Field Name |
Mode |
Data Type |
Fields mode |
Fields name |
DATA TYPE |
Description |
Action / Type reminder |
Suffix |
Guid |
---|---|---|---|---|---|---|---|---|---|
dst_causality_actor_causality_id |
NULLABLE |
STRING |
Causality chain identifier. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
fe7feeec-4716-42dd-9da2-7b3e68a1d005 |
||||
dst_causality_actor_effective_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
dea75c68-2bc2-4a8c-a94b-5ecbcd109b2d |
||||
dst_causality_actor_effective_username |
NULLABLE |
STRING |
Source effective username. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
c935e66a-5ad2-4e76-8280-63a23cfc7392 |
||||
dst_causality_actor_primary_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
906fc2ca-f8a2-41e9-a909-8da4091c345d |
||||
dst_causality_actor_primary_username |
NULLABLE |
STRING |
Name assigned to the user_sid. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
6c4904fa-0d2b-4708-b9cc-27f20e066dd3 |
||||
dst_causality_actor_process_auth_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
165d72c7-a1cf-4e93-beb0-bef96a3f0be1 |
||||
dst_causality_actor_process_causality_id |
NULLABLE |
STRING |
Process causality chain identifier |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
c8e9cddc-787c-41d3-9f85-230467e92625 |
||||
dst_causality_actor_process_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
20dd20fe-5577-4642-aee0-99bf388b65ba |
||||
dst_causality_actor_process_command_line_indices |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
7416f867-b1dd-4576-a3bc-965b11a13b7e |
||||
dst_causality_actor_process_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) from which this process started, including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
use to_json_string prior to filtering/altering this field |
89b5c329-66e9-4d6d-bfbf-099355d112f8 |
|
dst_causality_actor_process_execution_time |
NULLABLE |
INTEGER |
Process execution time. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
92a22959-329b-40d2-90c9-3e3f8bd4bd23 |
||||
dst_causality_actor_process_file_access_time |
NULLABLE |
INTEGER |
Access time of the file that created the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
7fbb27e9-199c-4a82-8163-7c9328d0e40d |
||||
dst_causality_actor_process_file_create_time |
NULLABLE |
INTEGER |
Creation time of the file that created the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
d7e5a145-8a21-48f3-8954-b81ed1db30b4 |
||||
dst_causality_actor_process_file_mod_time |
NULLABLE |
INTEGER |
Modification time of the file that created the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
629a0b2a-0e82-438f-87ad-59ae2bb202c4 |
||||
dst_causality_actor_process_file_size |
NULLABLE |
INTEGER |
Size of the file involved in the process in bytes. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
7cb3f915-7a59-4d6d-a938-6a048ca0519e |
||||
dst_causality_actor_process_image_extension |
NULLABLE |
STRING |
Process image extension - File extension. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
ca17f957-6b3a-4a26-bddc-a16c7e1653c3 |
||||
dst_causality_actor_process_image_md5 |
NULLABLE |
STRING |
MD5 of the binary. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
d47d42bb-1562-413b-acf0-2c1353fab984 |
||||
dst_causality_actor_process_image_name |
NULLABLE |
STRING |
Process image name. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
2ac99d75-69d3-44a3-a673-2ec911d24d54 |
||||
dst_causality_actor_process_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the execution. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
97bf78e6-5267-4eca-a694-b3b22bc73954 |
||||
dst_causality_actor_process_image_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
6d7b7d55-b330-4397-9ee8-12dca7da9db0 |
||||
dst_causality_actor_process_instance_id |
NULLABLE |
STRING |
Process instance identifier. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
80386767-0bfe-48c4-9e8a-36786e80e8a9 |
||||
dst_causality_actor_process_integrity_level |
NULLABLE |
INTEGER |
Process integrity level. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
bfec664a-ad72-4824-8f3e-73db2e2d4c5c |
||||
dst_causality_actor_process_is_64bit |
NULLABLE |
BOOLEAN |
Indicates whether or not the process is 64-bit. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
fc32f3ee-4caf-440e-8b54-2ec674fc41c2 |
||||
dst_causality_actor_process_is_native |
NULLABLE |
BOOLEAN |
Indicates whether or not this process is a "native process". On a 32-bit machine, the value is always true, and on a 64-bit machine, the value is true if the process is 64-bit. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
e5ac689f-e85d-4cab-88d6-b1a3bd1c5c8c |
||||
dst_causality_actor_process_is_replay |
NULLABLE |
BOOLEAN |
Indicates whether or not the agent is alive during the execution of the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
