Field Name |
Mode |
Data Type |
Fields mode |
Fields name |
DATA TYPE |
Description |
Action / Type reminder |
Suffix |
Guid |
|---|---|---|---|---|---|---|---|---|---|
os_actor_causality_id |
NULLABLE |
STRING |
the causality chain identifier of the Operating System actor |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
cb0e067d-d2f6-44c3-aae8-f60ca197d646 |
||||
os_actor_effective_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
724e6fcb-bcf1-49eb-a9b4-a545355f660a |
||||
os_actor_effective_username |
NULLABLE |
STRING |
the username which launched the Operating System actor process |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
e623a8f6-33b5-43fb-a6c4-d2732bff3f26 |
||||
os_actor_is_injected_thread |
NULLABLE |
BOOLEAN |
Indicates whether or not the thread is injected to the operating system actor process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
65deb51d-ab00-496a-840f-2bc7065f4145 |
||||
os_actor_primary_user_sid |
NULLABLE |
STRING |
Win: Primary user token of the executed binary. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
2126383c-fc8f-487c-94cf-0f8b9f19908c |
||||
os_actor_primary_username |
NULLABLE |
STRING |
Name assigned to the user_sid. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
16efec8d-f360-4750-87a8-1c4ed1cd849f |
||||
os_actor_process_auth_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
d931c251-3c23-47e6-a5cd-e43b8ef410e7 |
||||
os_actor_process_causality_id |
NULLABLE |
STRING |
the causality chain identifier of the Operating System actor process |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
f245c5c6-17d1-4c9e-ab27-e19fb97199d9 |
||||
os_actor_process_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
08e28ac1-9755-404e-8fc1-f80eb8e6047e |
||||
os_actor_process_command_line_indices |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
bfe2ce6c-723d-4862-b982-437554530504 |
||||
os_actor_process_device_info |
RECORD |
NULLABLE |
storage_device_bus_type |
INTEGER |
Info about the device (volume + HW) from which this process started. including name, class guid, class name, bus type, volume guid, mount point, file system, drive type, vendor id, product id, and serial number. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
use to_json_string prior to filtering/altering this field |
c4688f1a-8204-4a97-be26-6808024dd959 |
|
os_actor_process_execution_time |
NULLABLE |
INTEGER |
the execution timestamp |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
db0458d5-cbb7-4a31-b9a9-9b9c0832e161 |
||||
os_actor_process_file_access_time |
NULLABLE |
INTEGER |
Access time of the file that created the process |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
5784e2a3-6400-45d1-9523-c9f06f351daf |
||||
os_actor_process_file_create_time |
NULLABLE |
INTEGER |
Creation time of the file that created the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
2842b4c1-de52-4f82-a259-c9837bcca95b |
||||
os_actor_process_file_mod_time |
NULLABLE |
INTEGER |
Modification time of the file that created the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
74ee25dc-1109-4cf9-bfe1-9a58493f7fec |
||||
os_actor_process_file_size |
NULLABLE |
INTEGER |
Size of the file involved in the process in bytes. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
fc78d44f-1ebc-4298-871e-c53a23d7ace1 |
||||
os_actor_process_image_command_line |
NULLABLE |
STRING |
Process command line - The command used to execute the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
cf100486-9766-461b-ba49-2901224090ea |
||||
os_actor_process_image_extension |
NULLABLE |
STRING |
Process image extension - File extension. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
af379f20-2e19-40f4-a757-3c7fa299f054 |
||||
os_actor_process_image_md5 |
NULLABLE |
STRING |
MD5 of the binary. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
0da05470-201a-4dbb-b43d-c85dcba06244 |
||||
os_actor_process_image_name |
NULLABLE |
STRING |
the process image name on the disk |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
2346571a-9035-4f93-b231-a1269f24781a |
||||
os_actor_process_image_path |
NULLABLE |
STRING |
Process image path - A string identifying the location of the execution. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
2860651e-f6e6-4d38-993f-70092659e851 |
||||
os_actor_process_image_sha256 |
NULLABLE |
STRING |
SHA256 of the binary. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
cefc700e-aeb4-482c-b4f6-ae96941cd2cf |
||||
os_actor_process_instance_id |
NULLABLE |
STRING |
Process instance identifier. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
9c00c379-e302-41b4-97d1-d2b6660d4ed0 |
||||
os_actor_process_integrity_level |
NULLABLE |
INTEGER |
the integrity level of the process (INTEGER) |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
75d0aa7c-2c39-46c0-b153-1be5e31fd06b |
||||
os_actor_process_is_64bit |
NULLABLE |
BOOLEAN |
Indicates whether or not the process is compiled for 64 bit. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
ad4a6173-c21a-4089-995e-f241eb4346e5 |
||||
os_actor_process_is_native |
NULLABLE |
BOOLEAN |
Indicates whether or not this process is a "native process". On a 32 bit machine the value will be always true, on 64 bit machine it will be true if the process is 64 bit. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
34b07e3a-5d9b-428f-a5cf-9a17b3c712cc |
||||
os_actor_process_is_replay |
NULLABLE |
BOOLEAN |
Indicates whether or not the process event data is replayed or not. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
f95152e9-0fca-4ff1-94c8-48aed3dccd9b |
||||
os_actor_process_is_special |
NULLABLE |
INTEGER |
Indicates special system processes: |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
ecdecd86-d370-430b-bb9a-f0d7c23a5b9e |
||||
os_actor_process_logon_id |
NULLABLE |
STRING |
Windows: LUID (uint64) representing the token of the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
3e30d068-8345-43d9-b891-f9422efcb710 |
||||
os_actor_process_os_pid |
NULLABLE |
INTEGER |
The Operating System (OS) Process Identifier (PID) of the operating system actor process |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
3f107c76-eebe-4a09-933d-73acfe9bc0f5 |
||||
os_actor_process_session_id |
NULLABLE |
INTEGER |
Windows: Session ID of the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
9251d68c-8402-4edc-b80f-f5cac93b20ea |
||||
os_actor_process_signature_is_embedded |
NULLABLE |
BOOLEAN |
Indicates whether or not the signature is embedded inside the Program Executable (PE) or part of an external catalog file. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
9ad8b130-58f2-467b-b9e0-3a721a77ba7b |
||||
os_actor_process_signature_product |
NULLABLE |
STRING |
Signature product - The product family part of the signature. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
1d78db85-fc21-412c-b379-9c253e81f19d |
||||
os_actor_process_signature_status |
NULLABLE |
INTEGER |
Signature status of the process: |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
c11d9df6-c6db-4c36-ae9f-bb8ddf5a1d09 |
||||
os_actor_process_signature_vendor |
NULLABLE |
STRING |
Signature vendor - The vendor part of the signature. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
fc9c9fcd-a62e-4162-a698-7580426e85f7 |
||||
os_actor_remote_host |
NULLABLE |
STRING |
Relevant when the actor is a remote actor and the host was resolved successfully. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
7cd58ab8-21d9-422b-ab2b-437e1e6f7fec |
||||
os_actor_remote_ip |
NULLABLE |
STRING |
Relevant when the actor is a remote actor, where the type is not local and the IP was resolved successfully. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
728f97e6-68eb-482c-bf19-a26f42a6c6e5 |
||||
os_actor_remote_port |
NULLABLE |
INTEGER |
Relevant when the actor is a remote actor, where the type is RemoteRpcTcp. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
d2b64812-44c5-4c31-aabe-52dec8b60d34 |
||||
os_actor_session_id |
NULLABLE |
INTEGER |
session id of the actor process |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
729c0143-1525-4d51-a90f-0e829550dbfc |
||||
os_actor_thread_thread_id |
NULLABLE |
INTEGER |
thread id of the thread in the process which made the action |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
913244a7-244e-4e8d-b9a2-2a69d480ce62 |
||||
os_actor_type |
NULLABLE |
INTEGER |
Enum describing actor type: |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
c5523d4e-592e-451d-9035-03e46c4be67b |
||||
os_actor_container_info |
RECORD |
Container information for the process. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_process_ns_pid |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||||
os_actor_ns_user_sid |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||||
os_actor_process_container_id |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||||
os_actor_process_image_auth_sha1 |
STRING |
Process image SHA-1 authenticode. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_process_image_auth_sha2 |
STRING |
Process image SHA-2 authenticode. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_process_last_writer_actor |
STRING |
Cortex instance ID of the last process that has written the os actor process image. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_rpc_func_opnum |
INTEGER |
MS-RPC function operation identitifer. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_rpc_interface_version_major |
INTEGER |
MS-RPC interface major version. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_rpc_interface_version_minor |
INTEGER |
MS-RPC interface minor version. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_rpc_protocol |
STRING |
MS-RPC protocol type. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_rpc_interface_uuid |
STRING |
MS-RPC interface unique identifier. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_process_static_analysis_score |
DEPRECATED |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
|||||||
os_actor_process_file_original_name |
STRING |
Original file name of the casuality actor image based on the file information metadata. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
||||||
os_actor_process_file_internal_name |
STRING |
Internal name of the casuality actor image based on the file information metadata. |
OS Actor: The OS actor is the process identified by the operation system as the process that performed the action. |
The OS actor is the process identified by the operation system as the process that performed the action.