{
"$id": "https://github.com/DataDog/datadog-agent/pkg/security/serializers/event",
"$defs": {
"AnomalyDetectionSyscallEvent": {
"properties": {
"syscall": {
"type": "string",
"description": "Name of the syscall that triggered the anomaly detection event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"syscall"
],
"description": "AnomalyDetectionSyscallEventSerializer serializes an anomaly detection for a syscall event"
},
"BPFEvent": {
"properties": {
"cmd": {
"type": "string",
"description": "BPF command"
},
"map": {
"$ref": "#/$defs/BPFMap",
"description": "BPF map"
},
"program": {
"$ref": "#/$defs/BPFProgram",
"description": "BPF program"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cmd"
],
"description": "BPFEventSerializer serializes a BPF event to JSON"
},
"BPFMap": {
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF map"
},
"map_type": {
"type": "string",
"description": "Type of the BPF map"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFMapSerializer serializes a BPF map to JSON"
},
"BPFProgram": {
"properties": {
"name": {
"type": "string",
"description": "Name of the BPF program"
},
"tag": {
"type": "string",
"description": "Hash (sha1) of the BPF program"
},
"program_type": {
"type": "string",
"description": "Type of the BPF program"
},
"attach_type": {
"type": "string",
"description": "Attach type of the BPF program"
},
"helpers": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of helpers used by the BPF program"
}
},
"additionalProperties": false,
"type": "object",
"description": "BPFProgramSerializer serializes a BPF map to JSON"
},
"BindEvent": {
"properties": {
"addr": {
"$ref": "#/$defs/IPPortFamily",
"description": "Bound address (if any)"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"addr"
],
"description": "BindEventSerializer serializes a bind event to JSON"
},
"ContainerContext": {
"properties": {
"id": {
"type": "string",
"description": "Container ID"
},
"created_at": {
"type": "string",
"format": "date-time",
"description": "Creation time of the container"
}
},
"additionalProperties": false,
"type": "object",
"description": "ContainerContextSerializer serializes a container context to JSON"
},
"DDContext": {
"properties": {
"span_id": {
"type": "integer",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "integer",
"description": "Trace ID used for APM correlation"
}
},
"additionalProperties": false,
"type": "object",
"description": "DDContextSerializer serializes a span context to JSON"
},
"DNSEvent": {
"properties": {
"id": {
"type": "integer",
"description": "id is the unique identifier of the DNS request"
},
"question": {
"$ref": "#/$defs/DNSQuestion",
"description": "question is a DNS question for the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"id",
"question"
],
"description": "DNSEventSerializer serializes a DNS event to JSON"
},
"DNSQuestion": {
"properties": {
"class": {
"type": "string",
"description": "class is the class looked up by the DNS question"
},
"type": {
"type": "string",
"description": "type is a two octet code which specifies the DNS question type"
},
"name": {
"type": "string",
"description": "name is the queried domain name"
},
"size": {
"type": "integer",
"description": "size is the total DNS request size in bytes"
},
"count": {
"type": "integer",
"description": "count is the total count of questions in the DNS request"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"class",
"type",
"name",
"size",
"count"
],
"description": "DNSQuestionSerializer serializes a DNS question to JSON"
},
"EventContext": {
"properties": {
"name": {
"type": "string",
"description": "Event name"
},
"category": {
"type": "string",
"description": "Event category"
},
"outcome": {
"type": "string",
"description": "Event outcome"
},
"async": {
"type": "boolean",
"description": "True if the event was asynchronous"
}
},
"additionalProperties": false,
"type": "object",
"description": "EventContextSerializer serializes an event context to JSON"
},
"ExitEvent": {
"properties": {
"cause": {
"type": "string",
"description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
},
"code": {
"type": "integer",
"description": "Exit code of the process or number of the signal that caused the process to terminate"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"cause",
"code"
],
"description": "ExitEventSerializer serializes an exit event to JSON"
},
"File": {
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"package_name": {
"type": "string",
"description": "System package name"
},
"package_version": {
"type": "string",
"description": "System package version"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileSerializer serializes a file to JSON"
},
"FileEvent": {
"properties": {
"path": {
"type": "string",
"description": "File path"
},
"name": {
"type": "string",