7886b488-7293-4246-b4b7-4bc671e98c1c |
||||
dst_causality_actor_process_is_special |
NULLABLE |
INTEGER |
Indicates special system processes: |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
62e2b884-d1da-4d6e-832e-28189854d10e |
||||
dst_causality_actor_process_logon_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
4948a77b-4f39-426d-8556-7bf9dbc3c8be |
||||
dst_causality_actor_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the destination causality actor process |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
1bb1fe75-a579-48ff-84a0-3f13337a1bfc |
||||
dst_causality_actor_process_session_id |
NULLABLE |
INTEGER |
Windows: Session ID of the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
d3f8790c-2285-49db-b579-7bc0ec866b80 |
||||
dst_causality_actor_process_signature_is_embedded |
NULLABLE |
BOOLEAN |
Indicates whether or not the signature is embedded inside the Program Executable (PE) or part of an external catalog file. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
7e28e4c1-ccd7-49c1-af97-bc73eade3cf2 |
||||
dst_causality_actor_process_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
1a5b649c-c52e-449a-aa2e-5b36585d667d |
||||
dst_causality_actor_process_signature_status |
NULLABLE |
INTEGER |
Process Signature Status: Signed = 1 |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
b527aabd-ff0c-48b6-9b9d-d288248c2b04 |
||||
dst_causality_actor_process_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
8abc5b44-3bc9-46b2-adac-09b0497dd35f |
||||
dst_causality_actor_remote_host |
NULLABLE |
STRING |
Relevant when the actor is a remote actor and the host was resolved successfully. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
df8b37a1-52d0-4123-b548-b5277b4629c7 |
||||
dst_causality_actor_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
a3588326-7174-482b-b641-0eb60543ed3e |
||||
dst_causality_actor_remote_pipe_name |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is RemoteRpcNamedPipe. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
33fa3c5c-f077-4be3-a21a-8fb1ddd4c9a9 |
||||
dst_causality_actor_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
3b2430c7-d525-4bf0-83e9-aaad4433a5f0 |
||||
dst_causality_actor_remote_port_pipe_name |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
28361c91-d08e-4850-ac80-67094d3f1d42 |
||||
dst_causality_actor_session_id |
NULLABLE |
INTEGER |
Session ID of the actor process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
2887feca-6824-4921-a0e2-84d5f84ebc91 |
||||
dst_causality_actor_type |
NULLABLE |
INTEGER |
Type of Causality Actor: Local = 1. The actor is a local process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
1286c6da-b0b2-4686-a16f-9987646a3a5e |
||||
dst_causality_actor_container_info |
RECORD |
Container information for the process. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_process_ns_pid |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||||
dst_causality_actor_ns_user_sid |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||||
dst_causality_actor_rpc_interface_uuid |
STRING |
MS-RPC interface unique identifier. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_rpc_func_opnum |
INTEGER |
MS-RPC function operation identifier. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_rpc_interface_version_major |
INTEGER |
MS-RPC interface major version. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_rpc_interface_version_minor |
INTEGER |
MS-RPC interface minor version. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_rpc_protocol |
STRING |
MS-RPC protocol type. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_local_ip |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||||
dst_causality_actor_process_last_writer_actor |
STRING |
Cortex instance ID of the last process that has written the causality actor process image. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_process_static_analysis_score |
DEPRECATED |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
|||||||
dst_causality_actor_local_port |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||||
dst_causality_actor_process_container_id |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||||
dst_causality_actor_process_image_auth_sha1 |
STRING |
Process image SHA-2 authenticode. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_process_image_auth_sha2 |
STRING |
Process image SHA-1 authenticode. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_process_file_original_name |
STRING |
Original file name of the causality actor image based on the file information metadata. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |
||||||
dst_causality_actor_process_file_internal_name |
STRING |
Internal name of the causality actor image based on the file information metadata. |
DST Causality Actor: The DST Causality actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |