This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

CSM Threats event for Windows have the following JSON schema:

BACKEND_EVENT_JSON_SCHEMA

{
    "$id": "https://github.com/DataDog/datadog-agent/tree/main/pkg/security/serializers",
    "$defs": {
        "AgentContext": {
            "properties": {
                "rule_id": {
                    "type": "string"
                },
                "rule_version": {
                    "type": "string"
                },
                "rule_actions": {
                    "items": true,
                    "type": "array"
                },
                "policy_name": {
                    "type": "string"
                },
                "policy_version": {
                    "type": "string"
                },
                "version": {
                    "type": "string"
                },
                "os": {
                    "type": "string"
                },
                "arch": {
                    "type": "string"
                },
                "origin": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "rule_id"
            ]
        },
        "ChangePermissionEvent": {
            "properties": {
                "username": {
                    "type": "string",
                    "description": "User name"
                },
                "user_domain": {
                    "type": "string",
                    "description": "User domain"
                },
                "path": {
                    "type": "string",
                    "description": "Object name"
                },
                "type": {
                    "type": "string",
                    "description": "Object type"
                },
                "old_sd": {
                    "type": "string",
                    "description": "Original Security Descriptor"
                },
                "new_sd": {
                    "type": "string",
                    "description": "New Security Descriptor"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ChangePermissionEventSerializer serializes a permission change event to JSON"
        },
        "ContainerContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "Container ID"
                },
                "created_at": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Creation time of the container"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ContainerContextSerializer serializes a container context to JSON"
        },
        "EventContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Event name"
                },
                "category": {
                    "type": "string",
                    "description": "Event category"
                },
                "outcome": {
                    "type": "string",
                    "description": "Event outcome"
                },
                "async": {
                    "type": "boolean",
                    "description": "True if the event was asynchronous"
                },
                "matched_rules": {
                    "items": {
                        "$ref": "#/$defs/MatchedRule"
                    },
                    "type": "array",
                    "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "EventContextSerializer serializes an event context to JSON"
        },
        "ExitEvent": {
            "properties": {
                "cause": {
                    "type": "string",
                    "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
                },
                "code": {
                    "type": "integer",
                    "description": "Exit code of the process or number of the signal that caused the process to terminate"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "cause",
                "code"
            ],
            "description": "ExitEventSerializer serializes an exit event to JSON"
        },
        "File": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "device_path": {
                    "type": "string",
                    "description": "File device path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "FileSerializer serializes a file to JSON"
        },
        "FileEvent": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "device_path": {
                    "type": "string",
                    "description": "File device path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                },
                "destination": {
                    "$ref": "#/$defs/File",
                    "description": "Target file information"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "FileEventSerializer serializes a file event to JSON"
        },
        "MatchedRule": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "ID of the rule"
                },
                "version": {
                    "type": "string",
                    "description": "Version of the rule"
                },
                "tags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Tags of the rule"
                },
                "policy_name": {
                    "type": "string",
                    "description": "Name of the policy that introduced the rule"
                },
                "policy_version": {
                    "type": "string",
                    "description": "Version of the policy that introduced the rule"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "MatchedRuleSerializer serializes a rule"
        },
        "Process": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "cmdline": {
                    "type": "string",
                    "description": "Command line arguments"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ProcessSerializer serializes a process to JSON"
        },
        "ProcessContext": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "cmdline": {
                    "type": "string",
                    "description": "Command line arguments"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "parent": {
                    "$ref": "#/$defs/Process",
                    "description": "Parent process"
                },
                "ancestors": {
                    "items": {
                        "$ref": "#/$defs/Process"
                    },
                    "type": "array",
                    "description": "Ancestor processes"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                },
                "truncated_ancestors": {
                    "type": "boolean",
                    "description": "True if the ancestors list was truncated because it was too big"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ProcessContextSerializer serializes a process context to JSON"
        },
        "RegistryEvent": {
            "properties": {
                "key_name": {
                    "type": "string",
                    "description": "Registry key name"
                },
                "key_path": {
                    "type": "string",
                    "description": "Registry key path"
                },
                "value_name": {
                    "type": "string",
                    "description": "Value name of the key value"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "RegistryEventSerializer serializes a registry event to JSON"
        },
        "UserContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "User name"
                },
                "sid": {
                    "type": "string",
                    "description": "Owner Sid"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "UserContextSerializer serializes a user context to JSON"
        },
        "Variables": {
            "type": "object",
            "description": "Variables serializes the variable values"
        }
    },
    "properties": {
        "agent": {
            "$ref": "#/$defs/AgentContext"
        },
        "title": {
            "type": "string"
        },
        "evt": {
            "$ref": "#/$defs/EventContext"
        },
        "date": {
            "type": "string",
            "format": "date-time"
        },
        "file": {
            "$ref": "#/$defs/FileEvent"
        },
        "exit": {
            "$ref": "#/$defs/ExitEvent"
        },
        "process": {
            "$ref": "#/$defs/ProcessContext"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext"
        },
        "registry": {
            "$ref": "#/$defs/RegistryEvent"
        },
        "usr": {
            "$ref": "#/$defs/UserContext"
        },
        "permission_change": {
            "$ref": "#/$defs/ChangePermissionEvent"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "agent",
        "title"
    ]
}
ParameterTypeDescription
agent$refPlease see AgentContext
titlestring
evt$refPlease see EventContext
datestring
file$refPlease see FileEvent
exit$refPlease see ExitEvent
process$refPlease see ProcessContext
container$refPlease see ContainerContext
registry$refPlease see RegistryEvent
usr$refPlease see UserContext
permission_change$refPlease see ChangePermissionEvent

