CSM Threats events for Linux systems have the following JSON schema:
BACKEND_EVENT_JSON_SCHEMA
{
"$id": "https://github.com/DataDog/datadog-agent/tree/main/pkg/security/serializers",
"$defs": {
"AWSIMDSEvent": {
"properties": {
"is_imds_v2": {
"type": "boolean",
"description": "is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"
},
"security_credentials": {
"$ref": "#/$defs/AWSSecurityCredentials",
"description": "SecurityCredentials holds the scrubbed data collected on the security credentials"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"is_imds_v2"
],
"description": "AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"
},
"AWSSecurityCredentials": {
"properties": {
"code": {
"type": "string",
"description": "code is the IMDS server code response"
},
"type": {
"type": "string",
"description": "type is the security credentials type"
},
"access_key_id": {
"type": "string",
"description": "access_key_id is the unique access key ID of the credentials"
},
"last_updated": {
"type": "string",
"description": "last_updated is the last time the credentials were updated"
},
"expiration": {
"type": "string",
"description": "expiration is the expiration date of the credentials"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"code",
"type",
"access_key_id",
"last_updated",
"expiration"
],
"description": "AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"
},
"AgentContext": {
"properties": {
"rule_id": {
"type": "string"
},
"rule_version": {
"type": "string"
},
"rule_actions": {
"items": true,
"type": "array"
},
"policy_name": {
"type": "string"
},
"policy_version": {
"type": "string"
},
"version": {
"type": "string"
},
"os": {
"type": "string"
},
"arch": {
"type": "string"
},
"origin": {
"type": "string"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"rule_id"
]
},
"BPFEvent": {
"properties": {
"cmd": {
"type": "string",
"description": "BPF command"
},
"map": {
"$ref": "#/$defs/BPFMap",
"description": "BPF map"
},
"program": {
"$ref": "#/$defs/BPFProgram",
"description": "BPF program"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cmd"
],
"description": "BPFEventSerializer serializes a BPF event to JSON"
},
"BPFMap": {
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF map"
},
"map_type": {
"type": "string",
"description": "Type of the BPF map"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFMapSerializer serializes a BPF map to JSON"
},
"BPFProgram": {
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF program"
},
"tag": {
"type": "string",
"description": "Hash (sha1) of the BPF program"
},
"program_type": {
"type": "string",
"description": "Type of the BPF program"
},
"attach_type": {
"type": "string",
"description": "Attach type of the BPF program"
},
"helpers": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of helpers used by the BPF program"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFProgramSerializer serializes a BPF program to JSON"
},
"BindEvent": {
"properties": {
"addr": {
"$ref": "#/$defs/IPPortFamily",
"description": "Bound address (if any)"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"addr"
],
"description": "BindEventSerializer serializes a bind event to JSON"
},
"CGroupContext": {
"properties": {
"id": {
"type": "string",
"description": "CGroup ID"
},
"manager": {
"type": "string",
"description": "CGroup manager"
}
},
"additionalProperties": false,
"type": "object",
"description": "CGroupContextSerializer serializes a cgroup context to JSON"
},
"ContainerContext": {
"properties": {
"id": {
"type": "string",
"description": "Container ID"
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Creation time of the container"
},
"variables": {
"$ref": "#/$defs/Variables",
"description": "Variables values"
}
},
"additionalProperties": false,
"type": "object",
"description": "ContainerContextSerializer serializes a container context to JSON"
},
"DDContext": {
"properties": {
"span_id": {
"type": "string",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "string",
"description": "Trace ID used for APM correlation"
}
},
"additionalProperties": false,
"type": "object",
"description": "DDContextSerializer serializes a span context to JSON"
},
"DNSEvent": {
"properties": {
"id": {
"type": "integer",
"description": "id is the unique identifier of the DNS request"
},
"question": {
"$ref": "#/$defs/DNSQuestion",
"description": "question is a DNS question for the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"id",
"question"
],
"description": "DNSEventSerializer serializes a DNS event to JSON"
},
"DNSQuestion": {
"properties": {
"class": {
"type": "string",
"description": "class is the class looked up by the DNS question"
},
"type": {
"type": "string",
"description": "type is a two octet code which specifies the DNS question type"
},
"name": {
"type": "string",
"description": "name is the queried domain name"
},
"size": {
"type": "integer",
"description": "size is the total DNS request size in bytes"
},
"count": {
"type": "integer",
"description": "count is the total count of questions in the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"class",
"type",
"name",
"size",
"count"
],
"description": "DNSQuestionSerializer serializes a DNS question to JSON"
},
"EventContext": {
"properties": {
"name": {
"type": "string",
"description": "Event name"
},
"category": {
"type": "string",
"description": "Event category"
},
"outcome": {
"type": "string",
"description": "Event outcome"
},
"async": {
"type": "boolean",
"description": "True if the event was asynchronous"
},
"matched_rules": {
"items": {
"$ref": "#/$defs/MatchedRule"
},
"type": "array",
"description": "The list of rules that the event matched (only valid in the context of an anomaly)"
},
"variables": {
"$ref": "#/$defs/Variables",
"description": "Variables values"
}
},
"additionalProperties": false,
"type": "object",
"description": "EventContextSerializer serializes an event context to JSON"
},
"ExitEvent": {
"properties": {
"cause": {
"type": "string",
"description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
},
"code": {
"type": "integer",
"description": "Exit code of the process or number of the signal that caused the process to terminate"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cause",
"code"
],
