이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

When activity matches a Cloud Security Management Threats (CSM Threats) Agent expression, a CSM Threats log will be collected from the system containing all the relevant context about the activity.

This log is sent to Datadog, where it is analyzed. Based on analysis, CSM Threats logs can trigger Security Signals or they can be stored as logs for audit, threat investigation purposes.

CSM Threats logs have the following JSON schema:

BACKEND_EVENT_JSON_SCHEMA

{
    "$id": "https://github.com/DataDog/datadog-agent/tree/main/pkg/security/serializers",
    "$defs": {
        "AWSIMDSEvent": {
            "properties": {
                "is_imds_v2": {
                    "type": "boolean",
                    "description": "is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"
                },
                "security_credentials": {
                    "$ref": "#/$defs/AWSSecurityCredentials",
                    "description": "SecurityCredentials holds the scrubbed data collected on the security credentials"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "is_imds_v2"
            ],
            "description": "AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"
        },
        "AWSSecurityCredentials": {
            "properties": {
                "code": {
                    "type": "string",
                    "description": "code is the IMDS server code response"
                },
                "type": {
                    "type": "string",
                    "description": "type is the security credentials type"
                },
                "access_key_id": {
                    "type": "string",
                    "description": "access_key_id is the unique access key ID of the credentials"
                },
                "last_updated": {
                    "type": "string",
                    "description": "last_updated is the last time the credentials were updated"
                },
                "expiration": {
                    "type": "string",
                    "description": "expiration is the expiration date of the credentials"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "code",
                "type",
                "access_key_id",
                "last_updated",
                "expiration"
            ],
            "description": "AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"
        },
        "AgentContext": {
            "properties": {
                "rule_id": {
                    "type": "string"
                },
                "rule_version": {
                    "type": "string"
                },
                "rule_actions": {
                    "items": true,
                    "type": "array"
                },
                "policy_name": {
                    "type": "string"
                },
                "policy_version": {
                    "type": "string"
                },
                "version": {
                    "type": "string"
                },
                "os": {
                    "type": "string"
                },
                "arch": {
                    "type": "string"
                },
                "origin": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "rule_id"
            ]
        },
        "BPFEvent": {
            "properties": {
                "cmd": {
                    "type": "string",
                    "description": "BPF command"
                },
                "map": {
                    "$ref": "#/$defs/BPFMap",
                    "description": "BPF map"
                },
                "program": {
                    "$ref": "#/$defs/BPFProgram",
                    "description": "BPF program"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "cmd"
            ],
            "description": "BPFEventSerializer serializes a BPF event to JSON"
        },
        "BPFMap": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the BPF map"
                },
                "map_type": {
                    "type": "string",
                    "description": "Type of the BPF map"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "BPFMapSerializer serializes a BPF map to JSON"
        },
        "BPFProgram": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the BPF program"
                },
                "tag": {
                    "type": "string",
                    "description": "Hash (sha1) of the BPF program"
                },
                "program_type": {
                    "type": "string",
                    "description": "Type of the BPF program"
                },
                "attach_type": {
                    "type": "string",
                    "description": "Attach type of the BPF program"
                },
                "helpers": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of helpers used by the BPF program"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "BPFProgramSerializer serializes a BPF map to JSON"
        },
        "BindEvent": {
            "properties": {
                "addr": {
                    "$ref": "#/$defs/IPPortFamily",
                    "description": "Bound address (if any)"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "addr"
            ],
            "description": "BindEventSerializer serializes a bind event to JSON"
        },
        "ContainerContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "Container ID"
                },
                "created_at": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Creation time of the container"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ContainerContextSerializer serializes a container context to JSON"
        },
        "DDContext": {
            "properties": {
                "span_id": {
                    "type": "integer",
                    "description": "Span ID used for APM correlation"
                },
                "trace_id": {
                    "type": "integer",
                    "description": "Trace ID used for APM correlation"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "DDContextSerializer serializes a span context to JSON"
        },
        "DNSEvent": {
            "properties": {
                "id": {
                    "type": "integer",
                    "description": "id is the unique identifier of the DNS request"
                },
                "question": {
                    "$ref": "#/$defs/DNSQuestion",
                    "description": "question is a DNS question for the DNS request"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "id",
                "question"
            ],
            "description": "DNSEventSerializer serializes a DNS event to JSON"
        },
        "DNSQuestion": {
            "properties": {
                "class": {
                    "type": "string",
                    "description": "class is the class looked up by the DNS question"
                },
                "type": {
                    "type": "string",
                    "description": "type is a two octet code which specifies the DNS question type"
                },
                "name": {
                    "type": "string",
                    "description": "name is the queried domain name"
                },
                "size": {
                    "type": "integer",
                    "description": "size is the total DNS request size in bytes"
                },
                "count": {
                    "type": "integer",
                    "description": "count is the total count of questions in the DNS request"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "class",
                "type",
                "name",
                "size",
                "count"
            ],
            "description": "DNSQuestionSerializer serializes a DNS question to JSON"
        },
        "EventContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Event name"
                },
                "category": {
                    "type": "string",
                    "description": "Event category"
                },
                "outcome": {
                    "type": "string",
                    "description": "Event outcome"
                },
                "async": {
                    "type": "boolean",
                    "description": "True if the event was asynchronous"
                },
                "matched_rules": {
                    "items": {
                        "$ref": "#/$defs/MatchedRule"
                    },
                    "type": "array",
                    "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "EventContextSerializer serializes an event context to JSON"
        },
        "ExitEvent": {
            "properties": {
                "cause": {
                    "type": "string",
                    "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
                },
                "code": {
                    "type": "integer",
                    "description": "Exit code of the process or number of the signal that caused the process to terminate"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "cause",
                "code"
            ],
            "description": "ExitEventSerializer serializes an exit event to JSON"
        },
        "File": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Error message from path resolution"
                },
                "inode": {
                    "type": "integer",
                    "description": "File inode number"
                },
                "mode": {
                    "type": "integer",
                    "description": "File mode"
                },
                "in_upper_layer": {
                    "type": "boolean",
                    "description": "Indicator of file OverlayFS layer"
                },
                "mount_id": {
                    "type": "integer",
                    "description": "File mount ID"
                },
                "filesystem": {
                    "type": "string",
                    "description": "File filesystem name"
                },
                "uid": {
                    "type": "integer",
                    "description": "File User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "File Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "File user"
                },
                "group": {
                    "type": "string",
                    "description": "File group"
                },
                "attribute_name": {
                    "type": "string",
                    "description": "File extended attribute name"
                },
                "attribute_namespace": {
                    "type": "string",
                    "description": "File extended attribute namespace"
                },
                "flags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "File flags"
                },
                "access_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File access time"
                },
                "modification_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File modified time"
                },
                "change_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File change time"
                },
                "package_name": {
                    "type": "string",
                    "description": "System package name"
                },
                "package_version": {
                    "type": "string",
                    "description": "System package version"
                },
                "hashes": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of cryptographic hashes of the file"
                },
                "hash_state": {
                    "type": "string",
                    "description": "State of the hashes or reason why they weren't computed"
                },
                "mount_path": {
                    "type": "string",
                    "description": "MountPath path of the mount"
                },
                "mount_source": {
                    "type": "string",
                    "description": "MountSource source of the mount"
                },
                "mount_origin": {
                    "type": "string",
                    "description": "MountOrigin origin of the mount"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "FileSerializer serializes a file to JSON"
        },
        "FileEvent": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Error message from path resolution"
                },
                "inode": {
                    "type": "integer",
                    "description": "File inode number"
                },
                "mode": {
                    "type": "integer",
                    "description": "File mode"
                },
                "in_upper_layer": {
                    "type": "boolean",
                    "description": "Indicator of file OverlayFS layer"
                },
                "mount_id": {
                    "type": "integer",
                    "description": "File mount ID"
                },
                "filesystem": {
                    "type": "string",
                    "description": "File filesystem name"
                },
                "uid": {
                    "type": "integer",
                    "description": "File User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "File Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "File user"
                },
                "group": {
                    "type": "string",
                    "description": "File group"
                },
                "attribute_name": {
                    "type": "string",
                    "description": "File extended attribute name"
                },
                "attribute_namespace": {
                    "type": "string",
                    "description": "File extended attribute namespace"
                },
                "flags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "File flags"
                },
                "access_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File access time"
                },
                "modification_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File modified time"
                },
                "change_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File change time"
                },
                "package_name": {
                    "type": "string",
                    "description": "System package name"
                },
                "package_version": {
                    "type": "string",
                    "description": "System package version"
                },
                "hashes": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of cryptographic hashes of the file"
                },
                "hash_state": {
                    "type": "string",
                    "description": "State of the hashes or reason why they weren't computed"
                },
                "mount_path": {
                    "type": "string",
                    "description": "MountPath path of the mount"
                },
                "mount_source": {
                    "type": "string",
