NULLABLE |
INTEGER |
Causality actor process execution time in epoch time. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
a174a6d3-9674-4027-9bae-7b6cba2a3e22 |
||||
causality_actor_process_file_access_time |
NULLABLE |
INTEGER |
Access time of the file that created the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
6ead2e47-f0ab-421b-86c3-c3112148b937 |
||||
causality_actor_process_file_create_time |
NULLABLE |
INTEGER |
Creation time of the file that created the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
fcacd537-d521-466a-9029-de3fe494fe91 |
||||
causality_actor_process_file_mod_time |
NULLABLE |
INTEGER |
Modification time of the file that created the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
c0387d2f-b3da-4a47-9409-6fb4afb05959 |
||||
causality_actor_process_file_size |
NULLABLE |
INTEGER |
Size of the file involved in the process in bytes. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
74423eaf-ac90-4bae-b95c-a4f393beeb30 |
||||
causality_actor_process_image_extension |
NULLABLE |
STRING |
Process image extension - File extension. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
81bd6bae-0863-4884-8d3b-7b04e03df9e7 |
||||
causality_actor_process_image_md5 |
NULLABLE |
STRING |
MD5 of the binary. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
7317374b-1d1a-4e33-9fed-2ee822583453 |
||||
causality_actor_process_image_name |
NULLABLE |
STRING |
File name of the 'causality_actor_process_image_path'. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
ca95c4f5-64bd-4167-9a28-887686ba28df |
||||
causality_actor_process_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the execution. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
3423a1ce-8134-49e5-bc6c-73913c2504d0 |
||||
causality_actor_process_image_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
4041b5a5-ef5c-474f-a5a0-37620a47e66d |
||||
causality_actor_process_instance_id |
NULLABLE |
STRING |
Cortex XDR/XSIAM unique identifier for the causality actor process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
8758f162-bcd4-4fd6-bdbb-878c5bda9a5b |
||||
causality_actor_process_integrity_level |
NULLABLE |
INTEGER |
Process integrity level. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
6ce64568-e467-4141-bb69-4280e03bb783 |
||||
causality_actor_process_is_64bit |
NULLABLE |
BOOLEAN |
Indicates whether or not the process is 64-bit. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
fc5b0bc9-50b3-4742-b5fc-ab63be68818c |
||||
causality_actor_process_is_native |
NULLABLE |
BOOLEAN |
Indicates whether this process is a "native process". On a 32-bit machine the value is always true; on a 64-bit machine, it is true if the process is a 64-bit process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
d565a1d2-7d19-4f15-9abe-184192f634fd |
||||
causality_actor_process_is_replay |
NULLABLE |
BOOLEAN |
Indicates whether or not the Agent was alive during the execution of the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
248d2fc6-0cd9-4142-a65b-5215835c1621 |
||||
causality_actor_process_is_special |
NULLABLE |
INTEGER |
Indicates special system processes: |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
7e242fcf-dc66-4c63-b67d-0471e91a2e32 |
||||
causality_actor_process_logon_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
10231cb0-1d71-4509-95f3-aa1ce1d7a2c8 |
||||
causality_actor_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the causality actor process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
0cde941c-e5bc-4687-8874-0d1b538d7738 |
||||
causality_actor_process_session_id |
NULLABLE |
INTEGER |
Windows: Session ID of the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
b27727a0-ab52-454a-9380-5fc84da5c92f |
||||
causality_actor_process_signature_is_embedded |
NULLABLE |
BOOLEAN |
Indicates whether or not the signature is embedded inside the Program Executable (PE) or part of an external catalog file. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
202f3f63-2157-4105-bca2-14541155850b |
||||
causality_actor_process_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
bbfb60f2-67f4-405e-9013-920113be9067 |
||||
causality_actor_process_signature_status |
NULLABLE |
INTEGER |
Signature status of the process: Signed = 1 |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
26b94978-973f-4726-99ea-32257fa93a4a |
||||
causality_actor_process_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
afb61570-929f-4f6c-867c-2c451413a8c4 |
||||
causality_actor_remote_host |
NULLABLE |
STRING |
Relevant when the actor is a remote actor and the host was resolved successfully. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
0b710029-6668-4550-bbcd-906e138b52bd |
||||
causality_actor_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
c084b15c-8a33-4889-a068-22e929acb3ee |
||||
causality_actor_remote_pipe_name |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is RemoteRpcNamedPipe. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
21823501-53e5-44d2-9025-e65f5a3024f6 |
||||
causality_actor_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
dd4f5b38-17c1-432d-97a9-2258d87b817c |
||||
causality_actor_remote_port_pipe_name |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
7fa3de5f-b82e-485c-9110-bad49a9dba9a |
||||
causality_actor_session_id |
NULLABLE |
INTEGER |
Session ID |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
9426d445-b7ac-43df-9b53-7e543f47e21b |
||||
causality_actor_type |
NULLABLE |
INTEGER |
Local = 1. The actor is a local process |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
b1f2962a-4f7d-41b9-8257-59ea0e7fb6cc |
||||
causality_actor_primary_normalized_user |
RECORD |
Normalized user information. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_container_info |
RECORD |
The container information for the process. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_process_ns_pid |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||||
causality_actor_ns_user_sid |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||||
causality_actor_rpc_interface_uuid |
STRING |
MS-RPC interface unique identifier. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_rpc_func_opnum |
INTEGER |
MS-RPC function operation identifier. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_rpc_interface_version_major |
INTEGER |
MS-RPC interface major version. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_rpc_interface_version_minor |
INTEGER |
MS-RPC interface minor version. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_rpc_protocol |
STRING |
MS-RPC protocol type. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_local_ip |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||||
causality_actor_process_last_writer_actor |
STRING |
Cortex instance ID of the last process that has written the causality actor process image. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_process_static_analysis_score |
DEPRECATED |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
|||||||
causality_actor_local_port |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||||
causality_actor_process_container_id |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||||
causality_actor_process_image_auth_sha1 |
STRING |
Process image SHA-2 authenticode. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_process_image_auth_sha2 |
STRING |
Process image SHA-1 authenticode. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_process_file_original_name |
STRING |
Original file name of the causality actor image based on the file information metadata. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |
||||||
causality_actor_process_file_internal_name |
STRING |
Internal name of the causality actor image based on the file information metadata. |
Causality Actor: The Causality actor—also referred to as the causality group owner (CGO)—is the parent process in the execution chain that the Cortex XDR/XSIAM agent identified as being responsible for initiating the process tree. |