"description": "File basename"
},
"path_resolution_error": {
"type": "string",
"description": "Error message from path resolution"
},
"inode": {
"type": "integer",
"description": "File inode number"
},
"mode": {
"type": "integer",
"description": "File mode"
},
"in_upper_layer": {
"type": "boolean",
"description": "Indicator of file OverlayFS layer"
},
"mount_id": {
"type": "integer",
"description": "File mount ID"
},
"filesystem": {
"type": "string",
"description": "File filesystem name"
},
"uid": {
"type": "integer",
"description": "File User ID"
},
"gid": {
"type": "integer",
"description": "File Group ID"
},
"user": {
"type": "string",
"description": "File user"
},
"group": {
"type": "string",
"description": "File group"
},
"attribute_name": {
"type": "string",
"description": "File extended attribute name"
},
"attribute_namespace": {
"type": "string",
"description": "File extended attribute namespace"
},
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "File flags"
},
"access_time": {
"type": "string",
"format": "date-time",
"description": "File access time"
},
"modification_time": {
"type": "string",
"format": "date-time",
"description": "File modified time"
},
"change_time": {
"type": "string",
"format": "date-time",
"description": "File change time"
},
"package_name": {
"type": "string",
"description": "System package name"
},
"package_version": {
"type": "string",
"description": "System package version"
},
"destination": {
"$ref": "#/$defs/File",
"description": "Target file information"
},
"new_mount_id": {
"type": "integer",
"description": "New Mount ID"
},
"group_id": {
"type": "integer",
"description": "Group ID"
},
"device": {
"type": "integer",
"description": "Device associated with the file"
},
"fstype": {
"type": "string",
"description": "Filesystem type"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "FileEventSerializer serializes a file event to JSON"
},
"IPPort": {
"properties": {
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"ip",
"port"
],
"description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
},
"IPPortFamily": {
"properties": {
"family": {
"type": "string",
"description": "Address family"
},
"ip": {
"type": "string",
"description": "IP address"
},
"port": {
"type": "integer",
"description": "Port number"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"family",
"ip",
"port"
],
"description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
},
"MMapEvent": {
"properties": {
"address": {
"type": "string",
"description": "memory segment address"
},
"offset": {
"type": "integer",
"description": "file offset"
},
"length": {
"type": "integer",
"description": "memory segment length"
},
"protection": {
"type": "string",
"description": "memory segment protection"
},
"flags": {
"type": "string",
"description": "memory segment flags"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"address",
"offset",
"length",
"protection",
"flags"
],
"description": "MMapEventSerializer serializes a mmap event to JSON"
},
"MProtectEvent": {
"properties": {
"vm_start": {
"type": "string",
"description": "memory segment start address"
},
"vm_end": {
"type": "string",
"description": "memory segment end address"
},
"vm_protection": {
"type": "string",
"description": "initial memory segment protection"
},
"req_protection": {
"type": "string",
"description": "new memory segment protection"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"vm_start",
"vm_end",
"vm_protection",
"req_protection"
],
"description": "MProtectEventSerializer serializes a mmap event to JSON"
},
"ModuleEvent": {
"properties": {
"name": {
"type": "string",
"description": "module name"
},
"loaded_from_memory": {
"type": "boolean",
"description": "indicates if a module was loaded from memory, as opposed to a file"
},
"argv": {
"items": {
"type": "string"
},
"type": "array"
},
"args_truncated": {
"type": "boolean"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name"
],
"description": "ModuleEventSerializer serializes a module event to JSON"
},
"MountEvent": {
"properties": {
"mp": {
"$ref": "#/$defs/File"
},
"root": {
"$ref": "#/$defs/File"
},
"mount_id": {
"type": "integer"
},
"group_id": {
"type": "integer"
},
"parent_mount_id": {
"type": "integer"
},
"bind_src_mount_id": {
"type": "integer"
},
"device": {
"type": "integer"
},
"fs_type": {
"type": "string"
},
"mountpoint.path": {
"type": "string"
},
"source.path": {
"type": "string"
},
"mountpoint.path_error": {
"type": "string"
},
"source.path_error": {
"type": "string"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"mount_id",
"group_id",
"parent_mount_id",
"bind_src_mount_id",
"device"
],
"description": "MountEventSerializer serializes a mount event to JSON"
},
"NetworkContext": {
"properties": {
"device": {
"$ref": "#/$defs/NetworkDevice",