                    "description": "MountSource source of the mount"
                },
                "mount_origin": {
                    "type": "string",
                    "description": "MountOrigin origin of the mount"
                },
                "destination": {
                    "$ref": "#/$defs/File",
                    "description": "Target file information"
                },
                "new_mount_id": {
                    "type": "integer",
                    "description": "New Mount ID"
                },
                "device": {
                    "type": "integer",
                    "description": "Device associated with the file"
                },
                "fstype": {
                    "type": "string",
                    "description": "Filesystem type"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "FileEventSerializer serializes a file event to JSON"
        },
        "IMDSEvent": {
            "properties": {
                "type": {
                    "type": "string",
                    "description": "type is the type of IMDS event"
                },
                "cloud_provider": {
                    "type": "string",
                    "description": "cloud_provider is the intended cloud provider of the IMDS event"
                },
                "url": {
                    "type": "string",
                    "description": "url is the url of the IMDS request"
                },
                "host": {
                    "type": "string",
                    "description": "host is the host of the HTTP protocol"
                },
                "user_agent": {
                    "type": "string",
                    "description": "user_agent is the user agent of the HTTP client"
                },
                "server": {
                    "type": "string",
                    "description": "server is the server header of a response"
                },
                "aws": {
                    "$ref": "#/$defs/AWSIMDSEvent",
                    "description": "AWS holds the AWS specific data parsed from the IMDS event"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "type",
                "cloud_provider"
            ],
            "description": "IMDSEventSerializer serializes an IMDS event to JSON"
        },
        "IPPort": {
            "properties": {
                "ip": {
                    "type": "string",
                    "description": "IP address"
                },
                "port": {
                    "type": "integer",
                    "description": "Port number"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "ip",
                "port"
            ],
            "description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
        },
        "IPPortFamily": {
            "properties": {
                "family": {
                    "type": "string",
                    "description": "Address family"
                },
                "ip": {
                    "type": "string",
                    "description": "IP address"
                },
                "port": {
                    "type": "integer",
                    "description": "Port number"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "family",
                "ip",
                "port"
            ],
            "description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
        },
        "MMapEvent": {
            "properties": {
                "address": {
                    "type": "string",
                    "description": "memory segment address"
                },
                "offset": {
                    "type": "integer",
                    "description": "file offset"
                },
                "length": {
                    "type": "integer",
                    "description": "memory segment length"
                },
                "protection": {
                    "type": "string",
                    "description": "memory segment protection"
                },
                "flags": {
                    "type": "string",
                    "description": "memory segment flags"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "address",
                "offset",
                "length",
                "protection",
                "flags"
            ],
            "description": "MMapEventSerializer serializes a mmap event to JSON"
        },
        "MProtectEvent": {
            "properties": {
                "vm_start": {
                    "type": "string",
                    "description": "memory segment start address"
                },
                "vm_end": {
                    "type": "string",
                    "description": "memory segment end address"
                },
                "vm_protection": {
                    "type": "string",
                    "description": "initial memory segment protection"
                },
                "req_protection": {
                    "type": "string",
                    "description": "new memory segment protection"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "vm_start",
                "vm_end",
                "vm_protection",
                "req_protection"
            ],
            "description": "MProtectEventSerializer serializes a mmap event to JSON"
        },
        "MatchedRule": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "ID of the rule"
                },
                "version": {
                    "type": "string",
                    "description": "Version of the rule"
                },
                "tags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Tags of the rule"
                },
                "policy_name": {
                    "type": "string",
                    "description": "Name of the policy that introduced the rule"
                },
                "policy_version": {
                    "type": "string",
                    "description": "Version of the policy that introduced the rule"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "MatchedRuleSerializer serializes a rule"
        },
        "ModuleEvent": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "module name"
                },
                "loaded_from_memory": {
                    "type": "boolean",
                    "description": "indicates if a module was loaded from memory, as opposed to a file"
                },
                "argv": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array"
                },
                "args_truncated": {
                    "type": "boolean"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "name"
            ],
            "description": "ModuleEventSerializer serializes a module event to JSON"
        },
        "MountEvent": {
            "properties": {
                "mp": {
                    "$ref": "#/$defs/File",
                    "description": "Mount point file information"
                },
                "root": {
                    "$ref": "#/$defs/File",
                    "description": "Root file information"
                },
                "mount_id": {
                    "type": "integer",
                    "description": "Mount ID of the new mount"
                },
                "parent_mount_id": {
                    "type": "integer",
                    "description": "Mount ID of the parent mount"
                },
                "bind_src_mount_id": {
                    "type": "integer",
                    "description": "Mount ID of the source of a bind mount"
                },
                "device": {
                    "type": "integer",
                    "description": "Device associated with the file"
                },
                "fs_type": {
                    "type": "string",
                    "description": "Filesystem type"
                },
                "mountpoint.path": {
                    "type": "string",
                    "description": "Mount point path"
                },
                "source.path": {
                    "type": "string",
                    "description": "Mount source path"
                },
                "mountpoint.path_error": {
                    "type": "string",
                    "description": "Mount point path error"
                },
                "source.path_error": {
                    "type": "string",
                    "description": "Mount source path error"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "mount_id",
                "parent_mount_id",
                "bind_src_mount_id",
                "device"
            ],
            "description": "MountEventSerializer serializes a mount event to JSON"
        },
        "NetworkContext": {
            "properties": {
                "device": {
                    "$ref": "#/$defs/NetworkDevice",
                    "description": "device is the network device on which the event was captured"
                },
                "l3_protocol": {
                    "type": "string",
                    "description": "l3_protocol is the layer 3 protocol name"
                },
                "l4_protocol": {
                    "type": "string",
                    "description": "l4_protocol is the layer 4 protocol name"
                },
                "source": {
                    "$ref": "#/$defs/IPPort",
                    "description": "source is the emitter of the network event"
                },
                "destination": {
                    "$ref": "#/$defs/IPPort",
                    "description": "destination is the receiver of the network event"
                },
                "size": {
                    "type": "integer",
                    "description": "size is the size in bytes of the network event"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "l3_protocol",
                "l4_protocol",
                "source",
                "destination",
                "size"
            ],
            "description": "NetworkContextSerializer serializes the network context to JSON"
        },
        "NetworkDevice": {
            "properties": {
                "netns": {
                    "type": "integer",
                    "description": "netns is the interface ifindex"
                },
                "ifindex": {
                    "type": "integer",
                    "description": "ifindex is the network interface ifindex"
                },
                "ifname": {
                    "type": "string",
                    "description": "ifname is the network interface name"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "netns",
                "ifindex",
                "ifname"
            ],
            "description": "NetworkDeviceSerializer serializes the network device context to JSON"
        },
        "PTraceEvent": {
            "properties": {
                "request": {
                    "type": "string",
                    "description": "ptrace request"
                },
                "address": {
                    "type": "string",
                    "description": "address at which the ptrace request was executed"
                },
                "tracee": {
                    "$ref": "#/$defs/ProcessContext",
                    "description": "process context of the tracee"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "request",
                "address"
            ],
            "description": "PTraceEventSerializer serializes a mmap event to JSON"
        },
        "Process": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "tid": {
                    "type": "integer",
                    "description": "Thread ID"
                },
                "uid": {
                    "type": "integer",
                    "description": "User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Description of an error in the path resolution"
                },
                "comm": {
                    "type": "string",
                    "description": "Command name"
                },
                "tty": {
                    "type": "string",
                    "description": "TTY associated with the process"
                },
                "fork_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Fork time of the process"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "credentials": {
                    "$ref": "#/$defs/ProcessCredentials",
                    "description": "Credentials associated with the process"
                },
                "user_session": {
                    "$ref": "#/$defs/UserSessionContext",
                    "description": "Context of the user session for this event"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "interpreter": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the interpreter"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "argv0": {
                    "type": "string",
                    "description": "First command line argument"
                },
                "args": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Command line arguments"
                },
                "args_truncated": {
                    "type": "boolean",
                    "description": "Indicator of arguments truncation"
                },
                "envs": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Environment variables of the process"
                },
                "envs_truncated": {
                    "type": "boolean",
                    "description": "Indicator of environments variable truncation"
                },
                "is_thread": {
                    "type": "boolean",
                    "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
                },
                "is_kworker": {
                    "type": "boolean",
                    "description": "Indicates whether the process is a kworker"
                },
                "is_exec_child": {
                    "type": "boolean",
                    "description": "Indicates whether the process is an exec following another exec"
                },
                "source": {
                    "type": "string",
                    "description": "Process source"
                },
                "syscalls": {
                    "$ref": "#/$defs/SyscallsEvent",
                    "description": "List of syscalls captured to generate the event"
                },
                "aws_security_credentials": {
                    "items": {
                        "$ref": "#/$defs/AWSSecurityCredentials"
                    },
                    "type": "array",
                    "description": "List of AWS Security Credentials that the process had access to"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "ProcessSerializer serializes a process to JSON"
        },
        "ProcessContext": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "tid": {
                    "type": "integer",
                    "description": "Thread ID"
                },
                "uid": {
                    "type": "integer",
                    "description": "User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Description of an error in the path resolution"
                },
