---
title: Workload Protection Linux Events Formats
description: JSON schema documentation of the Workload Protection Linux backend event
breadcrumbs: >-
  Docs > Datadog Security > Workload Protection > Workload Protection Linux
  Events Formats
---

# Workload Protection Linux Events Formats

Workload Protection events for Linux systems conform to the following JSON schema, which is defined in the `BACKEND_EVENT_JSON_SCHEMA` file:

```json
{
    "$id": "https://github.com/DataDog/datadog-agent/tree/main/pkg/security/serializers",
    "$defs": {
        "AWSIMDSEvent": {
            "properties": {
                "is_imds_v2": {
                    "type": "boolean",
                    "description": "is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"
                },
                "security_credentials": {
                    "$ref": "#/$defs/AWSSecurityCredentials",
                    "description": "SecurityCredentials holds the scrubbed data collected on the security credentials"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "is_imds_v2"
            ],
            "description": "AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"
        },
        "AWSSecurityCredentials": {
            "properties": {
                "code": {
                    "type": "string",
                    "description": "code is the IMDS server code response"
                },
                "type": {
                    "type": "string",
                    "description": "type is the security credentials type"
                },
                "access_key_id": {
                    "type": "string",
                    "description": "access_key_id is the unique access key ID of the credentials"
                },
                "last_updated": {
                    "type": "string",
                    "description": "last_updated is the last time the credentials were updated"
                },
                "expiration": {
                    "type": "string",
                    "description": "expiration is the expiration date of the credentials"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "code",
                "type",
                "access_key_id",
                "last_updated",
                "expiration"
            ],
            "description": "AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"
        },
        "AcceptEvent": {
            "properties": {
                "addr": {
                    "$ref": "#/$defs/IPPortFamily",
                    "description": "Bound address (if any)"
                },
                "hostnames": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "addr",
                "hostnames"
            ],
            "description": "AcceptEventSerializer serializes an accept event to JSON"
        },
        "AgentContext": {
            "properties": {
                "rule_id": {
                    "type": "string"
                },
                "original_rule_id": {
                    "type": "string"
                },
                "rule_version": {
                    "type": "string"
                },
                "rule_actions": {
                    "items": true,
                    "type": "array"
                },
                "policy_name": {
                    "type": "string"
                },
                "policy_version": {
                    "type": "string"
                },
                "version": {
                    "type": "string"
                },
                "os": {
                    "type": "string"
                },
                "arch": {
                    "type": "string"
                },
                "origin": {
                    "type": "string"
                },
                "kernel_version": {
                    "type": "string"
                },
                "distribution": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "rule_id",
                "original_rule_id"
            ]
        },
        "BPFEvent": {
            "properties": {
                "cmd": {
                    "type": "string",
                    "description": "BPF command"
                },
                "map": {
                    "$ref": "#/$defs/BPFMap",
                    "description": "BPF map"
                },
                "program": {
                    "$ref": "#/$defs/BPFProgram",
                    "description": "BPF program"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "cmd"
            ],
            "description": "BPFEventSerializer serializes a BPF event to JSON"
        },
        "BPFMap": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the BPF map"
                },
                "map_type": {
                    "type": "string",
                    "description": "Type of the BPF map"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "BPFMapSerializer serializes a BPF map to JSON"
        },
        "BPFProgram": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the BPF program"
                },
                "tag": {
                    "type": "string",
                    "description": "Hash (sha1) of the BPF program"
                },
                "program_type": {
                    "type": "string",
                    "description": "Type of the BPF program"
                },
                "attach_type": {
                    "type": "string",
                    "description": "Attach type of the BPF program"
                },
                "helpers": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of helpers used by the BPF program"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "BPFProgramSerializer serializes a BPF program to JSON"
        },
        "BindEvent": {
            "properties": {
                "addr": {
                    "$ref": "#/$defs/IPPortFamily",
                    "description": "Bound address (if any)"
                },
                "protocol": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "addr",
                "protocol"
            ],
            "description": "BindEventSerializer serializes a bind event to JSON"
        },
        "CGroupContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "CGroup ID"
                },
                "manager": {
                    "type": "string",
                    "description": "CGroup manager"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "CGroupContextSerializer serializes a cgroup context to JSON"
        },