"description": "device is the network device on which the event was captured"
},
"l3_protocol": {
"type": "string",
"description": "l3_protocol is the layer 3 protocol name"
},
"l4_protocol": {
"type": "string",
"description": "l4_protocol is the layer 4 protocol name"
},
"source": {
"$ref": "#/$defs/IPPort",
"description": "source is the emitter of the network event"
},
"destination": {
"$ref": "#/$defs/IPPort",
"description": "destination is the receiver of the network event"
},
"size": {
"type": "integer",
"description": "size is the size in bytes of the network event"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"l3_protocol",
"l4_protocol",
"source",
"destination",
"size"
],
"description": "NetworkContextSerializer serializes the network context to JSON"
},
"NetworkDevice": {
"properties": {
"netns": {
"type": "integer",
"description": "netns is the interface ifindex"
},
"ifindex": {
"type": "integer",
"description": "ifindex is the network interface ifindex"
},
"ifname": {
"type": "string",
"description": "ifname is the network interface name"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"netns",
"ifindex",
"ifname"
],
"description": "NetworkDeviceSerializer serializes the network device context to JSON"
},
"PTraceEvent": {
"properties": {
"request": {
"type": "string",
"description": "ptrace request"
},
"address": {
"type": "string",
"description": "address at which the ptrace request was executed"
},
"tracee": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the tracee"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"request",
"address"
],
"description": "PTraceEventSerializer serializes a mmap event to JSON"
},
"Process": {
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environments variable truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
},
"source": {
"type": "string",
"description": "Process source"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessSerializer serializes a process to JSON"
},
"ProcessContext": {
"properties": {
"pid": {
"type": "integer",
"description": "Process ID"
},
"ppid": {
"type": "integer",
"description": "Parent Process ID"
},
"tid": {
"type": "integer",
"description": "Thread ID"
},
"uid": {
"type": "integer",
"description": "User ID"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"user": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
},
"path_resolution_error": {
"type": "string",
"description": "Description of an error in the path resolution"
},
"comm": {
"type": "string",
"description": "Command name"
},
"tty": {
"type": "string",
"description": "TTY associated with the process"
},
"fork_time": {
"type": "string",
"format": "date-time",
"description": "Fork time of the process"
},
"exec_time": {
"type": "string",
"format": "date-time",
"description": "Exec time of the process"
},
"exit_time": {
"type": "string",
"format": "date-time",
"description": "Exit time of the process"
},
"credentials": {
"$ref": "#/$defs/ProcessCredentials",
"description": "Credentials associated with the process"
},
"executable": {
"$ref": "#/$defs/File",
"description": "File information of the executable"
},
"interpreter": {
"$ref": "#/$defs/File",
"description": "File information of the interpreter"
},
"container": {
"$ref": "#/$defs/ContainerContext",
"description": "Container context"
},
"argv0": {
"type": "string",
"description": "First command line argument"
},
"args": {
"items": {
"type": "string"
},
"type": "array",
"description": "Command line arguments"
},
"args_truncated": {
"type": "boolean",
"description": "Indicator of arguments truncation"
},
"envs": {
"items": {
"type": "string"
},
"type": "array",
"description": "Environment variables of the process"
},
"envs_truncated": {
"type": "boolean",
"description": "Indicator of environments variable truncation"
},
"is_thread": {
"type": "boolean",
"description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
},
"is_kworker": {
"type": "boolean",
"description": "Indicates whether the process is a kworker"
},
"source": {
"type": "string",
"description": "Process source"
},
"parent": {
"$ref": "#/$defs/Process",
"description": "Parent process"
},
"ancestors": {
"items": {
"$ref": "#/$defs/Process"
},
"type": "array",
"description": "Ancestor processes"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid"
],
"description": "ProcessContextSerializer serializes a process context to JSON"
},
"ProcessCredentials": {
"properties": {
"uid": {
"type": "integer",
"description": "User ID"
},
"user": {
"type": "string",
"description": "User name"
},
"gid": {
"type": "integer",
"description": "Group ID"
},
"group": {
"type": "string",
"description": "Group name"
},
"euid": {
"type": "integer",
"description": "Effective User ID"
},
"euser": {
"type": "string",
"description": "Effective User name"
},
"egid": {
"type": "integer",