                "comm": {
                    "type": "string",
                    "description": "Command name"
                },
                "tty": {
                    "type": "string",
                    "description": "TTY associated with the process"
                },
                "fork_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Fork time of the process"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "credentials": {
                    "$ref": "#/$defs/ProcessCredentials",
                    "description": "Credentials associated with the process"
                },
                "user_session": {
                    "$ref": "#/$defs/UserSessionContext",
                    "description": "Context of the user session for this event"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "interpreter": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the interpreter"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "argv0": {
                    "type": "string",
                    "description": "First command line argument"
                },
                "args": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Command line arguments"
                },
                "args_truncated": {
                    "type": "boolean",
                    "description": "Indicator of arguments truncation"
                },
                "envs": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Environment variables of the process"
                },
                "envs_truncated": {
                    "type": "boolean",
                    "description": "Indicator of environments variable truncation"
                },
                "is_thread": {
                    "type": "boolean",
                    "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
                },
                "is_kworker": {
                    "type": "boolean",
                    "description": "Indicates whether the process is a kworker"
                },
                "is_exec_child": {
                    "type": "boolean",
                    "description": "Indicates whether the process is an exec following another exec"
                },
                "source": {
                    "type": "string",
                    "description": "Process source"
                },
                "syscalls": {
                    "$ref": "#/$defs/SyscallsEvent",
                    "description": "List of syscalls captured to generate the event"
                },
                "aws_security_credentials": {
                    "items": {
                        "$ref": "#/$defs/AWSSecurityCredentials"
                    },
                    "type": "array",
                    "description": "List of AWS Security Credentials that the process had access to"
                },
                "parent": {
                    "$ref": "#/$defs/Process",
                    "description": "Parent process"
                },
                "ancestors": {
                    "items": {
                        "$ref": "#/$defs/Process"
                    },
                    "type": "array",
                    "description": "Ancestor processes"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                },
                "truncated_ancestors": {
                    "type": "boolean",
                    "description": "True if the ancestors list was truncated because it was too big"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "ProcessContextSerializer serializes a process context to JSON"
        },
        "ProcessCredentials": {
            "properties": {
                "uid": {
                    "type": "integer",
                    "description": "User ID"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "gid": {
                    "type": "integer",
                    "description": "Group ID"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                },
                "euid": {
                    "type": "integer",
                    "description": "Effective User ID"
                },
                "euser": {
                    "type": "string",
                    "description": "Effective User name"
                },
                "egid": {
                    "type": "integer",
                    "description": "Effective Group ID"
                },
                "egroup": {
                    "type": "string",
                    "description": "Effective Group name"
                },
                "fsuid": {
                    "type": "integer",
                    "description": "Filesystem User ID"
                },
                "fsuser": {
                    "type": "string",
                    "description": "Filesystem User name"
                },
                "fsgid": {
                    "type": "integer",
                    "description": "Filesystem Group ID"
                },
                "fsgroup": {
                    "type": "string",
                    "description": "Filesystem Group name"
                },
                "cap_effective": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Effective Capability set"
                },
                "cap_permitted": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Permitted Capability set"
                },
                "destination": {
                    "description": "Credentials after the operation"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid",
                "euid",
                "egid",
                "fsuid",
                "fsgid",
                "cap_effective",
                "cap_permitted"
            ],
            "description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
        },
        "SELinuxBoolChange": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "SELinux boolean name"
                },
                "state": {
                    "type": "string",
                    "description": "SELinux boolean state ('on' or 'off')"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
        },
        "SELinuxBoolCommit": {
            "properties": {
                "state": {
                    "type": "boolean",
                    "description": "SELinux boolean commit operation"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
        },
        "SELinuxEnforceStatus": {
            "properties": {
                "status": {
                    "type": "string",
                    "description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
        },
        "SELinuxEvent": {
            "properties": {
                "bool": {
                    "$ref": "#/$defs/SELinuxBoolChange",
                    "description": "SELinux boolean operation"
                },
                "enforce": {
                    "$ref": "#/$defs/SELinuxEnforceStatus",
                    "description": "SELinux enforcement change"
                },
                "bool_commit": {
                    "$ref": "#/$defs/SELinuxBoolCommit",
                    "description": "SELinux boolean commit"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxEventSerializer serializes a SELinux context to JSON"
        },
        "SecurityProfileContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the security profile"
                },
                "version": {
                    "type": "string",
                    "description": "Version of the profile in use"
                },
                "tags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of tags associated to this profile"
                },
                "event_in_profile": {
                    "type": "boolean",
                    "description": "True if the corresponding event is part of this profile"
                },
                "event_type_state": {
                    "type": "string",
                    "description": "State of the event type in this profile"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "name",
                "version",
                "tags",
                "event_in_profile",
                "event_type_state"
            ],
            "description": "SecurityProfileContextSerializer serializes the security profile context in an event"
        },
        "SignalEvent": {
            "properties": {
                "type": {
                    "type": "string",
                    "description": "signal type"
                },
                "pid": {
                    "type": "integer",
                    "description": "signal target pid"
                },
                "target": {
                    "$ref": "#/$defs/ProcessContext",
                    "description": "process context of the signal target"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "type",
                "pid"
            ],
            "description": "SignalEventSerializer serializes a signal event to JSON"
        },
        "SpliceEvent": {
            "properties": {
                "pipe_entry_flag": {
                    "type": "string",
                    "description": "Entry flag of the fd_out pipe passed to the splice syscall"
                },
                "pipe_exit_flag": {
                    "type": "string",
                    "description": "Exit flag of the fd_out pipe passed to the splice syscall"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "pipe_entry_flag",
                "pipe_exit_flag"
            ],
            "description": "SpliceEventSerializer serializes a splice event to JSON"
        },
        "Syscall": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the syscall"
                },
                "id": {
                    "type": "integer",
                    "description": "ID of the syscall in the host architecture"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "name",
                "id"
            ],
            "description": "SyscallSerializer serializes a syscall"
        },
        "SyscallArgs": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "Path argument"
                },
                "mode": {
                    "type": "integer",
                    "description": "Mode argument"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SyscallArgsSerializer args serializer"
        },
        "SyscallContext": {
            "properties": {
                "chmod": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "chdir": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "exec": {
                    "$ref": "#/$defs/SyscallArgs"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SyscallContextSerializer serializes syscall context"
        },
        "SyscallsEvent": {
            "items": {
                "$ref": "#/$defs/Syscall"
            },
            "type": "array",
            "description": "SyscallsEventSerializer serializes the syscalls from a syscalls event"
        },
        "UserContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "User name"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "UserContextSerializer serializes a user context to JSON"
        },
        "UserSessionContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "Unique identifier of the user session on the host"
                },
                "session_type": {
                    "type": "string",
                    "description": "Type of the user session"
                },
                "k8s_username": {
                    "type": "string",
                    "description": "Username of the Kubernetes \"kubectl exec\" session"
                },
                "k8s_uid": {
                    "type": "string",
                    "description": "UID of the Kubernetes \"kubectl exec\" session"
                },
                "k8s_groups": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Groups of the Kubernetes \"kubectl exec\" session"
                },
                "k8s_extra": {
                    "additionalProperties": {
                        "items": {
                            "type": "string"
                        },
                        "type": "array"
                    },
                    "type": "object",
                    "description": "Extra of the Kubernetes \"kubectl exec\" session"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "UserSessionContextSerializer serializes the user session context to JSON"
        },
        "Variables": {
            "type": "object",
            "description": "Variables serializes the variable values"
        }
    },
    "properties": {
        "agent": {
            "$ref": "#/$defs/AgentContext"
        },
        "title": {
            "type": "string"
        },
        "evt": {
            "$ref": "#/$defs/EventContext"
        },
        "date": {
            "type": "string",
            "format": "date-time"
        },
        "file": {
            "$ref": "#/$defs/FileEvent"
        },
        "exit": {
            "$ref": "#/$defs/ExitEvent"
        },
        "process": {
            "$ref": "#/$defs/ProcessContext"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext"
        },
        "network": {
            "$ref": "#/$defs/NetworkContext"
        },
        "dd": {
            "$ref": "#/$defs/DDContext"
        },
        "security_profile": {
            "$ref": "#/$defs/SecurityProfileContext"
        },
        "selinux": {
            "$ref": "#/$defs/SELinuxEvent"
        },
        "bpf": {
            "$ref": "#/$defs/BPFEvent"
        },
        "mmap": {
            "$ref": "#/$defs/MMapEvent"
        },
        "mprotect": {
            "$ref": "#/$defs/MProtectEvent"
        },
        "ptrace": {
            "$ref": "#/$defs/PTraceEvent"
        },
        "module": {
            "$ref": "#/$defs/ModuleEvent"
        },
        "signal": {
            "$ref": "#/$defs/SignalEvent"
        },
        "splice": {
            "$ref": "#/$defs/SpliceEvent"
        },
        "dns": {
            "$ref": "#/$defs/DNSEvent"
        },
        "imds": {
            "$ref": "#/$defs/IMDSEvent"
        },
        "bind": {
            "$ref": "#/$defs/BindEvent"
        },
        "mount": {
            "$ref": "#/$defs/MountEvent"
        },
        "syscalls": {
            "$ref": "#/$defs/SyscallsEvent"
        },
        "usr": {
            "$ref": "#/$defs/UserContext"
        },
        "syscall": {
            "$ref": "#/$defs/SyscallContext"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "agent",
        "title"
    ]
}
ParameterTypeDescription
agent$refPlease see AgentContext
titlestring
evt$refPlease see EventContext
datestring
file$refPlease see FileEvent
exit$refPlease see ExitEvent
process$refPlease see ProcessContext
container$refPlease see ContainerContext
network$refPlease see NetworkContext
dd$refPlease see DDContext
security_profile$refPlease see SecurityProfileContext
selinux$refPlease see SELinuxEvent
bpf$refPlease see BPFEvent
mmap$refPlease see MMapEvent
mprotect$refPlease see MProtectEvent
ptrace$refPlease see PTraceEvent
module$refPlease see ModuleEvent
signal$refPlease see SignalEvent
splice$refPlease see SpliceEvent
dns$refPlease see DNSEvent
imds$refPlease see IMDSEvent
bind$refPlease see BindEvent
mount$refPlease see MountEvent
syscalls$refPlease see SyscallsEvent
usr$refPlease see UserContext
syscall$refPlease see SyscallContext