        "CGroupWriteEvent": {
            "properties": {
                "file": {
                    "$ref": "#/$defs/File",
                    "description": "File pointing to the cgroup"
                },
                "pid": {
                    "type": "integer",
                    "description": "PID of the process added to the cgroup"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "CGroupWriteEventSerializer serializes a cgroup_write event"
        },
        "CapabilitiesEvent": {
            "properties": {
                "caps_attempted": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Capabilities that the process attempted to use since it started running"
                },
                "caps_used": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Capabilities that the process successfully used since it started running"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "CapabilitiesEventSerializer serializes a capabilities usage event"
        },
        "ConnectEvent": {
            "properties": {
                "addr": {
                    "$ref": "#/$defs/IPPortFamily"
                },
                "hostnames": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array"
                },
                "protocol": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "addr",
                "hostnames",
                "protocol"
            ],
            "description": "ConnectEventSerializer serializes a connect event to JSON"
        },
        "ContainerContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "Container ID"
                },
                "created_at": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Creation time of the container"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "ContainerContextSerializer serializes a container context to JSON"
        },
        "DDContext": {
            "properties": {
                "span_id": {
                    "type": "string",
                    "description": "Span ID used for APM correlation"
                },
                "trace_id": {
                    "type": "string",
                    "description": "Trace ID used for APM correlation"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "DDContextSerializer serializes a span context to JSON"
        },
        "DNSEvent": {
            "properties": {
                "id": {
                    "type": "integer",
                    "description": "id is the unique identifier of the DNS request"
                },
                "is_query": {
                    "type": "boolean",
                    "description": "is_query is true if the DNS message is a question and false if it is a response"
                },
                "question": {
                    "$ref": "#/$defs/DNSQuestion",
                    "description": "question is a DNS question for the DNS request"
                },
                "response": {
                    "$ref": "#/$defs/DNSResponseEvent",
                    "description": "response is a DNS response for the DNS request"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "id",
                "is_query",
                "question",
                "response"
            ],
            "description": "DNSEventSerializer serializes a DNS event to JSON"
        },
        "DNSQuestion": {
            "properties": {
                "class": {
                    "type": "string",
                    "description": "class is the class looked up by the DNS question"
                },
                "type": {
                    "type": "string",
                    "description": "type is a two octet code which specifies the DNS question type"
                },
                "name": {
                    "type": "string",
                    "description": "name is the queried domain name"
                },
                "size": {
                    "type": "integer",
                    "description": "size is the total DNS request size in bytes"
                },
                "count": {
                    "type": "integer",
                    "description": "count is the total count of questions in the DNS request"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "class",
                "type",
                "name",
                "size",
                "count"
            ],
            "description": "DNSQuestionSerializer serializes a DNS question to JSON"
        },
        "DNSResponseEvent": {
            "properties": {
                "code": {
                    "type": "integer",
                    "description": "RCode is the response code present in the response"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "code"
            ],
            "description": "DNSResponseEventSerializer serializes a DNS response event to JSON"
        },
        "EventContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Event name"
                },
                "category": {
                    "type": "string",
                    "description": "Event category"
                },
                "outcome": {
                    "type": "string",
                    "description": "Event outcome"
                },
                "async": {
                    "type": "boolean",
                    "description": "True if the event was asynchronous"
                },
                "matched_rules": {
                    "items": {
                        "$ref": "#/$defs/MatchedRule"
                    },
                    "type": "array",
                    "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                },
                "rule_context": {
                    "$ref": "#/$defs/RuleContext",
                    "description": "RuleContext rule context"
                },
                "source": {
                    "type": "string",
                    "description": "Source of the event"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "EventContextSerializer serializes an event context to JSON"
        },
        "ExitEvent": {
            "properties": {
                "cause": {
                    "type": "string",
                    "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
                },
                "code": {
                    "type": "integer",
                    "description": "Exit code of the process or number of the signal that caused the process to terminate"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "cause",
                "code"