"description": "Effective Group ID"
},
"egroup": {
"type": "string",
"description": "Effective Group name"
},
"fsuid": {
"type": "integer",
"description": "Filesystem User ID"
},
"fsuser": {
"type": "string",
"description": "Filesystem User name"
},
"fsgid": {
"type": "integer",
"description": "Filesystem Group ID"
},
"fsgroup": {
"type": "string",
"description": "Filesystem Group name"
},
"cap_effective": {
"items": {
"type": "string"
},
"type": "array",
"description": "Effective Capability set"
},
"cap_permitted": {
"items": {
"type": "string"
},
"type": "array",
"description": "Permitted Capability set"
},
"destination": {
"description": "Credentials after the operation"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"uid",
"gid",
"euid",
"egid",
"fsuid",
"fsgid",
"cap_effective",
"cap_permitted"
],
"description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
},
"SELinuxBoolChange": {
"properties": {
"name": {
"type": "string",
"description": "SELinux boolean name"
},
"state": {
"type": "string",
"description": "SELinux boolean state ('on' or 'off')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
},
"SELinuxBoolCommit": {
"properties": {
"state": {
"type": "boolean",
"description": "SELinux boolean commit operation"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
},
"SELinuxEnforceStatus": {
"properties": {
"status": {
"type": "string",
"description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
},
"SELinuxEvent": {
"properties": {
"bool": {
"$ref": "#/$defs/SELinuxBoolChange",
"description": "SELinux boolean operation"
},
"enforce": {
"$ref": "#/$defs/SELinuxEnforceStatus",
"description": "SELinux enforcement change"
},
"bool_commit": {
"$ref": "#/$defs/SELinuxBoolCommit",
"description": "SELinux boolean commit"
}
},
"additionalProperties": false,
"type": "object",
"description": "SELinuxEventSerializer serializes a SELinux context to JSON"
},
"SecurityProfileContext": {
"properties": {
"name": {
"type": "string",
"description": "Name of the security profile"
},
"status": {
"type": "string",
"description": "Status defines in which state the security profile was when the event was triggered"
},
"version": {
"type": "string",
"description": "Version of the profile in use"
},
"tags": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of tags associated to this profile"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"name",
"status",
"version",
"tags"
],
"description": "SecurityProfileContextSerializer serializes the security profile context in an event"
},
"SignalEvent": {
"properties": {
"type": {
"type": "string",
"description": "signal type"
},
"pid": {
"type": "integer",
"description": "signal target pid"
},
"target": {
"$ref": "#/$defs/ProcessContext",
"description": "process context of the signal target"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"type",
"pid"
],
"description": "SignalEventSerializer serializes a signal event to JSON"
},
"SpliceEvent": {
"properties": {
"pipe_entry_flag": {
"type": "string",
"description": "Entry flag of the fd_out pipe passed to the splice syscall"
},
"pipe_exit_flag": {
"type": "string",
"description": "Exit flag of the fd_out pipe passed to the splice syscall"
}
},
"additionalProperties": false,
"type": "object",
"required": [
"pipe_entry_flag",
"pipe_exit_flag"
],
"description": "SpliceEventSerializer serializes a splice event to JSON"
},
"UserContext": {
"properties": {
"id": {
"type": "string",
"description": "User name"
},
"group": {
"type": "string",
"description": "Group name"
}
},
"additionalProperties": false,
"type": "object",
"description": "UserContextSerializer serializes a user context to JSON"
}
},
"properties": {
"evt": {
"$ref": "#/$defs/EventContext"
},
"file": {
"$ref": "#/$defs/FileEvent"
},
"selinux": {
"$ref": "#/$defs/SELinuxEvent"
},
"bpf": {
"$ref": "#/$defs/BPFEvent"
},
"mmap": {
"$ref": "#/$defs/MMapEvent"
},
"mprotect": {
"$ref": "#/$defs/MProtectEvent"
},
"ptrace": {
"$ref": "#/$defs/PTraceEvent"
},
"module": {
"$ref": "#/$defs/ModuleEvent"
},
"signal": {
"$ref": "#/$defs/SignalEvent"
},
"splice": {
"$ref": "#/$defs/SpliceEvent"
},
"dns": {
"$ref": "#/$defs/DNSEvent"
},
"network": {
"$ref": "#/$defs/NetworkContext"
},
"bind": {
"$ref": "#/$defs/BindEvent"
},
"exit": {
"$ref": "#/$defs/ExitEvent"
},
"mount": {
"$ref": "#/$defs/MountEvent"
},
"anomaly_detection_syscall": {
"$ref": "#/$defs/AnomalyDetectionSyscallEvent"
},
"usr": {
"$ref": "#/$defs/UserContext"
},
"process": {
"$ref": "#/$defs/ProcessContext"
},
"dd": {
"$ref": "#/$defs/DDContext"
},
"container": {
"$ref": "#/$defs/ContainerContext"
},
"security_profile": {
"$ref": "#/$defs/SecurityProfileContext"
},
"date": {
"type": "string",
"format": "date-time"
}
},
"additionalProperties": false,
"type": "object",
"description": "EventSerializer serializes an event to JSON"
}