AWSIMDSEvent

{
    "properties": {
        "is_imds_v2": {
            "type": "boolean",
            "description": "is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"
        },
        "security_credentials": {
            "$ref": "#/$defs/AWSSecurityCredentials",
            "description": "SecurityCredentials holds the scrubbed data collected on the security credentials"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "is_imds_v2"
    ],
    "description": "AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"
}
FieldDescription
is_imds_v2is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions
security_credentialsSecurityCredentials holds the scrubbed data collected on the security credentials

AWSSecurityCredentials

{
    "properties": {
        "code": {
            "type": "string",
            "description": "code is the IMDS server code response"
        },
        "type": {
            "type": "string",
            "description": "type is the security credentials type"
        },
        "access_key_id": {
            "type": "string",
            "description": "access_key_id is the unique access key ID of the credentials"
        },
        "last_updated": {
            "type": "string",
            "description": "last_updated is the last time the credentials were updated"
        },
        "expiration": {
            "type": "string",
            "description": "expiration is the expiration date of the credentials"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "code",
        "type",
        "access_key_id",
        "last_updated",
        "expiration"
    ],
    "description": "AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"
}
FieldDescription
codecode is the IMDS server code response
typetype is the security credentials type
access_key_idaccess_key_id is the unique access key ID of the credentials
last_updatedlast_updated is the last time the credentials were updated
expirationexpiration is the expiration date of the credentials

AgentContext

{
    "properties": {
        "rule_id": {
            "type": "string"
        },
        "rule_version": {
            "type": "string"
        },
        "rule_actions": {
            "items": true,
            "type": "array"
        },
        "policy_name": {
            "type": "string"
        },
        "policy_version": {
            "type": "string"
        },
        "version": {
            "type": "string"
        },
        "os": {
            "type": "string"
        },
        "arch": {
            "type": "string"
        },
        "origin": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "rule_id"
    ]
}

BPFEvent

{
    "properties": {
        "cmd": {
            "type": "string",
            "description": "BPF command"
        },
        "map": {
            "$ref": "#/$defs/BPFMap",
            "description": "BPF map"
        },
        "program": {
            "$ref": "#/$defs/BPFProgram",
            "description": "BPF program"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "cmd"
    ],
    "description": "BPFEventSerializer serializes a BPF event to JSON"
}
FieldDescription
cmdBPF command
mapBPF map
programBPF program

BPFMap

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the BPF map"
        },
        "map_type": {
            "type": "string",
            "description": "Type of the BPF map"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "BPFMapSerializer serializes a BPF map to JSON"
}
FieldDescription
nameName of the BPF map
map_typeType of the BPF map