"description": "ExitEventSerializer serializes an exit event to JSON"
},
"File": {
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"package_name": {
"type": "string",
"description": "System package name"
},
"package_version": {
"type": "string",
"description": "System package version"
},
"hashes": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of cryptographic hashes of the file"
},
"hash_state": {
"type": "string",
"description": "State of the hashes or reason why they weren't computed"
},
"mount_path": {
"type": "string",
"description": "MountPath path of the mount"
},
"mount_source": {
"type": "string",
"description": "MountSource source of the mount"
},
"mount_origin": {
"type": "string",
"description": "MountOrigin origin of the mount"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileSerializer serializes a file to JSON"
},
"FileEvent": {
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"package_name": {
"type": "string",
"description": "System package name"
},
"package_version": {
"type": "string",
"description": "System package version"
},
"hashes": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of cryptographic hashes of the file"
},
"hash_state": {
"type": "string",
"description": "State of the hashes or reason why they weren't computed"
},
"mount_path": {
"type": "string",
"description": "MountPath path of the mount"
},
"mount_source": {
"type": "string",
"description": "MountSource source of the mount"
},
"mount_origin": {
"type": "string",
"description": "MountOrigin origin of the mount"
},
"destination": {
"$ref": "#/$defs/File",
"description": "Target file information"
},
"new_mount_id": {
"type": "integer",
"description": "New Mount ID"
},
"device": {
"type": "integer",
"description": "Device associated with the file"
},
"fstype": {
"type": "string",
"description": "Filesystem type"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileEventSerializer serializes a file event to JSON"
},
"IMDSEvent": {
"properties": {
"type": {
"type": "string",
"description": "type is the type of IMDS event"
},
"cloud_provider": {
"type": "string",
"description": "cloud_provider is the intended cloud provider of the IMDS event"
},
"url": {
"type": "string",
"description": "url is the url of the IMDS request"
},
"host": {
"type": "string",
"description": "host is the host of the HTTP protocol"
},
"user_agent": {
"type": "string",
"description": "user_agent is the user agent of the HTTP client"
},
"server": {
"type": "string",
"description": "server is the server header of a response"
},
"aws": {
"$ref": "#/$defs/AWSIMDSEvent",
"description": "AWS holds the AWS specific data parsed from the IMDS event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"type",
"cloud_provider"
],
"description": "IMDSEventSerializer serializes an IMDS event to JSON"
},
"IPPort": {
"properties": {
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"ip",
"port"
],
"description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
},
"IPPortFamily": {
"properties": {
"family": {
"type": "string",
"description": "Address family"
},
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"family",
"ip",
"port"
],
"description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
},
"MMapEvent": {
"properties": {
"address": {
"type": "string",
"description": "memory segment address"
},
"offset": {
"type": "integer",
"description": "file offset"
},
"length": {
"type": "integer",
"description": "memory segment length"
},
"protection": {
"type": "string",
"description": "memory segment protection"
},
"flags": {
"type": "string",
"description": "memory segment flags"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"address",
"offset",
"length",
"protection",
"flags"
],
"description": "MMapEventSerializer serializes a mmap event to JSON"
},
"MProtectEvent": {
"properties": {
"vm_start": {
"type": "string",
"description": "memory segment start address"
},
"vm_end": {
"type": "string",
"description": "memory segment end address"
},
"vm_protection": {
"type": "string",
"description": "initial memory segment protection"
},
"req_protection": {
"type": "string",
"description": "new memory segment protection"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"vm_start",
"vm_end",
"vm_protection",
"req_protection"
],
"description": "MProtectEventSerializer serializes an mprotect event to JSON"
},
"MatchedRule": {
"properties": {
"id": {
"type": "string",
"description": "ID of the rule"
},
"version": {
"type": "string",
"description": "Version of the rule"
},
"tags": {
"items": {
"type": "string"
},
"type": "array",
"description": "Tags of the rule"
},
"policy_name": {
"type": "string",
"description": "Name of the policy that introduced the rule"
},
"policy_version": {
"type": "string",
"description": "Version of the policy that introduced the rule"
}
},
"additionalProperties": false,
"type": "object",
"description": "MatchedRuleSerializer serializes a rule"
},
"ModuleEvent": {
"properties": {
"name": {
"type": "string",
"description": "module name"
},
"loaded_from_memory": {
"type": "boolean",
"description": "indicates if a module was loaded from memory, as opposed to a file"
},
"argv": {
"items": {
"type": "string"
},
"type": "array"
},
"args_truncated": {
"type": "boolean"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name"
],
"description": "ModuleEventSerializer serializes a module event to JSON"
},
"MountEvent": {
"properties": {
"mp": {
"$ref": "#/$defs/File",
"description": "Mount point file information"
},
"root": {
"$ref": "#/$defs/File",
"description": "Root file information"
},
"mount_id": {
"type": "integer",
"description": "Mount ID of the new mount"
},
"parent_mount_id": {
"type": "integer",
"description": "Mount ID of the parent mount"
},
"bind_src_mount_id": {
"type": "integer",
"description": "Mount ID of the source of a bind mount"
},
"device": {
"type": "integer",
"description": "Device associated with the file"
},
"fs_type": {
"type": "string",
"description": "Filesystem type"
},
"mountpoint.path": {
"type": "string",
"description": "Mount point path"
},
"source.path": {
"type": "string",
"description": "Mount source path"
},
"mountpoint.path_error": {
"type": "string",
"description": "Mount point path error"
},
"source.path_error": {
