Field Name |
Mode |
Data Type |
Fields mode |
Fields name |
DATA TYPE |
Description |
Action / Type reminder |
Suffix |
Guid |
|---|---|---|---|---|---|---|---|---|---|
dst_actor_causality_id |
NULLABLE |
STRING |
Causality ID of the destination actor. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
08813813-4b1d-4602-a958-7b05a6e97172 |
||||
dst_actor_effective_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
b68bedb1-f68f-416b-aee7-854265aa96e3 |
||||
dst_actor_effective_username |
NULLABLE |
STRING |
Name assigned to the 'actor_effective_user_sid'. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
2c843fc0-a99e-4929-b4cd-f3e831112668 |
||||
dst_actor_is_injected_thread |
NULLABLE |
BOOLEAN |
Indicates whether or not this destination actor's thread is an injected thread. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
cf495ecb-8efb-48d5-a760-f90947424ab3 |
||||
dst_actor_os_process_instance_id |
NULLABLE |
STRING |
Cortex XDR/XSIAM unique identifier for the destination operating system's actor process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
32f5ce49-faf5-4169-b0b5-2fd0eeabcabb |
||||
dst_actor_primary_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
0dd6e2c4-27af-405f-a2f4-6f9022a5c105 |
||||
dst_actor_primary_username |
NULLABLE |
STRING |
Name assigned to the user_sid. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
6d9af9de-6e03-49ea-adeb-d1e004a2eec6 |
||||
dst_actor_process_auth_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
6bc8c812-9586-4ee2-9bfa-9f6cc96f22c9 |
||||
dst_actor_process_causality_id |
NULLABLE |
STRING |
Causality ID of the destination actor process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
e3d995af-ed5b-4d04-8494-88057b90421b |
||||
dst_actor_process_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
bdb6ffa7-44cf-4f9e-b3af-640cedcbf26a |
||||
dst_actor_process_command_line_indices |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
c403d951-0863-4444-a261-45c923825332 |
||||
dst_actor_process_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) from which this process started. including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
use to_json_string prior to filtering/altering this field |
97ad3615-4a92-49ab-a84f-ddb32a7fc609 |
|
dst_actor_process_execution_time |
NULLABLE |
INTEGER |
Destination actor process execution time in epoch time. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
8e845b4d-b759-4076-995d-81302fa4eaaf |
||||
dst_actor_process_file_access_time |
NULLABLE |
INTEGER |
Access time of the file that created the destination actor process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
704d79aa-57a4-4e7a-bd18-fcd9ae537a45 |
||||
dst_actor_process_file_create_time |
NULLABLE |
INTEGER |
Creation time of the file that created the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
eaf38271-9840-4a59-af65-5b09631103f6 |
||||
dst_actor_process_file_mod_time |
NULLABLE |
INTEGER |
Modification time of the file that created the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
c6190a9b-a3d3-4803-a3a6-fc38b0d0c0f2 |
||||
dst_actor_process_file_size |
NULLABLE |
INTEGER |
Size of the file involved in the process in bytes. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
9f0ce369-9a7b-4971-b091-e27151ba58af |
||||
dst_actor_process_image_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
0dca070c-8927-4d1e-9dda-e543e2796e5e |
||||
dst_actor_process_image_extension |
NULLABLE |
STRING |
Process image extension - File extension. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
8d62d76d-2294-404f-967b-ef76df67239e |
||||
dst_actor_process_image_md5 |
NULLABLE |
STRING |
MD5 of the binary. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
a65513e5-10de-4fa7-b2a1-5776f264ef98 |
||||
dst_actor_process_image_name |
NULLABLE |
STRING |
File name of the 'dst_actor_process_image_path'. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
3381a86c-9a49-436c-ae17-874a40666825 |
||||
dst_actor_process_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the execution. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
eff8e820-84c3-47f3-9452-4798a03ded42 |
||||
dst_actor_process_image_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
c2bbd5cc-faea-4c90-9048-022d4651085d |
||||
dst_actor_process_instance_id |
NULLABLE |
STRING |
Process instance ID. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
a051e713-7447-4d1e-be21-f1b7f44a9963 |
||||
dst_actor_process_integrity_level |
NULLABLE |
INTEGER |
Process integrity level. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
72e9c04f-0ba1-4f32-9e30-ce17292e0c7e |
||||
dst_actor_process_is_64bit |
NULLABLE |
BOOLEAN |
Indicates whether or not the process is 64-bit. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
d369989f-963d-40f6-902f-0148b214a94a |
||||
dst_actor_process_is_native |
NULLABLE |
BOOLEAN |
Indicates whether or not this process is a "native process". On a 32-bit machine the value is always true, and on a 64-bit machine the value is true, if the process is 64-bit. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
dda1d7e3-76e4-4484-bc1c-a793cf762099 |
||||
dst_actor_process_is_replay |
NULLABLE |
