CSM Threats events for Windows have the following JSON schema:
BACKEND_EVENT_JSON_SCHEMA
{"$id":"https://github.com/DataDog/datadog-agent/tree/main/pkg/security/serializers","$defs":{"AgentContext":{"properties":{"rule_id":{"type":"string"},"rule_version":{"type":"string"},"rule_actions":{"items":true,"type":"array"},"policy_name":{"type":"string"},"policy_version":{"type":"string"},"version":{"type":"string"},"os":{"type":"string"},"arch":{"type":"string"},"origin":{"type":"string"}},"additionalProperties":false,"type":"object","required":["rule_id"]},"ChangePermissionEvent":{"properties":{"username":{"type":"string","description":"User name"},"user_domain":{"type":"string","description":"User domain"},"path":{"type":"string","description":"Object name"},"type":{"type":"string","description":"Object type"},"old_sd":{"type":"string","description":"Original Security Descriptor"},"new_sd":{"type":"string","description":"New Security Descriptor"}},"additionalProperties":false,"type":"object","description":"ChangePermissionEventSerializer serializes a permission change event to JSON"},"ContainerContext":{"properties":{"id":{"type":"string","description":"Container ID"},"created_at":{"type":"string","format":"date-time","description":"Creation time of the container"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"ContainerContextSerializer serializes a container context to JSON"},"EventContext":{"properties":{"name":{"type":"string","description":"Event name"},"category":{"type":"string","description":"Event category"},"outcome":{"type":"string","description":"Event outcome"},"async":{"type":"boolean","description":"True if the event was asynchronous"},"matched_rules":{"items":{"$ref":"#/$defs/MatchedRule"},"type":"array","description":"The list of rules that the event matched (only valid in the context of an anomaly)"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"EventContextSerializer serializes an event context to JSON"},"ExitEvent":{"properties":{"cause":{"type":"string","description":"Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"},"code":{"type":"integer","description":"Exit code of the process or number of the signal that caused the process to terminate"}},"additionalProperties":false,"type":"object","required":["cause","code"],"description":"ExitEventSerializer serializes an exit event to JSON"},"File":{"properties":{"path":{"type":"string","description":"File path"},"device_path":{"type":"string","description":"File device path"},"name":{"type":"string","description":"File basename"}},"additionalProperties":false,"type":"object","description":"FileSerializer serializes a file to JSON"},"FileEvent":{"properties":{"path":{"type":"string","description":"File path"},"device_path":{"type":"string","description":"File device path"},"name":{"type":"string","description":"File basename"},"destination":{"$ref":"#/$defs/File","description":"Target file information"}},"additionalProperties":false,"type":"object","description":"FileEventSerializer serializes a file event to JSON"},"MatchedRule":{"properties":{"id":{"type":"string","description":"ID of the rule"},"version":{"type":"string","description":"Version of the rule"},"tags":{"items":{"type":"string"},"type":"array","description":"Tags of the rule"},"policy_name":{"type":"string","description":"Name of the policy that introduced the rule"},"policy_version":{"type":"string","description":"Version of the policy that introduced the rule"}},"additionalProperties":false,"type":"object","description":"MatchedRuleSerializer serializes a rule"},"Process":{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"cmdline":{"type":"string","description":"Command line arguments"},"user":{"type":"string","description":"User name"}},"additionalProperties":false,"type":"object","description":"ProcessSerializer serializes a process to JSON"},"ProcessContext":{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"cmdline":{"type":"string","description":"Command line arguments"},"user":{"type":"string","description":"User name"},"parent":{"$ref":"#/$defs/Process","description":"Parent process"},"ancestors":{"items":{"$ref":"#/$defs/Process"},"type":"array","description":"Ancestor processes"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"},"truncated_ancestors":{"type":"boolean","description":"True if the ancestors list was truncated because it was too big"}},"additionalProperties":false,"type":"object","description":"ProcessContextSerializer serializes a process context to JSON"},"RegistryEvent":{"properties":{"key_name":{"type":"string","description":"Registry key name"},"key_path":{"type":"string","description":"Registry key path"},"value_name":{"type":"string","description":"Value name of the key value"}},"additionalProperties":false,"type":"object","description":"RegistryEventSerializer serializes a registry event to JSON"},"UserContext":{"properties":{"name":{"type":"string","description":"User name"},"sid":{"type":"string","description":"Owner Sid"}},"additionalProperties":false,"type":"object","description":"UserContextSerializer serializes a user context to JSON"},"Variables":{"type":"object","description":"Variables serializes the variable values"}},"properties":{"agent":{"$ref":"#/$defs/AgentContext"},"title":{"type":"string"},"evt":{"$ref":"#/$defs/EventContext"},"date":{"type":"string","format":"date-time"},"file":{"$ref":"#/$defs/FileEvent"},"exit":{"$ref":"#/$defs/ExitEvent"},"process":{"$ref":"#/$defs/ProcessContext"},"container":{"$ref":"#/$defs/ContainerContext"},"registry":{"$ref":"#/$defs/RegistryEvent"},"usr":{"$ref":"#/$defs/UserContext"},"permission_change":{"$ref":"#/$defs/ChangePermissionEvent"}},"additionalProperties":false,"type":"object","required":["agent","title"]}