"type": "string",
"description": "Mount source path error"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"mount_id",
"parent_mount_id",
"bind_src_mount_id",
"device"
],
"description": "MountEventSerializer serializes a mount event to JSON"
},
"NetworkContext": {
"properties": {
"device": {
"$ref": "#/$defs/NetworkDevice",
"description": "device is the network device on which the event was captured"
},
"l3_protocol": {
"type": "string",
"description": "l3_protocol is the layer 3 protocol name"
},
"l4_protocol": {
"type": "string",
"description": "l4_protocol is the layer 4 protocol name"
},
"source": {
"$ref": "#/$defs/IPPort",
"description": "source is the emitter of the network event"
},
"destination": {
"$ref": "#/$defs/IPPort",
"description": "destination is the receiver of the network event"
},
"size": {
"type": "integer",
"description": "size is the size in bytes of the network event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"l3_protocol",
"l4_protocol",
"source",
"destination",
"size"
],
"description": "NetworkContextSerializer serializes the network context to JSON"
},
"NetworkDevice": {
"properties": {
"netns": {
"type": "integer",
"description": "netns is the interface ifindex"
},
"ifindex": {
"type": "integer",
"description": "ifindex is the network interface ifindex"
},
"ifname": {
"type": "string",
"description": "ifname is the network interface name"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"netns",
"ifindex",
"ifname"
],
"description": "NetworkDeviceSerializer serializes the network device context to JSON"
},
"PTraceEvent": {
"properties": {
"request": {
"type": "string",
"description": "ptrace request"
},
"address": {
"type": "string",
"description": "address at which the ptrace request was executed"
},
"tracee": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the tracee"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"request",
"address"
],
"description": "PTraceEventSerializer serializes a ptrace event to JSON"
},
"Process": {
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"user_session": {
"$ref": "#/$defs/UserSessionContext",
"description": "Context of the user session for this event"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environment variables truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
},
"is_exec_child": {
"type": "boolean",
"description": "Indicates whether the process is an exec following another exec"
},
"source": {
"type": "string",
"description": "Process source"
},
"syscalls": {
"$ref": "#/$defs/SyscallsEvent",
"description": "List of syscalls captured to generate the event"
},
"aws_security_credentials": {
"items": {
"$ref": "#/$defs/AWSSecurityCredentials"
},
"type": "array",
"description": "List of AWS Security Credentials that the process had access to"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessSerializer serializes a process to JSON"
},
"ProcessContext": {
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"user_session": {
"$ref": "#/$defs/UserSessionContext",
"description": "Context of the user session for this event"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environment variables truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
},
"is_exec_child": {
"type": "boolean",
"description": "Indicates whether the process is an exec following another exec"
},
"source": {
"type": "string",
"description": "Process source"
},
"syscalls": {
"$ref": "#/$defs/SyscallsEvent",
"description": "List of syscalls captured to generate the event"
},
"aws_security_credentials": {
"items": {
"$ref": "#/$defs/AWSSecurityCredentials"
},
"type": "array",
"description": "List of AWS Security Credentials that the process had access to"
},
"parent": {
"$ref": "#/$defs/Process",
"description": "Parent process"
},
"ancestors": {
"items": {
"$ref": "#/$defs/Process"
},
"type": "array",
"description": "Ancestor processes"
},
"variables": {
"$ref": "#/$defs/Variables",
"description": "Variables values"
},
"truncated_ancestors": {
"type": "boolean",
"description": "True if the ancestors list was truncated because it was too big"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessContextSerializer serializes a process context to JSON"
},
"ProcessCredentials": {
"properties": {
"uid": {
"type": "integer",
"description": "User ID"
},
"user": {
"type": "string",
"description": "User name"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"group": {
"type": "string",
"description": "Group name"
},
"euid": {
"type": "integer",
"description": "Effective User ID"
},
"euser": {
"type": "string",
"description": "Effective User name"
},
"egid": {
"type": "integer",
"description": "Effective Group ID"
},
"egroup": {
"type": "string",
"description": "Effective Group name"
},
"fsuid": {
"type": "integer",
"description": "Filesystem User ID"
},
"fsuser": {
"type": "string",
"description": "Filesystem User name"
},
"fsgid": {
"type": "integer",
"description": "Filesystem Group ID"
},
"fsgroup": {
"type": "string",
"description": "Filesystem Group name"
},
"auid": {
"type": "integer",
"description": "Login UID"
},
"cap_effective": {
"items": {
"type": "string"
},
"type": "array",
"description": "Effective Capability set"
},
"cap_permitted": {
"items": {
"type": "string"
},
"type": "array",
"description": "Permitted Capability set"
},
"destination": {
"description": "Credentials after the operation"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid",
"euid",
"egid",
"fsuid",
"fsgid",
"auid",
"cap_effective",
"cap_permitted"
],
"description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
},
"SELinuxBoolChange": {
"properties": {
"name": {
"type": "string",
"description": "SELinux boolean name"
},
"state": {
"type": "string",
"description": "SELinux boolean state ('on' or 'off')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
},
"SELinuxBoolCommit": {
"properties": {
"state": {
"type": "boolean",
"description": "SELinux boolean commit operation"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
},
"SELinuxEnforceStatus": {
"properties": {
"status": {
"type": "string",
"description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
},
"SELinuxEvent": {
"properties": {
"bool": {
"$ref": "#/$defs/SELinuxBoolChange",
"description": "SELinux boolean operation"