            ],
            "description": "ExitEventSerializer serializes an exit event to JSON"
        },
        "File": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                },
                "extension": {
                    "type": "string",
                    "description": "File extension"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Error message from path resolution"
                },
                "inode": {
                    "type": "integer",
                    "description": "File inode number"
                },
                "mode": {
                    "type": "integer",
                    "description": "File mode"
                },
                "in_upper_layer": {
                    "type": "boolean",
                    "description": "Indicator of file OverlayFS layer"
                },
                "mount_id": {
                    "type": "integer",
                    "description": "File mount ID"
                },
                "filesystem": {
                    "type": "string",
                    "description": "File filesystem name"
                },
                "uid": {
                    "type": "integer",
                    "description": "File User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "File Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "File user"
                },
                "group": {
                    "type": "string",
                    "description": "File group"
                },
                "attribute_name": {
                    "type": "string",
                    "description": "File extended attribute name"
                },
                "attribute_namespace": {
                    "type": "string",
                    "description": "File extended attribute namespace"
                },
                "flags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "File flags"
                },
                "access_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File access time"
                },
                "modification_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File modified time"
                },
                "change_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File change time"
                },
                "package_name": {
                    "type": "string",
                    "description": "System package name"
                },
                "package_version": {
                    "type": "string",
                    "description": "System package version"
                },
                "package_epoch": {
                    "type": "integer",
                    "description": "System package epoch"
                },
                "package_release": {
                    "type": "string",
                    "description": "System package release"
                },
                "package_source_version": {
                    "type": "string",
                    "description": "System package source version"
                },
                "package_source_epoch": {
                    "type": "integer",
                    "description": "System package source epoch"
                },
                "package_source_release": {
                    "type": "string",
                    "description": "System package source release"
                },
                "hashes": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of cryptographic hashes of the file"
                },
                "hash_state": {
                    "type": "string",
                    "description": "State of the hashes or reason why they weren't computed"
                },
                "mount_path": {
                    "type": "string",
                    "description": "MountPath path of the mount"
                },
                "mount_source": {
                    "type": "string",
                    "description": "MountSource source of the mount"
                },
                "mount_origin": {
                    "type": "string",
                    "description": "MountOrigin origin of the mount"
                },
                "mount_visible": {
                    "type": "boolean",
                    "description": "MountVisible reports whether the mount is visible"
                },
                "mount_detached": {
                    "type": "boolean",
                    "description": "MountDetached reports whether the mount is detached"
                },
                "metadata": {
                    "$ref": "#/$defs/FileMetadata"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "FileSerializer serializes a file to JSON"
        },
        "FileEvent": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "File path"
                },
                "name": {
                    "type": "string",
                    "description": "File basename"
                },
                "extension": {
                    "type": "string",
                    "description": "File extension"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Error message from path resolution"
                },
                "inode": {
                    "type": "integer",
                    "description": "File inode number"
                },
                "mode": {
                    "type": "integer",
                    "description": "File mode"
                },
                "in_upper_layer": {
                    "type": "boolean",
                    "description": "Indicator of file OverlayFS layer"
                },
                "mount_id": {
                    "type": "integer",
                    "description": "File mount ID"
                },
                "filesystem": {
                    "type": "string",
                    "description": "File filesystem name"
                },
                "uid": {
                    "type": "integer",
                    "description": "File User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "File Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "File user"
                },
                "group": {
                    "type": "string",
                    "description": "File group"
                },
                "attribute_name": {
                    "type": "string",
                    "description": "File extended attribute name"
                },
                "attribute_namespace": {
                    "type": "string",