BPFProgram

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the BPF program"
        },
        "tag": {
            "type": "string",
            "description": "Hash (sha1) of the BPF program"
        },
        "program_type": {
            "type": "string",
            "description": "Type of the BPF program"
        },
        "attach_type": {
            "type": "string",
            "description": "Attach type of the BPF program"
        },
        "helpers": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of helpers used by the BPF program"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "BPFProgramSerializer serializes a BPF map to JSON"
}
FieldDescription
nameName of the BPF program
tagHash (sha1) of the BPF program
program_typeType of the BPF program
attach_typeAttach type of the BPF program
helpersList of helpers used by the BPF program

BindEvent

{
    "properties": {
        "addr": {
            "$ref": "#/$defs/IPPortFamily",
            "description": "Bound address (if any)"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "addr"
    ],
    "description": "BindEventSerializer serializes a bind event to JSON"
}
FieldDescription
addrBound address (if any)
References
IPPortFamily

ContainerContext

{
    "properties": {
        "id": {
            "type": "string",
            "description": "Container ID"
        },
        "created_at": {
            "type": "string",
            "format": "date-time",
            "description": "Creation time of the container"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ContainerContextSerializer serializes a container context to JSON"
}
FieldDescription
idContainer ID
created_atCreation time of the container
variablesVariables values
References
Variables

DDContext

{
    "properties": {
        "span_id": {
            "type": "integer",
            "description": "Span ID used for APM correlation"
        },
        "trace_id": {
            "type": "integer",
            "description": "Trace ID used for APM correlation"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "DDContextSerializer serializes a span context to JSON"
}
FieldDescription
span_idSpan ID used for APM correlation
trace_idTrace ID used for APM correlation

DNSEvent

{
    "properties": {
        "id": {
            "type": "integer",
            "description": "id is the unique identifier of the DNS request"
        },
        "question": {
            "$ref": "#/$defs/DNSQuestion",
            "description": "question is a DNS question for the DNS request"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "id",
        "question"
    ],
    "description": "DNSEventSerializer serializes a DNS event to JSON"
}
FieldDescription
idid is the unique identifier of the DNS request
questionquestion is a DNS question for the DNS request
References
DNSQuestion

DNSQuestion

{
    "properties": {
        "class": {
            "type": "string",
            "description": "class is the class looked up by the DNS question"
        },
        "type": {
            "type": "string",
            "description": "type is a two octet code which specifies the DNS question type"
        },
        "name": {
            "type": "string",
            "description": "name is the queried domain name"
        },
        "size": {
            "type": "integer",
            "description": "size is the total DNS request size in bytes"
        },
        "count": {
            "type": "integer",
            "description": "count is the total count of questions in the DNS request"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "class",
        "type",
        "name",
        "size",
        "count"
    ],
    "description": "DNSQuestionSerializer serializes a DNS question to JSON"
}
FieldDescription
classclass is the class looked up by the DNS question
typetype is a two octet code which specifies the DNS question type
namename is the queried domain name
sizesize is the total DNS request size in bytes
countcount is the total count of questions in the DNS request

EventContext

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Event name"
        },
        "category": {
            "type": "string",
            "description": "Event category"
        },
        "outcome": {
            "type": "string",
            "description": "Event outcome"
        },
        "async": {
            "type": "boolean",
            "description": "True if the event was asynchronous"
        },
        "matched_rules": {
            "items": {
                "$ref": "#/$defs/MatchedRule"
            },
            "type": "array",
            "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "EventContextSerializer serializes an event context to JSON"
}
FieldDescription
nameEvent name
categoryEvent category
outcomeEvent outcome
asyncTrue if the event was asynchronous
matched_rulesThe list of rules that the event matched (only valid in the context of an anomaly)
variablesVariables values
References
Variables

ExitEvent

{
    "properties": {
        "cause": {
            "type": "string",
            "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
        },
        "code": {
            "type": "integer",
            "description": "Exit code of the process or number of the signal that caused the process to terminate"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "cause",
        "code"
    ],
    "description": "ExitEventSerializer serializes an exit event to JSON"
}
FieldDescription
causeCause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
codeExit code of the process or number of the signal that caused the process to terminate

File

{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Error message from path resolution"
        },
        "inode": {
            "type": "integer",
            "description": "File inode number"
        },
        "mode": {
            "type": "integer",
            "description": "File mode"
        },
        "in_upper_layer": {
            "type": "boolean",
            "description": "Indicator of file OverlayFS layer"
        },
        "mount_id": {
            "type": "integer",
            "description": "File mount ID"
        },
        "filesystem": {
            "type": "string",
            "description": "File filesystem name"
        },
        "uid": {
            "type": "integer",
            "description": "File User ID"
        },
        "gid": {
            "type": "integer",
            "description": "File Group ID"
        },
        "user": {
            "type": "string",
            "description": "File user"
        },
        "group": {
            "type": "string",
            "description": "File group"
        },
        "attribute_name": {
            "type": "string",
            "description": "File extended attribute name"
        },
        "attribute_namespace": {
            "type": "string",
            "description": "File extended attribute namespace"
        },
        "flags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "File flags"
        },
        "access_time": {
            "type": "string",
            "format": "date-time",
            "description": "File access time"
        },
        "modification_time": {
            "type": "string",
            "format": "date-time",
            "description": "File modified time"
        },
        "change_time": {
            "type": "string",
            "format": "date-time",
            "description": "File change time"
        },
        "package_name": {
            "type": "string",
            "description": "System package name"
        },
        "package_version": {
            "type": "string",
            "description": "System package version"
        },
        "hashes": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of cryptographic hashes of the file"
        },
        "hash_state": {
            "type": "string",
            "description": "State of the hashes or reason why they weren't computed"
        },
        "mount_path": {
            "type": "string",
            "description": "MountPath path of the mount"
        },
        "mount_source": {
            "type": "string",
            "description": "MountSource source of the mount"
        },
        "mount_origin": {
            "type": "string",
            "description": "MountOrigin origin of the mount"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "FileSerializer serializes a file to JSON"
}
FieldDescription
pathFile path
nameFile basename
path_resolution_errorError message from path resolution
inodeFile inode number
modeFile mode
in_upper_layerIndicator of file OverlayFS layer
mount_idFile mount ID
filesystemFile filesystem name
uidFile User ID
gidFile Group ID
userFile user
groupFile group
attribute_nameFile extended attribute name
attribute_namespaceFile extended attribute namespace
flagsFile flags
access_timeFile access time
modification_timeFile modified time
change_timeFile change time
package_nameSystem package name
package_versionSystem package version
hashesList of cryptographic hashes of the file
hash_stateState of the hashes or reason why they weren’t computed
mount_pathMountPath path of the mount
mount_sourceMountSource source of the mount
mount_originMountOrigin origin of the mount