},
"enforce": {
"$ref": "#/$defs/SELinuxEnforceStatus",
"description": "SELinux enforcement change"
},
"bool_commit": {
"$ref": "#/$defs/SELinuxBoolCommit",
"description": "SELinux boolean commit"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEventSerializer serializes a SELinux context to JSON"
},
"SecurityProfileContext": {
"properties": {
"name": {
"type": "string",
"description": "Name of the security profile"
},
"version": {
"type": "string",
"description": "Version of the profile in use"
},
"tags": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of tags associated with this profile"
},
"event_in_profile": {
"type": "boolean",
"description": "True if the corresponding event is part of this profile"
},
"event_type_state": {
"type": "string",
"description": "State of the event type in this profile"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name",
"version",
"tags",
"event_in_profile",
"event_type_state"
],
"description": "SecurityProfileContextSerializer serializes the security profile context in an event"
},
"SignalEvent": {
"properties": {
"type": {
"type": "string",
"description": "signal type"
},
"pid": {
"type": "integer",
"description": "signal target pid"
},
"target": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the signal target"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"type",
"pid"
],
"description": "SignalEventSerializer serializes a signal event to JSON"
},
"SpliceEvent": {
"properties": {
"pipe_entry_flag": {
"type": "string",
"description": "Entry flag of the fd_out pipe passed to the splice syscall"
},
"pipe_exit_flag": {
"type": "string",
"description": "Exit flag of the fd_out pipe passed to the splice syscall"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"pipe_entry_flag",
"pipe_exit_flag"
],
"description": "SpliceEventSerializer serializes a splice event to JSON"
},
"Syscall": {
"properties": {
"name": {
"type": "string",
"description": "Name of the syscall"
},
"id": {
"type": "integer",
"description": "ID of the syscall in the host architecture"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name",
"id"
],
"description": "SyscallSerializer serializes a syscall"
},
"SyscallArgs": {
"properties": {
"path": {
"type": "string",
"description": "Path argument"
},
"flags": {
"type": "integer",
"description": "Flags argument"
},
"mode": {
"type": "integer",
"description": "Mode argument"
},
"uid": {
"type": "integer",
"description": "UID argument"
},
"gid": {
"type": "integer",
"description": "GID argument"
},
"dirfd": {
"type": "integer",
"description": "Directory file descriptor argument"
},
"destination_path": {
"type": "string",
"description": "Destination path argument"
},
"fs_type": {
"type": "string",
"description": "File system type argument"
}
},
"additionalProperties": false,
"type": "object",
"description": "SyscallArgsSerializer serializes syscall arguments to JSON"
},
"SyscallContext": {
"properties": {
"chmod": {
"$ref": "#/$defs/SyscallArgs"
},
"chown": {
"$ref": "#/$defs/SyscallArgs"
},
"chdir": {
"$ref": "#/$defs/SyscallArgs"
},
"exec": {
"$ref": "#/$defs/SyscallArgs"
},
"open": {
"$ref": "#/$defs/SyscallArgs"
},
"unlink": {
"$ref": "#/$defs/SyscallArgs"
},
"link": {
"$ref": "#/$defs/SyscallArgs"
},
"rename": {
"$ref": "#/$defs/SyscallArgs"
},
"utimes": {
"$ref": "#/$defs/SyscallArgs"
},
"mount": {
"$ref": "#/$defs/SyscallArgs"
}
},
"additionalProperties": false,
"type": "object",
"description": "SyscallContextSerializer serializes syscall context"
},
"SyscallsEvent": {
"items": {
"$ref": "#/$defs/Syscall"
},
"type": "array",
"description": "SyscallsEventSerializer serializes the syscalls from a syscalls event"
},
"UserContext": {
"properties": {
"id": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
}
},
"additionalProperties": false,
"type": "object",
"description": "UserContextSerializer serializes a user context to JSON"
},
"UserSessionContext": {
"properties": {
"id": {
"type": "string",
"description": "Unique identifier of the user session on the host"
},
"session_type": {
"type": "string",
"description": "Type of the user session"
},
"k8s_username": {
"type": "string",
"description": "Username of the Kubernetes \"kubectl exec\" session"
},
"k8s_uid": {
"type": "string",
"description": "UID of the Kubernetes \"kubectl exec\" session"
},
"k8s_groups": {
"items": {
"type": "string"
},
"type": "array",
"description": "Groups of the Kubernetes \"kubectl exec\" session"
},
"k8s_extra": {
"additionalProperties": {
"items": {
"type": "string"
},
"type": "array"
},
"type": "object",
"description": "Extra of the Kubernetes \"kubectl exec\" session"
}
},
"additionalProperties": false,
"type": "object",
"description": "UserSessionContextSerializer serializes the user session context to JSON"
},
"Variables": {
"type": "object",
"description": "Variables serializes the variable values"
}
},
"properties": {
"agent": {
"$ref": "#/$defs/AgentContext"
},
"title": {
"type": "string"
},
"evt": {
"$ref": "#/$defs/EventContext"
},
"date": {
"type": "string",
"format": "date-time"
},
"file": {
"$ref": "#/$defs/FileEvent"
},
"exit": {
"$ref": "#/$defs/ExitEvent"
},
"process": {
"$ref": "#/$defs/ProcessContext"
},
"container": {
"$ref": "#/$defs/ContainerContext"
},
"cgroup": {
"$ref": "#/$defs/CGroupContext"
},
"network": {
"$ref": "#/$defs/NetworkContext"
},
"dd": {
"$ref": "#/$defs/DDContext"
},
"security_profile": {
"$ref": "#/$defs/SecurityProfileContext"
},
"selinux": {
"$ref": "#/$defs/SELinuxEvent"
},
"bpf": {
"$ref": "#/$defs/BPFEvent"
},
"mmap": {
"$ref": "#/$defs/MMapEvent"
},
"mprotect": {
"$ref": "#/$defs/MProtectEvent"
},
"ptrace": {
"$ref": "#/$defs/PTraceEvent"
},
"module": {
"$ref": "#/$defs/ModuleEvent"
},
"signal": {
"$ref": "#/$defs/SignalEvent"
},
"splice": {
"$ref": "#/$defs/SpliceEvent"
},
"dns": {
"$ref": "#/$defs/DNSEvent"
},
"imds": {
"$ref": "#/$defs/IMDSEvent"
},
"bind": {
"$ref": "#/$defs/BindEvent"
},
"mount": {
"$ref": "#/$defs/MountEvent"
},
"syscalls": {
"$ref": "#/$defs/SyscallsEvent"
},
"usr": {
"$ref": "#/$defs/UserContext"
},
"syscall": {
"$ref": "#/$defs/SyscallContext"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"agent",
"title"
]
}
Parameter | Type | Description |
---|---|---|
agent | $ref | Please see AgentContext |
