Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

CSM Threats event for Windows have the following JSON schema:

BACKEND_EVENT_JSON_SCHEMA

{
    "$id": "https://github.com/DataDog/datadog-agent/tree/main/pkg/security/serializers",
    "$defs": {
        "AgentContext": {
            "properties": {
                "rule_id": {
                    "type": "string"
                },
                "rule_version": {
                    "type": "string"
                },
                "rule_actions": {
                    "items": true,
                    "type": "array"
                },
                "policy_name": {
                    "type": "string"
                },
                "policy_version": {
                    "type": "string"
                },
                "version": {
                    "type": "string"
                },
                "os": {
                    "type": "string"
                },
                "arch": {
                    "type": "string"
                },
                "origin": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "rule_id"
            ]
        },
        "ChangePermissionEvent": {
            "properties": {
                "username": {
                    "type": "string",
                    "description": "User name"
                },
                "user_domain": {
                    "type": "string",
                    "description": "User domain"
                },
                "path": {
                    "type": "string",
                    "description": "Object name"
                },
                "type": {
                    "type": "string",
                    "description": "Object type"
                },
                "old_sd": {
                    "type": "string",
                    "description": "Original Security Descriptor"
                },
                "new_sd": {
                    "type": "string",
                    "description": "New Security Descriptor"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ChangePermissionEventSerializer serializes a permission change event to JSON"
        },
        "ContainerContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "Container ID"
                },
                "created_at": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Creation time of the container"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ContainerContextSerializer serializes a container context to JSON"
        },
        "EventContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Event name"
                },
                "category": {
                    "type": "string",
                    "description": "Event category"
                },
                "outcome": {
                    "type": "string",
                    "description": "Event outcome"
                },
                "async": {
                    "type": "boolean",
                    "description": "True if the event was asynchronous"
                },
                "matched_rules": {
                    "items": {
                        "$ref": "#/$defs/MatchedRule"
                    },
                    "type": "array",
                    "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "EventContextSerializer serializes an event context to JSON"
        },
        "ExitEvent": {
            "properties": {
                "cause": {
                    "type": "string",
                    "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
                },
                "code": {
                    "type": "integer",
                    "description": "Exit code of the process or number of the signal that caused the process to terminate"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "cause",
                "code"
            ],
            "description": "ExitEventSerializer serializes an exit event to JSON"
        },
        "File": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "device_path": {
                    "type": "string",
                    "description": "File device path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "FileSerializer serializes a file to JSON"
        },
        "FileEvent": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "device_path": {
                    "type": "string",
                    "description": "File device path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                },
                "destination": {
                    "$ref": "#/$defs/File",
                    "description": "Target file information"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "FileEventSerializer serializes a file event to JSON"
        },
        "MatchedRule": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "ID of the rule"
                },
                "version": {
                    "type": "string",
                    "description": "Version of the rule"
                },
                "tags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Tags of the rule"
                },
                "policy_name": {
                    "type": "string",
                    "description": "Name of the policy that introduced the rule"
                },
                "policy_version": {
                    "type": "string",
                    "description": "Version of the policy that introduced the rule"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "MatchedRuleSerializer serializes a rule"
        },
        "Process": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "cmdline": {
                    "type": "string",
                    "description": "Command line arguments"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ProcessSerializer serializes a process to JSON"
        },
        "ProcessContext": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "cmdline": {
                    "type": "string",
                    "description": "Command line arguments"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "parent": {
                    "$ref": "#/$defs/Process",
                    "description": "Parent process"
                },
                "ancestors": {
                    "items": {
                        "$ref": "#/$defs/Process"
                    },
                    "type": "array",
                    "description": "Ancestor processes"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                },
                "truncated_ancestors": {
                    "type": "boolean",
                    "description": "True if the ancestors list was truncated because it was too big"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ProcessContextSerializer serializes a process context to JSON"
        },
        "RegistryEvent": {
            "properties": {
                "key_name": {
                    "type": "string",
                    "description": "Registry key name"
                },
                "key_path": {
                    "type": "string",
                    "description": "Registry key path"
                },
                "value_name": {
                    "type": "string",
                    "description": "Value name of the key value"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "RegistryEventSerializer serializes a registry event to JSON"
        },
        "UserContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "User name"
                },
                "sid": {
                    "type": "string",
                    "description": "Owner Sid"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "UserContextSerializer serializes a user context to JSON"
        },
        "Variables": {
            "type": "object",
            "description": "Variables serializes the variable values"
        }
    },
    "properties": {
        "agent": {
            "$ref": "#/$defs/AgentContext"
        },
        "title": {
            "type": "string"
        },
        "evt": {
            "$ref": "#/$defs/EventContext"
        },
        "date": {
            "type": "string",
            "format": "date-time"
        },
        "file": {
            "$ref": "#/$defs/FileEvent"
        },
        "exit": {
            "$ref": "#/$defs/ExitEvent"
        },
        "process": {
            "$ref": "#/$defs/ProcessContext"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext"
        },
        "registry": {
            "$ref": "#/$defs/RegistryEvent"
        },
        "usr": {
            "$ref": "#/$defs/UserContext"
        },
        "permission_change": {
            "$ref": "#/$defs/ChangePermissionEvent"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "agent",
        "title"
    ]
}
ParameterTypeDescription
agent$refPlease see AgentContext
titlestring
evt$refPlease see EventContext
datestring
file$refPlease see FileEvent
exit$refPlease see ExitEvent
process$refPlease see ProcessContext
container$refPlease see ContainerContext
registry$refPlease see RegistryEvent
usr$refPlease see UserContext
permission_change$refPlease see ChangePermissionEvent