FileEvent

{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Error message from path resolution"
        },
        "inode": {
            "type": "integer",
            "description": "File inode number"
        },
        "mode": {
            "type": "integer",
            "description": "File mode"
        },
        "in_upper_layer": {
            "type": "boolean",
            "description": "Indicator of file OverlayFS layer"
        },
        "mount_id": {
            "type": "integer",
            "description": "File mount ID"
        },
        "filesystem": {
            "type": "string",
            "description": "File filesystem name"
        },
        "uid": {
            "type": "integer",
            "description": "File User ID"
        },
        "gid": {
            "type": "integer",
            "description": "File Group ID"
        },
        "user": {
            "type": "string",
            "description": "File user"
        },
        "group": {
            "type": "string",
            "description": "File group"
        },
        "attribute_name": {
            "type": "string",
            "description": "File extended attribute name"
        },
        "attribute_namespace": {
            "type": "string",
            "description": "File extended attribute namespace"
        },
        "flags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "File flags"
        },
        "access_time": {
            "type": "string",
            "format": "date-time",
            "description": "File access time"
        },
        "modification_time": {
            "type": "string",
            "format": "date-time",
            "description": "File modified time"
        },
        "change_time": {
            "type": "string",
            "format": "date-time",
            "description": "File change time"
        },
        "package_name": {
            "type": "string",
            "description": "System package name"
        },
        "package_version": {
            "type": "string",
            "description": "System package version"
        },
        "hashes": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of cryptographic hashes of the file"
        },
        "hash_state": {
            "type": "string",
            "description": "State of the hashes or reason why they weren't computed"
        },
        "mount_path": {
            "type": "string",
            "description": "MountPath path of the mount"
        },
        "mount_source": {
            "type": "string",
            "description": "MountSource source of the mount"
        },
        "mount_origin": {
            "type": "string",
            "description": "MountOrigin origin of the mount"
        },
        "destination": {
            "$ref": "#/$defs/File",
            "description": "Target file information"
        },
        "new_mount_id": {
            "type": "integer",
            "description": "New Mount ID"
        },
        "device": {
            "type": "integer",
            "description": "Device associated with the file"
        },
        "fstype": {
            "type": "string",
            "description": "Filesystem type"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "FileEventSerializer serializes a file event to JSON"
}
FieldDescription
pathFile path
nameFile basename
path_resolution_errorError message from path resolution
inodeFile inode number
modeFile mode
in_upper_layerIndicator of file OverlayFS layer
mount_idFile mount ID
filesystemFile filesystem name
uidFile User ID
gidFile Group ID
userFile user
groupFile group
attribute_nameFile extended attribute name
attribute_namespaceFile extended attribute namespace
flagsFile flags
access_timeFile access time
modification_timeFile modified time
change_timeFile change time
package_nameSystem package name
package_versionSystem package version
hashesList of cryptographic hashes of the file
hash_stateState of the hashes or reason why they weren’t computed
mount_pathMountPath path of the mount
mount_sourceMountSource source of the mount
mount_originMountOrigin origin of the mount
destinationTarget file information
new_mount_idNew Mount ID
deviceDevice associated with the file
fstypeFilesystem type
References
File

IMDSEvent

{
    "properties": {
        "type": {
            "type": "string",
            "description": "type is the type of IMDS event"
        },
        "cloud_provider": {
            "type": "string",
            "description": "cloud_provider is the intended cloud provider of the IMDS event"
        },
        "url": {
            "type": "string",
            "description": "url is the url of the IMDS request"
        },
        "host": {
            "type": "string",
            "description": "host is the host of the HTTP protocol"
        },
        "user_agent": {
            "type": "string",
            "description": "user_agent is the user agent of the HTTP client"
        },
        "server": {
            "type": "string",
            "description": "server is the server header of a response"
        },
        "aws": {
            "$ref": "#/$defs/AWSIMDSEvent",
            "description": "AWS holds the AWS specific data parsed from the IMDS event"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "type",
        "cloud_provider"
    ],
    "description": "IMDSEventSerializer serializes an IMDS event to JSON"
}
FieldDescription
typetype is the type of IMDS event
cloud_providercloud_provider is the intended cloud provider of the IMDS event
urlurl is the url of the IMDS request
hosthost is the host of the HTTP protocol
user_agentuser_agent is the user agent of the HTTP client
serverserver is the server header of a response
awsAWS holds the AWS specific data parsed from the IMDS event
References
AWSIMDSEvent

IPPort

{
    "properties": {
        "ip": {
            "type": "string",
            "description": "IP address"
        },
        "port": {
            "type": "integer",
            "description": "Port number"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "ip",
        "port"
    ],
    "description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
}
FieldDescription
ipIP address
portPort number

IPPortFamily

{
    "properties": {
        "family": {
            "type": "string",
            "description": "Address family"
        },
        "ip": {
            "type": "string",
            "description": "IP address"
        },
        "port": {
            "type": "integer",
            "description": "Port number"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "family",
        "ip",
        "port"
    ],
    "description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
}
FieldDescription
familyAddress family
ipIP address
portPort number

MMapEvent

{
    "properties": {
        "address": {
            "type": "string",
            "description": "memory segment address"
        },
        "offset": {
            "type": "integer",
            "description": "file offset"
        },
        "length": {
            "type": "integer",
            "description": "memory segment length"
        },
        "protection": {
            "type": "string",
            "description": "memory segment protection"
        },
        "flags": {
            "type": "string",
            "description": "memory segment flags"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "address",
        "offset",
        "length",
        "protection",
        "flags"
    ],
    "description": "MMapEventSerializer serializes a mmap event to JSON"
}
FieldDescription
addressmemory segment address
offsetfile offset
lengthmemory segment length
protectionmemory segment protection
flagsmemory segment flags

MProtectEvent

{
    "properties": {
        "vm_start": {
            "type": "string",
            "description": "memory segment start address"
        },
        "vm_end": {
            "type": "string",
            "description": "memory segment end address"
        },
        "vm_protection": {
            "type": "string",
            "description": "initial memory segment protection"
        },
        "req_protection": {
            "type": "string",
            "description": "new memory segment protection"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "vm_start",
        "vm_end",
        "vm_protection",
        "req_protection"
    ],
    "description": "MProtectEventSerializer serializes a mmap event to JSON"
}
FieldDescription
vm_startmemory segment start address
vm_endmemory segment end address
vm_protectioninitial memory segment protection
req_protectionnew memory segment protection

MatchedRule

{
    "properties": {
        "id": {
            "type": "string",
            "description": "ID of the rule"
        },
        "version": {
            "type": "string",
            "description": "Version of the rule"
        },
        "tags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Tags of the rule"
        },
        "policy_name": {
            "type": "string",
            "description": "Name of the policy that introduced the rule"
        },
        "policy_version": {
            "type": "string",
            "description": "Version of the policy that introduced the rule"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "MatchedRuleSerializer serializes a rule"
}
FieldDescription
idID of the rule
versionVersion of the rule
tagsTags of the rule
policy_nameName of the policy that introduced the rule
policy_versionVersion of the policy that introduced the rule

ModuleEvent

{
    "properties": {
        "name": {
            "type": "string",
            "description": "module name"
        },
        "loaded_from_memory": {
            "type": "boolean",
            "description": "indicates if a module was loaded from memory, as opposed to a file"
        },
        "argv": {
            "items": {
                "type": "string"
            },
            "type": "array"
        },
        "args_truncated": {
            "type": "boolean"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "name"
    ],
    "description": "ModuleEventSerializer serializes a module event to JSON"
}
FieldDescription
namemodule name
loaded_from_memoryindicates if a module was loaded from memory, as opposed to a file

MountEvent

{
    "properties": {
        "mp": {
            "$ref": "#/$defs/File",
            "description": "Mount point file information"
        },
        "root": {
            "$ref": "#/$defs/File",
            "description": "Root file information"
        },
        "mount_id": {
            "type": "integer",
            "description": "Mount ID of the new mount"
        },
        "parent_mount_id": {
            "type": "integer",
            "description": "Mount ID of the parent mount"
        },
        "bind_src_mount_id": {
            "type": "integer",
            "description": "Mount ID of the source of a bind mount"
        },
        "device": {
            "type": "integer",
            "description": "Device associated with the file"
        },
        "fs_type": {
            "type": "string",
            "description": "Filesystem type"
        },
        "mountpoint.path": {
            "type": "string",
            "description": "Mount point path"
        },
        "source.path": {
            "type": "string",
            "description": "Mount source path"
        },
        "mountpoint.path_error": {
            "type": "string",
            "description": "Mount point path error"
        },
        "source.path_error": {
            "type": "string",
            "description": "Mount source path error"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "mount_id",
        "parent_mount_id",
        "bind_src_mount_id",
        "device"
    ],
    "description": "MountEventSerializer serializes a mount event to JSON"
}
FieldDescription
mpMount point file information
rootRoot file information
mount_idMount ID of the new mount
parent_mount_idMount ID of the parent mount
bind_src_mount_idMount ID of the source of a bind mount
deviceDevice associated with the file
fs_typeFilesystem type
mountpoint.pathMount point path
source.pathMount source path
mountpoint.path_errorMount point path error
source.path_errorMount source path error
References
File
File