title | string | |
evt | $ref | Please see EventContext |
date | string | |
file | $ref | Please see FileEvent |
exit | $ref | Please see ExitEvent |
process | $ref | Please see ProcessContext |
container | $ref | Please see ContainerContext |
cgroup | $ref | Please see CGroupContext |
network | $ref | Please see NetworkContext |
dd | $ref | Please see DDContext |
security_profile | $ref | Please see SecurityProfileContext |
selinux | $ref | Please see SELinuxEvent |
bpf | $ref | Please see BPFEvent |
mmap | $ref | Please see MMapEvent |
mprotect | $ref | Please see MProtectEvent |
ptrace | $ref | Please see PTraceEvent |
module | $ref | Please see ModuleEvent |
signal | $ref | Please see SignalEvent |
splice | $ref | Please see SpliceEvent |
dns | $ref | Please see DNSEvent |
imds | $ref | Please see IMDSEvent |
bind | $ref | Please see BindEvent |
mount | $ref | Please see MountEvent |
syscalls | $ref | Please see SyscallsEvent |
usr | $ref | Please see UserContext |
syscall | $ref | Please see SyscallContext |
AWSIMDSEvent
{
"properties": {
"is_imds_v2": {
"type": "boolean",
"description": "is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"
},
"security_credentials": {
"$ref": "#/$defs/AWSSecurityCredentials",
"description": "SecurityCredentials holds the scrubbed data collected on the security credentials"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"is_imds_v2"
],
"description": "AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"
}
Field | Description |
---|---|
is_imds_v2 | is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions |
security_credentials | SecurityCredentials holds the scrubbed data collected on the security credentials |
References |
---|
AWSSecurityCredentials |
AWSSecurityCredentials
{
"properties": {
"code": {
"type": "string",
"description": "code is the IMDS server code response"
},
"type": {
"type": "string",
"description": "type is the security credentials type"
},
"access_key_id": {
"type": "string",
"description": "access_key_id is the unique access key ID of the credentials"
},
"last_updated": {
"type": "string",
"description": "last_updated is the last time the credentials were updated"
},
"expiration": {
"type": "string",
"description": "expiration is the expiration date of the credentials"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"code",
"type",
"access_key_id",
"last_updated",
"expiration"
],
"description": "AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"
}
Field | Description |
---|---|
code | code is the IMDS server code response |
type | type is the security credentials type |
access_key_id | access_key_id is the unique access key ID of the credentials |
last_updated | last_updated is the last time the credentials were updated |
expiration | expiration is the expiration date of the credentials |
AgentContext
{
"properties": {
"rule_id": {
"type": "string"
},
"rule_version": {
"type": "string"
},
"rule_actions": {
"items": true,
"type": "array"
},
"policy_name": {
"type": "string"
},
"policy_version": {
"type": "string"
},
"version": {
"type": "string"
},
"os": {
"type": "string"
},
"arch": {
"type": "string"
},
"origin": {
"type": "string"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"rule_id"
]
}
BPFEvent
{
"properties": {
"cmd": {
"type": "string",
"description": "BPF command"
},
"map": {
"$ref": "#/$defs/BPFMap",
"description": "BPF map"
},
"program": {
"$ref": "#/$defs/BPFProgram",
"description": "BPF program"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cmd"
],
"description": "BPFEventSerializer serializes a BPF event to JSON"
}
Field | Description |
---|---|
cmd | BPF command |
map | BPF map |
program | BPF program |
References |
---|
BPFMap |
BPFProgram |
BPFMap
{
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF map"
},
"map_type": {
"type": "string",
"description": "Type of the BPF map"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFMapSerializer serializes a BPF map to JSON"
}
Field | Description |
---|---|
name | Name of the BPF map |
map_type | Type of the BPF map |
BPFProgram
{
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF program"
},
"tag": {
"type": "string",
"description": "Hash (sha1) of the BPF program"
},
"program_type": {
"type": "string",
"description": "Type of the BPF program"
},
"attach_type": {
"type": "string",
"description": "Attach type of the BPF program"
},
"helpers": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of helpers used by the BPF program"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFProgramSerializer serializes a BPF program to JSON"
}
Field | Description |
---|---|
name | Name of the BPF program |
tag | Hash (sha1) of the BPF program |
program_type | Type of the BPF program |
attach_type | Attach type of the BPF program |
helpers | List of helpers used by the BPF program |
BindEvent
{
"properties": {
"addr": {
"$ref": "#/$defs/IPPortFamily",
"description": "Bound address (if any)"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"addr"
],
"description": "BindEventSerializer serializes a bind event to JSON"
}
Field | Description |
---|---|
addr | Bound address (if any) |
References |
---|
IPPortFamily |
CGroupContext
{
"properties": {
"id": {
"type": "string",
"description": "CGroup ID"
},
"manager": {
"type": "string",
"description": "CGroup manager"
}
},
"additionalProperties": false,
"type": "object",
"description": "CGroupContextSerializer serializes a cgroup context to JSON"
}
Field | Description |
---|---|
id | CGroup ID |
manager | CGroup manager |
ContainerContext
{
"properties": {
"id": {
"type": "string",
"description": "Container ID"
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Creation time of the container"
},
"variables": {
"$ref": "#/$defs/Variables",
"description": "Variables values"
}
},
"additionalProperties": false,
"type": "object",
"description": "ContainerContextSerializer serializes a container context to JSON"
}
Field | Description |
---|---|
id | Container ID |
created_at | Creation time of the container |
variables | Variables values |
References |
---|
Variables |
DDContext
{
"properties": {
"span_id": {
"type": "string",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "string",
"description": "Trace ID used for APM correlation"
}
},