AgentContext

{
    "properties": {
        "rule_id": {
            "type": "string"
        },
        "rule_version": {
            "type": "string"
        },
        "rule_actions": {
            "items": true,
            "type": "array"
        },
        "policy_name": {
            "type": "string"
        },
        "policy_version": {
            "type": "string"
        },
        "version": {
            "type": "string"
        },
        "os": {
            "type": "string"
        },
        "arch": {
            "type": "string"
        },
        "origin": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "rule_id"
    ]
}

ChangePermissionEvent

{
    "properties": {
        "username": {
            "type": "string",
            "description": "User name"
        },
        "user_domain": {
            "type": "string",
            "description": "User domain"
        },
        "path": {
            "type": "string",
            "description": "Object name"
        },
        "type": {
            "type": "string",
            "description": "Object type"
        },
        "old_sd": {
            "type": "string",
            "description": "Original Security Descriptor"
        },
        "new_sd": {
            "type": "string",
            "description": "New Security Descriptor"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ChangePermissionEventSerializer serializes a permission change event to JSON"
}
FieldDescription
usernameUser name
user_domainUser domain
pathObject name
typeObject type
old_sdOriginal Security Descriptor
new_sdNew Security Descriptor

ContainerContext

{
    "properties": {
        "id": {
            "type": "string",
            "description": "Container ID"
        },
        "created_at": {
            "type": "string",
            "format": "date-time",
            "description": "Creation time of the container"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ContainerContextSerializer serializes a container context to JSON"
}
FieldDescription
idContainer ID
created_atCreation time of the container
variablesVariables values
References
Variables

EventContext

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Event name"
        },
        "category": {
            "type": "string",
            "description": "Event category"
        },
        "outcome": {
            "type": "string",
            "description": "Event outcome"
        },
        "async": {
            "type": "boolean",
            "description": "True if the event was asynchronous"
        },
        "matched_rules": {
            "items": {
                "$ref": "#/$defs/MatchedRule"
            },
            "type": "array",
            "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "EventContextSerializer serializes an event context to JSON"
}
FieldDescription
nameEvent name
categoryEvent category
outcomeEvent outcome
asyncTrue if the event was asynchronous
matched_rulesThe list of rules that the event matched (only valid in the context of an anomaly)
variablesVariables values
References
Variables