NetworkContext

{
    "properties": {
        "device": {
            "$ref": "#/$defs/NetworkDevice",
            "description": "device is the network device on which the event was captured"
        },
        "l3_protocol": {
            "type": "string",
            "description": "l3_protocol is the layer 3 protocol name"
        },
        "l4_protocol": {
            "type": "string",
            "description": "l4_protocol is the layer 4 protocol name"
        },
        "source": {
            "$ref": "#/$defs/IPPort",
            "description": "source is the emitter of the network event"
        },
        "destination": {
            "$ref": "#/$defs/IPPort",
            "description": "destination is the receiver of the network event"
        },
        "size": {
            "type": "integer",
            "description": "size is the size in bytes of the network event"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "l3_protocol",
        "l4_protocol",
        "source",
        "destination",
        "size"
    ],
    "description": "NetworkContextSerializer serializes the network context to JSON"
}
FieldDescription
devicedevice is the network device on which the event was captured
l3_protocoll3_protocol is the layer 3 protocol name
l4_protocoll4_protocol is the layer 4 protocol name
sourcesource is the emitter of the network event
destinationdestination is the receiver of the network event
sizesize is the size in bytes of the network event

NetworkDevice

{
    "properties": {
        "netns": {
            "type": "integer",
            "description": "netns is the interface ifindex"
        },
        "ifindex": {
            "type": "integer",
            "description": "ifindex is the network interface ifindex"
        },
        "ifname": {
            "type": "string",
            "description": "ifname is the network interface name"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "netns",
        "ifindex",
        "ifname"
    ],
    "description": "NetworkDeviceSerializer serializes the network device context to JSON"
}
FieldDescription
netnsnetns is the interface ifindex
ifindexifindex is the network interface ifindex
ifnameifname is the network interface name

PTraceEvent

{
    "properties": {
        "request": {
            "type": "string",
            "description": "ptrace request"
        },
        "address": {
            "type": "string",
            "description": "address at which the ptrace request was executed"
        },
        "tracee": {
            "$ref": "#/$defs/ProcessContext",
            "description": "process context of the tracee"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "request",
        "address"
    ],
    "description": "PTraceEventSerializer serializes a mmap event to JSON"
}
FieldDescription
requestptrace request
addressaddress at which the ptrace request was executed
traceeprocess context of the tracee
References
ProcessContext

Process

{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "tid": {
            "type": "integer",
            "description": "Thread ID"
        },
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Description of an error in the path resolution"
        },
        "comm": {
            "type": "string",
            "description": "Command name"
        },
        "tty": {
            "type": "string",
            "description": "TTY associated with the process"
        },
        "fork_time": {
            "type": "string",
            "format": "date-time",
            "description": "Fork time of the process"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "credentials": {
            "$ref": "#/$defs/ProcessCredentials",
            "description": "Credentials associated with the process"
        },
        "user_session": {
            "$ref": "#/$defs/UserSessionContext",
            "description": "Context of the user session for this event"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "interpreter": {
            "$ref": "#/$defs/File",
            "description": "File information of the interpreter"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "argv0": {
            "type": "string",
            "description": "First command line argument"
        },
        "args": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Command line arguments"
        },
        "args_truncated": {
            "type": "boolean",
            "description": "Indicator of arguments truncation"
        },
        "envs": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Environment variables of the process"
        },
        "envs_truncated": {
            "type": "boolean",
            "description": "Indicator of environments variable truncation"
        },
        "is_thread": {
            "type": "boolean",
            "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
        },
        "is_kworker": {
            "type": "boolean",
            "description": "Indicates whether the process is a kworker"
        },
        "is_exec_child": {
            "type": "boolean",
            "description": "Indicates whether the process is an exec following another exec"
        },
        "source": {
            "type": "string",
            "description": "Process source"
        },
        "syscalls": {
            "$ref": "#/$defs/SyscallsEvent",
            "description": "List of syscalls captured to generate the event"
        },
        "aws_security_credentials": {
            "items": {
                "$ref": "#/$defs/AWSSecurityCredentials"
            },
            "type": "array",
            "description": "List of AWS Security Credentials that the process had access to"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "ProcessSerializer serializes a process to JSON"
}
FieldDescription
pidProcess ID
ppidParent Process ID
tidThread ID
uidUser ID
gidGroup ID
userUser name
groupGroup name
path_resolution_errorDescription of an error in the path resolution
commCommand name
ttyTTY associated with the process
fork_timeFork time of the process
exec_timeExec time of the process
exit_timeExit time of the process
credentialsCredentials associated with the process
user_sessionContext of the user session for this event
executableFile information of the executable
interpreterFile information of the interpreter
containerContainer context
argv0First command line argument
argsCommand line arguments
args_truncatedIndicator of arguments truncation
envsEnvironment variables of the process
envs_truncatedIndicator of environments variable truncation
is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
is_kworkerIndicates whether the process is a kworker
is_exec_childIndicates whether the process is an exec following another exec
sourceProcess source
syscallsList of syscalls captured to generate the event
aws_security_credentialsList of AWS Security Credentials that the process had access to

ProcessContext

{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "tid": {
            "type": "integer",
            "description": "Thread ID"
        },
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Description of an error in the path resolution"
        },
        "comm": {
            "type": "string",
            "description": "Command name"
        },
        "tty": {
            "type": "string",
            "description": "TTY associated with the process"
        },
        "fork_time": {
            "type": "string",
            "format": "date-time",
            "description": "Fork time of the process"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "credentials": {
            "$ref": "#/$defs/ProcessCredentials",
            "description": "Credentials associated with the process"
        },
        "user_session": {
            "$ref": "#/$defs/UserSessionContext",
            "description": "Context of the user session for this event"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "interpreter": {
            "$ref": "#/$defs/File",
            "description": "File information of the interpreter"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "argv0": {
            "type": "string",
            "description": "First command line argument"
        },
        "args": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Command line arguments"
        },
        "args_truncated": {
            "type": "boolean",
            "description": "Indicator of arguments truncation"
        },
        "envs": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Environment variables of the process"
        },
        "envs_truncated": {
            "type": "boolean",
            "description": "Indicator of environments variable truncation"
        },
        "is_thread": {
            "type": "boolean",
            "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
        },
        "is_kworker": {
            "type": "boolean",
            "description": "Indicates whether the process is a kworker"
        },
        "is_exec_child": {
            "type": "boolean",
            "description": "Indicates whether the process is an exec following another exec"
        },
        "source": {
            "type": "string",
            "description": "Process source"
        },
        "syscalls": {
            "$ref": "#/$defs/SyscallsEvent",
            "description": "List of syscalls captured to generate the event"
        },
        "aws_security_credentials": {
            "items": {
                "$ref": "#/$defs/AWSSecurityCredentials"
            },
            "type": "array",
            "description": "List of AWS Security Credentials that the process had access to"
        },
        "parent": {
            "$ref": "#/$defs/Process",
            "description": "Parent process"
        },
        "ancestors": {
            "items": {
                "$ref": "#/$defs/Process"
            },
            "type": "array",
            "description": "Ancestor processes"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        },
        "truncated_ancestors": {
            "type": "boolean",
            "description": "True if the ancestors list was truncated because it was too big"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "ProcessContextSerializer serializes a process context to JSON"
}
FieldDescription
pidProcess ID
ppidParent Process ID
tidThread ID
uidUser ID
gidGroup ID
userUser name
groupGroup name
path_resolution_errorDescription of an error in the path resolution
commCommand name
ttyTTY associated with the process
fork_timeFork time of the process
exec_timeExec time of the process
exit_timeExit time of the process
credentialsCredentials associated with the process
user_sessionContext of the user session for this event
executableFile information of the executable
interpreterFile information of the interpreter
containerContainer context
argv0First command line argument
argsCommand line arguments
args_truncatedIndicator of arguments truncation
envsEnvironment variables of the process
envs_truncatedIndicator of environments variable truncation
is_threadIndicates whether the process is considered a thread (that is, a child process that hasn’t executed another program)
is_kworkerIndicates whether the process is a kworker
is_exec_childIndicates whether the process is an exec following another exec
sourceProcess source
syscallsList of syscalls captured to generate the event
aws_security_credentialsList of AWS Security Credentials that the process had access to
parentParent process
ancestorsAncestor processes
variablesVariables values
truncated_ancestorsTrue if the ancestors list was truncated because it was too big