"additionalProperties": false,
"type": "object",
"description": "DDContextSerializer serializes a span context to JSON"
}
Field | Description |
---|---|
span_id | Span ID used for APM correlation |
trace_id | Trace ID used for APM correlation |
DNSEvent
{
"properties": {
"id": {
"type": "integer",
"description": "id is the unique identifier of the DNS request"
},
"question": {
"$ref": "#/$defs/DNSQuestion",
"description": "question is a DNS question for the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"id",
"question"
],
"description": "DNSEventSerializer serializes a DNS event to JSON"
}
Field | Description |
---|---|
id | id is the unique identifier of the DNS request |
question | question is a DNS question for the DNS request |
References |
---|
DNSQuestion |
DNSQuestion
{
"properties": {
"class": {
"type": "string",
"description": "class is the class looked up by the DNS question"
},
"type": {
"type": "string",
"description": "type is a two octet code which specifies the DNS question type"
},
"name": {
"type": "string",
"description": "name is the queried domain name"
},
"size": {
"type": "integer",
"description": "size is the total DNS request size in bytes"
},
"count": {
"type": "integer",
"description": "count is the total count of questions in the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"class",
"type",
"name",
"size",
"count"
],
"description": "DNSQuestionSerializer serializes a DNS question to JSON"
}
Field | Description |
---|---|
class | class is the class looked up by the DNS question |
type | type is a two octet code which specifies the DNS question type |
name | name is the queried domain name |
size | size is the total DNS request size in bytes |
count | count is the total count of questions in the DNS request |
EventContext
{
"properties": {
"name": {
"type": "string",
"description": "Event name"
},
"category": {
"type": "string",
"description": "Event category"
},
"outcome": {
"type": "string",
"description": "Event outcome"
},
"async": {
"type": "boolean",
"description": "True if the event was asynchronous"
},
"matched_rules": {
"items": {
"$ref": "#/$defs/MatchedRule"
},
"type": "array",
"description": "The list of rules that the event matched (only valid in the context of an anomaly)"
},
"variables": {
"$ref": "#/$defs/Variables",
"description": "Variables values"
}
},
"additionalProperties": false,
"type": "object",
"description": "EventContextSerializer serializes an event context to JSON"
}
Field | Description |
---|---|
name | Event name |
category | Event category |
outcome | Event outcome |
async | True if the event was asynchronous |
matched_rules | The list of rules that the event matched (only valid in the context of an anomaly) |
variables | Variables values |
References |
---|
Variables |
ExitEvent
{
"properties": {
"cause": {
"type": "string",
"description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
},
"code": {
"type": "integer",
"description": "Exit code of the process or number of the signal that caused the process to terminate"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cause",
"code"
],
"description": "ExitEventSerializer serializes an exit event to JSON"
}
Field | Description |
---|---|
cause | Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED) |
code | Exit code of the process or number of the signal that caused the process to terminate |
File
{
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"package_name": {
"type": "string",
"description": "System package name"
},
"package_version": {
"type": "string",
"description": "System package version"
},
"hashes": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of cryptographic hashes of the file"
},
"hash_state": {
"type": "string",
"description": "State of the hashes or reason why they weren't computed"
},
"mount_path": {
"type": "string",
"description": "MountPath path of the mount"
},
"mount_source": {
"type": "string",
"description": "MountSource source of the mount"
},
"mount_origin": {
"type": "string",
"description": "MountOrigin origin of the mount"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileSerializer serializes a file to JSON"
}
Field | Description |
---|---|
path | File path |
name | File basename |
path_resolution_error | Error message from path resolution |
inode | File inode number |
mode | File mode |
in_upper_layer | Indicator of file OverlayFS layer |
mount_id | File mount ID |
filesystem | File filesystem name |
uid | File User ID |
gid | File Group ID |
user | File user |
group | File group |
attribute_name | File extended attribute name |
attribute_namespace | File extended attribute namespace |
flags | File flags |
access_time | File access time |
modification_time | File modified time |
change_time | File change time |
package_name | System package name |
package_version | System package version |
hashes | List of cryptographic hashes of the file |
hash_state | State of the hashes or reason why they weren't computed |
mount_path | MountPath path of the mount |
mount_source | MountSource source of the mount |
mount_origin | MountOrigin origin of the mount |
FileEvent
{
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"package_name": {
"type": "string",
"description": "System package name"
},
"package_version": {
"type": "string",
"description": "System package version"
},
"hashes": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of cryptographic hashes of the file"
},
"hash_state": {
"type": "string",
"description": "State of the hashes or reason why they weren't computed"
},
"mount_path": {
"type": "string",
"description": "MountPath path of the mount"
},
"mount_source": {
"type": "string",
"description": "MountSource source of the mount"
},
"mount_origin": {
"type": "string",
"description": "MountOrigin origin of the mount"
},
"destination": {
"$ref": "#/$defs/File",
"description": "Target file information"
},
"new_mount_id": {
"type": "integer",
"description": "New Mount ID"
},
"device": {
"type": "integer",
"description": "Device associated with the file"
},
"fstype": {
"type": "string",
"description": "Filesystem type"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileEventSerializer serializes a file event to JSON"
}
Field | Description |
---|---|
path | File path |