AgentContext

{
    "properties": {
        "rule_id": {
            "type": "string"
        },
        "rule_version": {
            "type": "string"
        },
        "rule_actions": {
            "items": true,
            "type": "array"
        },
        "policy_name": {
            "type": "string"
        },
        "policy_version": {
            "type": "string"
        },
        "version": {
            "type": "string"
        },
        "os": {
            "type": "string"
        },
        "arch": {
            "type": "string"
        },
        "origin": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "rule_id"
    ]
}

ChangePermissionEvent

{
    "properties": {
        "username": {
            "type": "string",
            "description": "User name"
        },
        "user_domain": {
            "type": "string",
            "description": "User domain"
        },
        "path": {
            "type": "string",
            "description": "Object name"
        },
        "type": {
            "type": "string",
            "description": "Object type"
        },
        "old_sd": {
            "type": "string",
            "description": "Original Security Descriptor"
        },
        "new_sd": {
            "type": "string",
            "description": "New Security Descriptor"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ChangePermissionEventSerializer serializes a permission change event to JSON"
}
FieldDescription
usernameUser name
user_domainUser domain
pathObject name
typeObject type
old_sdOriginal Security Descriptor
new_sdNew Security Descriptor

ContainerContext

{
    "properties": {
        "id": {
            "type": "string",
            "description": "Container ID"
        },
        "created_at": {
            "type": "string",
            "format": "date-time",
            "description": "Creation time of the container"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ContainerContextSerializer serializes a container context to JSON"
}
FieldDescription
idContainer ID
created_atCreation time of the container
variablesVariables values
References
Variables

EventContext

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Event name"
        },
        "category": {
            "type": "string",
            "description": "Event category"
        },
        "outcome": {
            "type": "string",
            "description": "Event outcome"
        },
        "async": {
            "type": "boolean",
            "description": "True if the event was asynchronous"
        },
        "matched_rules": {
            "items": {
                "$ref": "#/$defs/MatchedRule"
            },
            "type": "array",
            "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "EventContextSerializer serializes an event context to JSON"
}
FieldDescription
nameEvent name
categoryEvent category
outcomeEvent outcome
asyncTrue if the event was asynchronous
matched_rulesThe list of rules that the event matched (only valid in the context of an anomaly)
variablesVariables values
References
Variables