BOOLEAN |
A boolean value that specifies whether the Agent was alive during the execution of the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
f7e9e3e2-6ed2-4dc2-bfaa-1fd4e49d89d2 |
||||
dst_actor_process_is_special |
NULLABLE |
INTEGER |
Indicates special system processes: |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
f3b025c1-2146-489b-8af4-166f45996e22 |
||||
dst_actor_process_logon_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
51a324ca-c95c-4b42-96bf-28dd2a2fd609 |
||||
dst_actor_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the destination actor process |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
70ee99d1-02ff-44e6-980b-aebe66d0c83c |
||||
dst_actor_process_session_id |
NULLABLE |
INTEGER |
Windows: Session ID of the process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
49123da7-8542-413f-8bcf-d1cb0eba2740 |
||||
dst_actor_process_signature_is_embedded |
NULLABLE |
BOOLEAN |
Indicates whether or not the signature is embedded inside the Program Executable (PE) or part of an external catalog file. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
84ef363a-c772-4db8-a14b-8359d0556ba3 |
||||
dst_actor_process_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
1a825796-e65e-4e23-bfb4-19e497fdb6ee |
||||
dst_actor_process_signature_status |
NULLABLE |
INTEGER |
Signature status of the process: Signed = 1 |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
b005fa81-8f55-4ff1-a53d-30a8c62b2c24 |
||||
dst_actor_process_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
8dcdf410-6674-4ea9-befa-7b66d066858c |
||||
dst_actor_remote_host |
NULLABLE |
STRING |
Relevant when the actor is a remote actor and the host was resolved successfully. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
9c809fff-c7d5-4f62-81ea-130ec482cce5 |
||||
dst_actor_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
656a77e1-8939-4eff-8e39-a6f7aada4f47 |
||||
dst_actor_remote_pipe_name |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is RemoteRpcNamedPipe. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
362ef601-64e0-43d0-b880-0fa9694a20da |
||||
dst_actor_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
34397304-2510-4f79-8d83-961f6783633a |
||||
dst_actor_thread_thread_id |
NULLABLE |
INTEGER |
An identifier of the operating system (OS) thread responsible for the event. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
52300311-e5e0-4d62-beaf-da7c52a97d3e |
||||
dst_actor_type |
NULLABLE |
INTEGER |
The type of actor: Local = 1. The actor is a local process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
65f99a55-356e-42b9-93f6-edb3e31d3fb3 |
||||
dst_actor_primary_normalized_user |
RECORD |
A normalized user for the destination actor. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_effective_normalized_user |
RECORD |
A normalized user for the destination actor. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_container_info |
RECORD |
Container information for the destination process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_process_ns_pid |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||||
dst_actor_ns_user_sid |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||||
dst_actor_process_container_id |
STRING |
Container ID that is running this destination process. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_rpc_interface_uuid |
STRING |
MS-RPC interface unique identifier. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_rpc_func_opnum |
INTEGER |
MS-RPC function operation identitifer. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_rpc_interface_version_major |
INTEGER |
MS-RPC interface major version. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_rpc_interface_version_minor |
INTEGER |
MS-RPC interface minor version. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_rpc_protocol |
STRING |
MS-RPC protocol type. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_local_ip |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||||
dst_actor_local_port |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||||
dst_actor_process_image_auth_sha2 |
STRING |
Process image SHA-2 authenticode. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_process_image_auth_sha1 |
STRING |
Process image SHA-1 authenticode. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_process_last_writer_actor |
STRING |
Cortex instance ID of the last process that has written the actor process image. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_process_static_analysis_score |
DEPRECATED |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
|||||||
dst_actor_process_file_original_name |
STRING |
Original file name of the casuality actor image based on the file information metadata. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
||||||
dst_actor_process_file_internal_name |
STRING |
Internal name of the casuality actor image based on the file information metadata. |
DST Action Actor: The DST Action actor is the receiving process for actions performed remotely from one host to another. |
The DST Action actor is the receiving process for actions performed remotely from one host to another.