name | File basename |
path_resolution_error | Error message from path resolution |
inode | File inode number |
mode | File mode |
in_upper_layer | Indicator of file OverlayFS layer |
mount_id | File mount ID |
filesystem | File filesystem name |
uid | File User ID |
gid | File Group ID |
user | File user |
group | File group |
attribute_name | File extended attribute name |
attribute_namespace | File extended attribute namespace |
flags | File flags |
access_time | File access time |
modification_time | File modified time |
change_time | File change time |
package_name | System package name |
package_version | System package version |
hashes | List of cryptographic hashes of the file |
hash_state | State of the hashes or reason why they weren't computed |
mount_path | MountPath path of the mount |
mount_source | MountSource source of the mount |
mount_origin | MountOrigin origin of the mount |
destination | Target file information |
new_mount_id | New Mount ID |
device | Device associated with the file |
fstype | Filesystem type |
References |
---|
File |
IMDSEvent
{
"properties": {
"type": {
"type": "string",
"description": "type is the type of IMDS event"
},
"cloud_provider": {
"type": "string",
"description": "cloud_provider is the intended cloud provider of the IMDS event"
},
"url": {
"type": "string",
"description": "url is the url of the IMDS request"
},
"host": {
"type": "string",
"description": "host is the host of the HTTP protocol"
},
"user_agent": {
"type": "string",
"description": "user_agent is the user agent of the HTTP client"
},
"server": {
"type": "string",
"description": "server is the server header of a response"
},
"aws": {
"$ref": "#/$defs/AWSIMDSEvent",
"description": "AWS holds the AWS specific data parsed from the IMDS event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"type",
"cloud_provider"
],
"description": "IMDSEventSerializer serializes an IMDS event to JSON"
}
Field | Description |
---|---|
type | type is the type of IMDS event |
cloud_provider | cloud_provider is the intended cloud provider of the IMDS event |
url | url is the url of the IMDS request |
host | host is the host of the HTTP protocol |
user_agent | user_agent is the user agent of the HTTP client |
server | server is the server header of a response |
aws | AWS holds the AWS specific data parsed from the IMDS event |
References |
---|
AWSIMDSEvent |
IPPort
{
"properties": {
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"ip",
"port"
],
"description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
}
Field | Description |
---|---|
ip | IP address |
port | Port number |
IPPortFamily
{
"properties": {
"family": {
"type": "string",
"description": "Address family"
},
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"family",
"ip",
"port"
],
"description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
}
Field | Description |
---|---|
family | Address family |
ip | IP address |
port | Port number |
MMapEvent
{
"properties": {
"address": {
"type": "string",
"description": "memory segment address"
},
"offset": {
"type": "integer",
"description": "file offset"
},
"length": {
"type": "integer",
"description": "memory segment length"
},
"protection": {
"type": "string",
"description": "memory segment protection"
},
"flags": {
"type": "string",
"description": "memory segment flags"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"address",
"offset",
"length",
"protection",
"flags"
],
"description": "MMapEventSerializer serializes a mmap event to JSON"
}
Field | Description |
---|---|
address | memory segment address |
offset | file offset |
length | memory segment length |
protection | memory segment protection |
flags | memory segment flags |
MProtectEvent
{
"properties": {
"vm_start": {
"type": "string",
"description": "memory segment start address"
},
"vm_end": {
"type": "string",
"description": "memory segment end address"
},
"vm_protection": {
"type": "string",
"description": "initial memory segment protection"
},
"req_protection": {
"type": "string",
"description": "new memory segment protection"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"vm_start",
"vm_end",
"vm_protection",
"req_protection"
],
"description": "MProtectEventSerializer serializes an mprotect event to JSON"
}
Field | Description |
---|---|
vm_start | memory segment start address |
vm_end | memory segment end address |
vm_protection | initial memory segment protection |
req_protection | new memory segment protection |
MatchedRule
{
"properties": {
"id": {
"type": "string",
"description": "ID of the rule"
},
"version": {
"type": "string",
"description": "Version of the rule"
},
"tags": {
"items": {
"type": "string"
},
"type": "array",
"description": "Tags of the rule"
},
"policy_name": {
"type": "string",
"description": "Name of the policy that introduced the rule"
},
"policy_version": {
"type": "string",
"description": "Version of the policy that introduced the rule"
}
},
"additionalProperties": false,
"type": "object",
"description": "MatchedRuleSerializer serializes a rule"
}
Field | Description |
---|---|
id | ID of the rule |
version | Version of the rule |
tags | Tags of the rule |
policy_name | Name of the policy that introduced the rule |
policy_version | Version of the policy that introduced the rule |
ModuleEvent
{
"properties": {
"name": {
"type": "string",
"description": "module name"
},
"loaded_from_memory": {
"type": "boolean",
"description": "indicates if a module was loaded from memory, as opposed to a file"
},
"argv": {
"items": {
"type": "string"
},
"type": "array"
},
"args_truncated": {
"type": "boolean"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name"
],
"description": "ModuleEventSerializer serializes a module event to JSON"
}
Field | Description |
---|---|
name | module name |
loaded_from_memory | indicates if a module was loaded from memory, as opposed to a file |
MountEvent
{
"properties": {
"mp": {
"$ref": "#/$defs/File",
"description": "Mount point file information"
},
"root": {
"$ref": "#/$defs/File",
"description": "Root file information"
},
"mount_id": {
"type": "integer",
"description": "Mount ID of the new mount"
},
"parent_mount_id": {
"type": "integer",
"description": "Mount ID of the parent mount"
},
"bind_src_mount_id": {
