Field Name | Mode | Data Type | Fields mode | Fields name | DATA TYPE | Description | Action / Type reminder | Suffix | Guid |
---|---|---|---|---|---|---|---|---|---|
dst_os_actor_causality_id | NULLABLE | STRING | Causality chain ID. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | dbc0b083-0d00-4b04-b903-787af73d5956 | ||||
dst_os_actor_effective_user_sid | NULLABLE | STRING | Win: Primary user token of the executed binary. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 4479cc57-9939-4360-bb1f-f8d184fd427f | ||||
dst_os_actor_effective_username | NULLABLE | STRING | Effective username | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | c7340a50-2b98-44e5-9018-178dcb7e0c71 | ||||
dst_os_actor_is_injected_thread | NULLABLE | BOOLEAN | Indicates whether or not the thread is injected. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 8f1a8574-29a5-4dbb-b5fc-dcdff3157df9 | ||||
dst_os_actor_primary_user_sid | NULLABLE | STRING | Win: Primary user token of the executed binary. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | f05c000b-9c34-42cd-bb8f-0fe6e81bf8c2 | ||||
dst_os_actor_primary_username | NULLABLE | STRING | Name assigned to the user_sid. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 32cc7993-668c-4252-8aea-6986dfd785b8 | ||||
dst_os_actor_process_auth_id | NULLABLE | STRING | Windows: LUID (uint64) representing the token of the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | d11df8bf-dc42-49e7-a1f9-5d4f3cca2617 | ||||
dst_os_actor_process_causality_id | NULLABLE | STRING | Process causality chain ID. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | b9b4d2f7-3067-49b5-b0e7-98b1a871e47b | ||||
dst_os_actor_process_command_line | NULLABLE | STRING | Process command line - The command used to execute the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 2a1ae552-1652-437a-a794-d894bdef98f6 | ||||
dst_os_actor_process_command_line_indices | NULLABLE | STRING | Process command line - The command used to execute the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 35e6cf01-a12a-4b76-961d-1449e4aafcc5 | ||||
dst_os_actor_process_device_info | RECORD | NULLABLE | storage_device_bus_type | INTEGER | Info about the device (volume + HW) from which this process started, including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | use to_json_string prior to filtering/altering this field | 32411fb0-b8ca-4001-8a4a-fd2aaf54f463 | |
dst_os_actor_process_execution_time | NULLABLE | INTEGER | Process execution time in epoch time. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 1944df53-6ddc-42d9-91d6-b47f747ac065 | ||||
dst_os_actor_process_file_access_time | NULLABLE | INTEGER | Access time of the file that created the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | e473d7fe-cd02-4a9b-b695-a9ab2ab21aed | ||||
dst_os_actor_process_file_create_time | NULLABLE | INTEGER | Creation time of the file that created the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 26f63583-7518-4277-92d2-0fce846df20a | ||||
dst_os_actor_process_file_mod_time | NULLABLE | INTEGER | Modification time of the file that created the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 7cabdb4a-a2f7-47ed-9847-35901a11a945 | ||||
dst_os_actor_process_file_size | NULLABLE | INTEGER | Size of the file involved in the process in bytes. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 474a4e4f-d3e6-4284-b2ef-9a3eba56ceab | ||||
dst_os_actor_process_image_command_line | NULLABLE | STRING | Process command line - The command used to execute the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | cd567524-2ac4-4d2c-ae8d-61b38e4b4024 | ||||
dst_os_actor_process_image_extension | NULLABLE | STRING | Process image extension - File extension. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 32f2f891-584e-4c02-af00-44641c526189 | ||||
dst_os_actor_process_image_md5 | NULLABLE | STRING | MD5 of the binary. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 5f2f27f2-1e18-497d-85db-c29beb794a88 | ||||
dst_os_actor_process_image_name | NULLABLE | STRING | Process image name. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 9b91558c-64ab-4cb5-9265-a3b19f903a64 | ||||
dst_os_actor_process_image_path | NULLABLE | STRING | Process image path - A string identifying the location of the execution. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 658feeb9-7c70-4197-8a54-ce074848ee65 | ||||
dst_os_actor_process_image_sha256 | NULLABLE | STRING | SHA256 of the binary. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 77d26287-ccef-405d-8ad4-d98a16fd62b8 | ||||
dst_os_actor_process_instance_id | NULLABLE | STRING | Process instance ID. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | a3b45e9e-c4f3-47e0-88d3-ddea70f1ff15 | ||||
dst_os_actor_process_integrity_level | NULLABLE | INTEGER | Integrity level of the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 4b778554-b47f-498d-921a-890882814dc8 | ||||
dst_os_actor_process_is_64bit | NULLABLE | BOOLEAN | Indicates whether or not the process is 64-bit. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | d2774de7-eddc-41f7-abcd-47d4b3e1b30a | ||||