{"properties":{"id":{"type":"string","description":"Container ID"},"created_at":{"type":"string","format":"date-time","description":"Creation time of the container"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"ContainerContextSerializer serializes a container context to JSON"}
{"properties":{"name":{"type":"string","description":"Event name"},"category":{"type":"string","description":"Event category"},"outcome":{"type":"string","description":"Event outcome"},"async":{"type":"boolean","description":"True if the event was asynchronous"},"matched_rules":{"items":{"$ref":"#/$defs/MatchedRule"},"type":"array","description":"The list of rules that the event matched (only valid in the context of an anomaly)"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"EventContextSerializer serializes an event context to JSON"}
Field
Description
name
Event name
category
Event category
outcome
Event outcome
async
True if the event was asynchronous
matched_rules
The list of rules that the event matched (only valid in the context of an anomaly)
{"properties":{"cause":{"type":"string","description":"Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"},"code":{"type":"integer","description":"Exit code of the process or number of the signal that caused the process to terminate"}},"additionalProperties":false,"type":"object","required":["cause","code"],"description":"ExitEventSerializer serializes an exit event to JSON"}
Field
Description
cause
Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
code
Exit code of the process or number of the signal that caused the process to terminate
{"properties":{"path":{"type":"string","description":"File path"},"device_path":{"type":"string","description":"File device path"},"name":{"type":"string","description":"File basename"}},"additionalProperties":false,"type":"object","description":"FileSerializer serializes a file to JSON"}
{"properties":{"id":{"type":"string","description":"ID of the rule"},"version":{"type":"string","description":"Version of the rule"},"tags":{"items":{"type":"string"},"type":"array","description":"Tags of the rule"},"policy_name":{"type":"string","description":"Name of the policy that introduced the rule"},"policy_version":{"type":"string","description":"Version of the policy that introduced the rule"}},"additionalProperties":false,"type":"object","description":"MatchedRuleSerializer serializes a rule"}
{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"cmdline":{"type":"string","description":"Command line arguments"},"user":{"type":"string","description":"User name"}},"additionalProperties":false,"type":"object","description":"ProcessSerializer serializes a process to JSON"}
{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"cmdline":{"type":"string","description":"Command line arguments"},"user":{"type":"string","description":"User name"},"parent":{"$ref":"#/$defs/Process","description":"Parent process"},"ancestors":{"items":{"$ref":"#/$defs/Process"},"type":"array","description":"Ancestor processes"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"},"truncated_ancestors":{"type":"boolean","description":"True if the ancestors list was truncated because it was too big"}},"additionalProperties":false,"type":"object","description":"ProcessContextSerializer serializes a process context to JSON"}
Field
Description
pid
Process ID
ppid
Parent Process ID
exec_time
Exec time of the process
exit_time
Exit time of the process
executable
File information of the executable
container
Container context
cmdline
Command line arguments
user
User name
parent
Parent process
ancestors
Ancestor processes
variables
Variables values
truncated_ancestors
True if the ancestors list was truncated because it was too big
{"properties":{"key_name":{"type":"string","description":"Registry key name"},"key_path":{"type":"string","description":"Registry key path"},"value_name":{"type":"string","description":"Value name of the key value"}},"additionalProperties":false,"type":"object","description":"RegistryEventSerializer serializes a registry event to JSON"}
{"properties":{"name":{"type":"string","description":"User name"},"sid":{"type":"string","description":"Owner Sid"}},"additionalProperties":false,"type":"object","description":"UserContextSerializer serializes a user context to JSON"}