"type": "integer",
"description": "Mount ID of the source of a bind mount"
},
"device": {
"type": "integer",
"description": "Device associated with the file"
},
"fs_type": {
"type": "string",
"description": "Filesystem type"
},
"mountpoint.path": {
"type": "string",
"description": "Mount point path"
},
"source.path": {
"type": "string",
"description": "Mount source path"
},
"mountpoint.path_error": {
"type": "string",
"description": "Mount point path error"
},
"source.path_error": {
"type": "string",
"description": "Mount source path error"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"mount_id",
"parent_mount_id",
"bind_src_mount_id",
"device"
],
"description": "MountEventSerializer serializes a mount event to JSON"
}
Field | Description |
---|---|
mp | Mount point file information |
root | Root file information |
mount_id | Mount ID of the new mount |
parent_mount_id | Mount ID of the parent mount |
bind_src_mount_id | Mount ID of the source of a bind mount |
device | Device associated with the file |
fs_type | Filesystem type |
mountpoint.path | Mount point path |
source.path | Mount source path |
mountpoint.path_error | Mount point path error |
source.path_error | Mount source path error |
References |
---|
File |
NetworkContext
{
"properties": {
"device": {
"$ref": "#/$defs/NetworkDevice",
"description": "device is the network device on which the event was captured"
},
"l3_protocol": {
"type": "string",
"description": "l3_protocol is the layer 3 protocol name"
},
"l4_protocol": {
"type": "string",
"description": "l4_protocol is the layer 4 protocol name"
},
"source": {
"$ref": "#/$defs/IPPort",
"description": "source is the emitter of the network event"
},
"destination": {
"$ref": "#/$defs/IPPort",
"description": "destination is the receiver of the network event"
},
"size": {
"type": "integer",
"description": "size is the size in bytes of the network event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"l3_protocol",
"l4_protocol",
"source",
"destination",
"size"
],
"description": "NetworkContextSerializer serializes the network context to JSON"
}
Field | Description |
---|---|
device | device is the network device on which the event was captured |
l3_protocol | l3_protocol is the layer 3 protocol name |
l4_protocol | l4_protocol is the layer 4 protocol name |
source | source is the emitter of the network event |
destination | destination is the receiver of the network event |
size | size is the size in bytes of the network event |
References |
---|
NetworkDevice |
IPPort |
NetworkDevice
{
"properties": {
"netns": {
"type": "integer",
"description": "netns is the network namespace of the interface"
},
"ifindex": {
"type": "integer",
"description": "ifindex is the network interface ifindex"
},
"ifname": {
"type": "string",
"description": "ifname is the network interface name"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"netns",
"ifindex",
"ifname"
],
"description": "NetworkDeviceSerializer serializes the network device context to JSON"
}
Field | Description |
---|---|
netns | netns is the network namespace of the interface |
ifindex | ifindex is the network interface ifindex |
ifname | ifname is the network interface name |
PTraceEvent
{
"properties": {
"request": {
"type": "string",
"description": "ptrace request"
},
"address": {
"type": "string",
"description": "address at which the ptrace request was executed"
},
"tracee": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the tracee"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"request",
"address"
],
"description": "PTraceEventSerializer serializes a ptrace event to JSON"
}
Field | Description |
---|---|
request | ptrace request |
address | address at which the ptrace request was executed |
tracee | process context of the tracee |
References |
---|
ProcessContext |
Process
{
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"user_session": {
"$ref": "#/$defs/UserSessionContext",
"description": "Context of the user session for this event"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environment variable truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
},
"is_exec_child": {
"type": "boolean",
"description": "Indicates whether the process is an exec following another exec"
},
"source": {
"type": "string",
"description": "Process source"
},
"syscalls": {
"$ref": "#/$defs/SyscallsEvent",
"description": "List of syscalls captured to generate the event"
},
"aws_security_credentials": {
"items": {
"$ref": "#/$defs/AWSSecurityCredentials"
},
"type": "array",
"description": "List of AWS Security Credentials that the process had access to"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessSerializer serializes a process to JSON"
}
Field | Description |
---|---|
pid | Process ID |
ppid | Parent Process ID |
tid | Thread ID |
uid | User ID |
gid | Group ID |
user | User name |
group | Group name |
path_resolution_error | Description of an error in the path resolution |
comm | Command name |
tty | TTY associated with the process |
fork_time | Fork time of the process |
exec_time | Exec time of the process |
exit_time | Exit time of the process |
credentials | Credentials associated with the process |
user_session | Context of the user session for this event |
executable | File information of the executable |
interpreter | File information of the interpreter |
container | Container context |
argv0 | First command line argument |
args | Command line arguments |
args_truncated | Indicator of arguments truncation |
envs | Environment variables of the process |
envs_truncated | Indicator of environment variable truncation |
is_thread | Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program) |
is_kworker | Indicates whether the process is a kworker |
is_exec_child | Indicates whether the process is an exec following another exec |
source | Process source |
syscalls | List of syscalls captured to generate the event |
aws_security_credentials | List of AWS Security Credentials that the process had access to |
ProcessContext
{
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"user_session": {
"$ref": "#/$defs/UserSessionContext",
"description": "Context of the user session for this event"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},