ProcessCredentials

{
    "properties": {
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "euid": {
            "type": "integer",
            "description": "Effective User ID"
        },
        "euser": {
            "type": "string",
            "description": "Effective User name"
        },
        "egid": {
            "type": "integer",
            "description": "Effective Group ID"
        },
        "egroup": {
            "type": "string",
            "description": "Effective Group name"
        },
        "fsuid": {
            "type": "integer",
            "description": "Filesystem User ID"
        },
        "fsuser": {
            "type": "string",
            "description": "Filesystem User name"
        },
        "fsgid": {
            "type": "integer",
            "description": "Filesystem Group ID"
        },
        "fsgroup": {
            "type": "string",
            "description": "Filesystem Group name"
        },
        "cap_effective": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Effective Capability set"
        },
        "cap_permitted": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Permitted Capability set"
        },
        "destination": {
            "description": "Credentials after the operation"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid",
        "euid",
        "egid",
        "fsuid",
        "fsgid",
        "cap_effective",
        "cap_permitted"
    ],
    "description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
}
FieldDescription
uidUser ID
userUser name
gidGroup ID
groupGroup name
euidEffective User ID
euserEffective User name
egidEffective Group ID
egroupEffective Group name
fsuidFilesystem User ID
fsuserFilesystem User name
fsgidFilesystem Group ID
fsgroupFilesystem Group name
cap_effectiveEffective Capability set
cap_permittedPermitted Capability set
destinationCredentials after the operation

SELinuxBoolChange

{
    "properties": {
        "name": {
            "type": "string",
            "description": "SELinux boolean name"
        },
        "state": {
            "type": "string",
            "description": "SELinux boolean state ('on' or 'off')"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
}
FieldDescription
nameSELinux boolean name
stateSELinux boolean state (‘on’ or ‘off’)

SELinuxBoolCommit

{
    "properties": {
        "state": {
            "type": "boolean",
            "description": "SELinux boolean commit operation"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
}
FieldDescription
stateSELinux boolean commit operation

SELinuxEnforceStatus

{
    "properties": {
        "status": {
            "type": "string",
            "description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
}
FieldDescription
statusSELinux enforcement status (one of ’enforcing’, ‘permissive’ or ‘disabled’)

SELinuxEvent

{
    "properties": {
        "bool": {
            "$ref": "#/$defs/SELinuxBoolChange",
            "description": "SELinux boolean operation"
        },
        "enforce": {
            "$ref": "#/$defs/SELinuxEnforceStatus",
            "description": "SELinux enforcement change"
        },
        "bool_commit": {
            "$ref": "#/$defs/SELinuxBoolCommit",
            "description": "SELinux boolean commit"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxEventSerializer serializes a SELinux context to JSON"
}
FieldDescription
boolSELinux boolean operation
enforceSELinux enforcement change
bool_commitSELinux boolean commit

SecurityProfileContext

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the security profile"
        },
        "version": {
            "type": "string",
            "description": "Version of the profile in use"
        },
        "tags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of tags associated to this profile"
        },
        "event_in_profile": {
            "type": "boolean",
            "description": "True if the corresponding event is part of this profile"
        },
        "event_type_state": {
            "type": "string",
            "description": "State of the event type in this profile"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "name",
        "version",
        "tags",
        "event_in_profile",
        "event_type_state"
    ],
    "description": "SecurityProfileContextSerializer serializes the security profile context in an event"
}
FieldDescription
nameName of the security profile
versionVersion of the profile in use
tagsList of tags associated to this profile
event_in_profileTrue if the corresponding event is part of this profile
event_type_stateState of the event type in this profile

SignalEvent

{
    "properties": {
        "type": {
            "type": "string",
            "description": "signal type"
        },
        "pid": {
            "type": "integer",
            "description": "signal target pid"
        },
        "target": {
            "$ref": "#/$defs/ProcessContext",
            "description": "process context of the signal target"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "type",
        "pid"
    ],
    "description": "SignalEventSerializer serializes a signal event to JSON"
}
FieldDescription
typesignal type
pidsignal target pid
targetprocess context of the signal target
References
ProcessContext

SpliceEvent

{
    "properties": {
        "pipe_entry_flag": {
            "type": "string",
            "description": "Entry flag of the fd_out pipe passed to the splice syscall"
        },
        "pipe_exit_flag": {
            "type": "string",
            "description": "Exit flag of the fd_out pipe passed to the splice syscall"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "pipe_entry_flag",
        "pipe_exit_flag"
    ],
    "description": "SpliceEventSerializer serializes a splice event to JSON"
}
FieldDescription
pipe_entry_flagEntry flag of the fd_out pipe passed to the splice syscall
pipe_exit_flagExit flag of the fd_out pipe passed to the splice syscall

Syscall

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the syscall"
        },
        "id": {
            "type": "integer",
            "description": "ID of the syscall in the host architecture"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "name",
        "id"
    ],
    "description": "SyscallSerializer serializes a syscall"
}
FieldDescription
nameName of the syscall
idID of the syscall in the host architecture

SyscallArgs

{
    "properties": {
        "path": {
            "type": "string",
            "description": "Path argument"
        },
        "mode": {
            "type": "integer",
            "description": "Mode argument"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SyscallArgsSerializer args serializer"
}
FieldDescription
pathPath argument
modeMode argument

SyscallContext

{
    "properties": {
        "chmod": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "chdir": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "exec": {
            "$ref": "#/$defs/SyscallArgs"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SyscallContextSerializer serializes syscall context"
}

SyscallsEvent

{
    "items": {
        "$ref": "#/$defs/Syscall"
    },
    "type": "array",
    "description": "SyscallsEventSerializer serializes the syscalls from a syscalls event"
}

UserContext

{
    "properties": {
        "id": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "UserContextSerializer serializes a user context to JSON"
}
FieldDescription
idUser name
groupGroup name

UserSessionContext

{
    "properties": {
        "id": {
            "type": "string",
            "description": "Unique identifier of the user session on the host"
        },
        "session_type": {
            "type": "string",
            "description": "Type of the user session"
        },
        "k8s_username": {
            "type": "string",
            "description": "Username of the Kubernetes \"kubectl exec\" session"
        },
        "k8s_uid": {
            "type": "string",
            "description": "UID of the Kubernetes \"kubectl exec\" session"
        },
        "k8s_groups": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Groups of the Kubernetes \"kubectl exec\" session"
        },
        "k8s_extra": {
            "additionalProperties": {
                "items": {
                    "type": "string"
                },
                "type": "array"
            },
            "type": "object",
            "description": "Extra of the Kubernetes \"kubectl exec\" session"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "UserSessionContextSerializer serializes the user session context to JSON"
}
FieldDescription
idUnique identifier of the user session on the host
session_typeType of the user session
k8s_usernameUsername of the Kubernetes “kubectl exec” session
k8s_uidUID of the Kubernetes “kubectl exec” session
k8s_groupsGroups of the Kubernetes “kubectl exec” session
k8s_extraExtra of the Kubernetes “kubectl exec” session

Variables

{
    "type": "object",
    "description": "Variables serializes the variable values"
}