ExitEvent

{
    "properties": {
        "cause": {
            "type": "string",
            "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
        },
        "code": {
            "type": "integer",
            "description": "Exit code of the process or number of the signal that caused the process to terminate"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "cause",
        "code"
    ],
    "description": "ExitEventSerializer serializes an exit event to JSON"
}
FieldDescription
causeCause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
codeExit code of the process or number of the signal that caused the process to terminate

File

{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "device_path": {
            "type": "string",
            "description": "File device path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "FileSerializer serializes a file to JSON"
}
FieldDescription
pathFile path
device_pathFile device path
nameFile basename

FileEvent

{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "device_path": {
            "type": "string",
            "description": "File device path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "destination": {
            "$ref": "#/$defs/File",
            "description": "Target file information"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "FileEventSerializer serializes a file event to JSON"
}
FieldDescription
pathFile path
device_pathFile device path
nameFile basename
destinationTarget file information
References
File

MatchedRule

{
    "properties": {
        "id": {
            "type": "string",
            "description": "ID of the rule"
        },
        "version": {
            "type": "string",
            "description": "Version of the rule"
        },
        "tags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Tags of the rule"
        },
        "policy_name": {
            "type": "string",
            "description": "Name of the policy that introduced the rule"
        },
        "policy_version": {
            "type": "string",
            "description": "Version of the policy that introduced the rule"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "MatchedRuleSerializer serializes a rule"
}
FieldDescription
idID of the rule
versionVersion of the rule
tagsTags of the rule
policy_nameName of the policy that introduced the rule
policy_versionVersion of the policy that introduced the rule

Process

{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "cmdline": {
            "type": "string",
            "description": "Command line arguments"
        },
        "user": {
            "type": "string",
            "description": "User name"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ProcessSerializer serializes a process to JSON"
}
FieldDescription
pidProcess ID
ppidParent Process ID
exec_timeExec time of the process
exit_timeExit time of the process
executableFile information of the executable
containerContainer context
cmdlineCommand line arguments
userUser name

ProcessContext

{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "cmdline": {
            "type": "string",
            "description": "Command line arguments"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "parent": {
            "$ref": "#/$defs/Process",
            "description": "Parent process"
        },
        "ancestors": {
            "items": {
                "$ref": "#/$defs/Process"
            },
            "type": "array",
            "description": "Ancestor processes"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        },
        "truncated_ancestors": {
            "type": "boolean",
            "description": "True if the ancestors list was truncated because it was too big"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ProcessContextSerializer serializes a process context to JSON"
}
FieldDescription
pidProcess ID
ppidParent Process ID
exec_timeExec time of the process
exit_timeExit time of the process
executableFile information of the executable
containerContainer context
cmdlineCommand line arguments
userUser name
parentParent process
ancestorsAncestor processes
variablesVariables values
truncated_ancestorsTrue if the ancestors list was truncated because it was too big

RegistryEvent

{
    "properties": {
        "key_name": {
            "type": "string",
            "description": "Registry key name"
        },
        "key_path": {
            "type": "string",
            "description": "Registry key path"
        },
        "value_name": {
            "type": "string",
            "description": "Value name of the key value"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "RegistryEventSerializer serializes a registry event to JSON"
}
FieldDescription
key_nameRegistry key name
key_pathRegistry key path
value_nameValue name of the key value

UserContext

{
    "properties": {
        "name": {
            "type": "string",
            "description": "User name"
        },
        "sid": {
            "type": "string",
            "description": "Owner Sid"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "UserContextSerializer serializes a user context to JSON"
}
FieldDescription
nameUser name
sidOwner Sid

Variables

{
    "type": "object",
    "description": "Variables serializes the variable values"
}