ExitEvent

{
    "properties": {
        "cause": {
            "type": "string",
            "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
        },
        "code": {
            "type": "integer",
            "description": "Exit code of the process or number of the signal that caused the process to terminate"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "cause",
        "code"
    ],
    "description": "ExitEventSerializer serializes an exit event to JSON"
}
FieldDescription
causeCause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
codeExit code of the process or number of the signal that caused the process to terminate

File

{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "device_path": {
            "type": "string",
            "description": "File device path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "FileSerializer serializes a file to JSON"
}
FieldDescription
pathFile path
device_pathFile device path
nameFile basename

FileEvent

{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "device_path": {
            "type": "string",
            "description": "File device path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "destination": {
            "$ref": "#/$defs/File",
            "description": "Target file information"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "FileEventSerializer serializes a file event to JSON"
}
FieldDescription
pathFile path
device_pathFile device path
nameFile basename
destinationTarget file information
References
File

MatchedRule

{
    "properties": {
        "id": {
            "type": "string",
            "description": "ID of the rule"
        },
        "version": {
            "type": "string",
            "description": "Version of the rule"
        },
        "tags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Tags of the rule"
        },
        "policy_name": {
            "type": "string",
            "description": "Name of the policy that introduced the rule"
        },
        "policy_version": {
            "type": "string",
            "description": "Version of the policy that introduced the rule"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "MatchedRuleSerializer serializes a rule"
}
FieldDescription
idID of the rule
versionVersion of the rule
tagsTags of the rule
policy_nameName of the policy that introduced the rule
policy_versionVersion of the policy that introduced the rule

Process

{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "cmdline": {
            "type": "string",
            "description": "Command line arguments"
        },
        "user": {
            "type": "string",
            "description": "User name"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ProcessSerializer serializes a process to JSON"
}
FieldDescription
pidProcess ID
ppidParent Process ID
exec_timeExec time of the process
exit_timeExit time of the process
executableFile information of the executable
containerContainer context
cmdlineCommand line arguments
userUser name

ProcessContext

{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "cmdline": {
            "type": "string",
            "description": "Command line arguments"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "parent": {
            "$ref": "#/$defs/Process",
            "description": "Parent process"
        },
        "ancestors": {
            "items": {
                "$ref": "#/$defs/Process"
            },
            "type": "array",
            "description": "Ancestor processes"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        },
        "truncated_ancestors": {
            "type": "boolean",
            "description": "True if the ancestors list was truncated because it was too big"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ProcessContextSerializer serializes a process context to JSON"
}
FieldDescription
pidProcess ID
ppidParent Process ID
exec_timeExec time of the process
exit_timeExit time of the process
executableFile information of the executable
containerContainer context
cmdlineCommand line arguments
userUser name
parentParent process
ancestorsAncestor processes
variablesVariables values
truncated_ancestorsTrue if the ancestors list was truncated because it was too big

RegistryEvent

{
    "properties": {
        "key_name": {
            "type": "string",
            "description": "Registry key name"
        },
        "key_path": {
            "type": "string",
            "description": "Registry key path"
        },
        "value_name": {
            "type": "string",
            "description": "Value name of the key value"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "RegistryEventSerializer serializes a registry event to JSON"
}
FieldDescription
key_nameRegistry key name
key_pathRegistry key path
value_nameValue name of the key value

UserContext

{
    "properties": {
        "name": {
            "type": "string",
            "description": "User name"
        },
        "sid": {
            "type": "string",
            "description": "Owner Sid"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "UserContextSerializer serializes a user context to JSON"
}
FieldDescription
nameUser name
sidOwner Sid

Variables

{
    "type": "object",
    "description": "Variables serializes the variable values"
}