dst_os_actor_process_is_native | NULLABLE | BOOLEAN | Indicates whether or not this process is a "native process". On a 32-bit machine, the value is always true; on a 64-bit machine, the value is true if the process is 64-bit. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 3aeffa7e-2b5f-48be-b917-6636dfcf91b8 | ||||
dst_os_actor_process_is_replay | NULLABLE | BOOLEAN | Indicates whether or not the process event data is replayed. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 7c5f915f-2b0b-4731-abfd-e58ae13baa50 | ||||
dst_os_actor_process_is_special | NULLABLE | INTEGER | Indicates special system processes: | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 03629d88-9fb4-4e5b-93f3-791932546d1d | ||||
dst_os_actor_process_logon_id | NULLABLE | STRING | Windows: LUID (uint64) representing the token of the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | f8b4a9fd-2fd3-458c-99f2-a43156607c5c | ||||
dst_os_actor_process_os_pid | NULLABLE | INTEGER | The Operating System (OS) Process Identifier (PID) of the destination operating system actor process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 7adde542-8dca-4caf-b5f9-a30b0834bc98 | ||||
dst_os_actor_process_session_id | NULLABLE | INTEGER | Windows: Session ID of the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 52b5977b-ace1-472e-8d76-f2f19ded0fd6 | ||||
dst_os_actor_process_signature_is_embedded | NULLABLE | BOOLEAN | Indicates whether or not the signature is embedded inside the Program Executable or part of an external catalog file. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 76d40fba-9ede-4dd5-936c-c321a2a7138f | ||||
dst_os_actor_process_signature_product | NULLABLE | STRING | Signature product - The product family part of the signature. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 16c1ee60-b31e-463f-880b-67048da7653b | ||||
dst_os_actor_process_signature_status | NULLABLE | INTEGER | Signature status of the process: | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 34ae52cc-50b4-4c9c-9f42-2dff48d8c21e | ||||
dst_os_actor_process_signature_vendor | NULLABLE | STRING | Signature vendor - The vendor part of the signature. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ffa59640-1adf-4645-853d-d4a123499da2 | ||||
dst_os_actor_remote_host | NULLABLE | STRING | Relevant when the actor is a remote actor and the host was resolved successfully. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | a05fe308-8d7f-4ee2-91f5-81fe0fb157fc | ||||
dst_os_actor_remote_ip | NULLABLE | STRING | Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | aeeb52d2-d649-44ac-a896-a335798f395d | ||||
dst_os_actor_remote_port | NULLABLE | INTEGER | Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | c1f23062-ae21-4fc1-8269-6d85036a0e87 | ||||
dst_os_actor_session_id | NULLABLE | INTEGER | Windows: Session ID of the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | b1a6e657-ad5e-4a99-933f-edf3e49e6491 | ||||
dst_os_actor_thread_thread_id | NULLABLE | INTEGER | An identifier of the Operating System (OS) thread responsible for the event. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | f8cae139-f1fa-4209-8797-d98360b0bd5d | ||||
dst_os_actor_type | NULLABLE | INTEGER | Operating System actor type: Local = 1. The actor is a local process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | 14f21843-bd20-48ca-8636-f4e2269653d9 | ||||
dst_os_actor_container_info | RECORD | Container information for the process. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_process_ns_pid | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||||
dst_os_actor_ns_user_sid | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||||
dst_os_actor_process_container_id | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||||
dst_os_actor_process_image_auth_sha1 | STRING | Process image SHA-1 authenticode. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_process_image_auth_sha2 | STRING | The process image SHA-2 authenticode. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_process_last_writer_actor | STRING | Cortex instance ID of the last process that has written the OS actor process image. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_rpc_func_opnum | INTEGER | MS-RPC function operation identifier. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_rpc_interface_version_major | INTEGER | MS-RPC interface major version. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_rpc_interface_version_minor | INTEGER | MS-RPC interface minor version. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_rpc_protocol | STRING | MS-RPC protocol type. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_rpc_interface_uuid | STRING | MS-RPC interface unique identifier. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_process_static_analysis_score | DEPRECATED | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | |||||||
dst_os_actor_process_file_original_name | STRING | Original file name of the destination OS actor image based on the file information metadata. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. | ||||||
dst_os_actor_process_file_internal_name | STRING | Internal name of the destination OS actor image based on the file information metadata. | DST OS Actor: The DST OS actor is the process identified by the operating system on the remote host as the process that performed an action that was responsible for the entire chain of execution. |