                    "description": "File extended attribute namespace"
                },
                "flags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "File flags"
                },
                "access_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File access time"
                },
                "modification_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File modified time"
                },
                "change_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "File change time"
                },
                "package_name": {
                    "type": "string",
                    "description": "System package name"
                },
                "package_version": {
                    "type": "string",
                    "description": "System package version"
                },
                "package_epoch": {
                    "type": "integer",
                    "description": "System package epoch"
                },
                "package_release": {
                    "type": "string",
                    "description": "System package release"
                },
                "package_source_version": {
                    "type": "string",
                    "description": "System package source version"
                },
                "package_source_epoch": {
                    "type": "integer",
                    "description": "System package source epoch"
                },
                "package_source_release": {
                    "type": "string",
                    "description": "System package source release"
                },
                "hashes": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of cryptographic hashes of the file"
                },
                "hash_state": {
                    "type": "string",
                    "description": "State of the hashes or reason why they weren't computed"
                },
                "mount_path": {
                    "type": "string",
                    "description": "MountPath path of the mount"
                },
                "mount_source": {
                    "type": "string",
                    "description": "MountSource source of the mount"
                },
                "mount_origin": {
                    "type": "string",
                    "description": "MountOrigin origin of the mount"
                },
                "mount_visible": {
                    "type": "boolean",
                    "description": "MountVisible reports whether the mount is visible"
                },
                "mount_detached": {
                    "type": "boolean",
                    "description": "MountDetached reports whether the mount is detached"
                },
                "metadata": {
                    "$ref": "#/$defs/FileMetadata"
                },
                "destination": {
                    "$ref": "#/$defs/File",
                    "description": "Target file information"
                },
                "new_mount_id": {
                    "type": "integer",
                    "description": "New Mount ID"
                },
                "device": {
                    "type": "integer",
                    "description": "Device associated with the file"
                },
                "fstype": {
                    "type": "string",
                    "description": "Filesystem type"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "FileEventSerializer serializes a file event to JSON"
        },
        "FileMetadata": {
            "properties": {
                "size": {
                    "type": "integer"
                },
                "type": {
                    "type": "string"
                },
                "is_executable": {
                    "type": "boolean"
                },
                "architecture": {
                    "type": "string"
                },
                "abi": {
                    "type": "string"
                },
                "is_upx_packed": {
                    "type": "boolean"
                },
                "compression": {
                    "type": "string"
                },
                "is_garble_obfuscated": {
                    "type": "boolean"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "FileMetadataSerializer serializes a file metadata"
        },
        "Flow": {
            "properties": {
                "l3_protocol": {
                    "type": "string",
                    "description": "l3_protocol is the layer 3 protocol name"
                },
                "l4_protocol": {
                    "type": "string",
                    "description": "l4_protocol is the layer 4 protocol name"
                },
                "source": {
                    "$ref": "#/$defs/IPPort",
                    "description": "source is the emitter of the network event"
                },
                "destination": {
                    "$ref": "#/$defs/IPPort",
                    "description": "destination is the receiver of the network event"
                },
                "ingress": {
                    "$ref": "#/$defs/NetworkStats",
                    "description": "ingress holds the network statistics for ingress traffic"
                },
                "egress": {
                    "$ref": "#/$defs/NetworkStats",
                    "description": "egress holds the network statistics for egress traffic"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "l3_protocol",
                "l4_protocol",
                "source",
                "destination"
            ],
            "description": "FlowSerializer defines a new flow serializer"
        },
        "IMDSEvent": {
            "properties": {
                "type": {
                    "type": "string",
                    "description": "type is the type of IMDS event"
                },
                "cloud_provider": {
                    "type": "string",
                    "description": "cloud_provider is the intended cloud provider of the IMDS event"
                },
                "url": {
                    "type": "string",
                    "description": "url is the url of the IMDS request"
                },
                "host": {
                    "type": "string",
                    "description": "host is the host of the HTTP protocol"
                },
                "user_agent": {
                    "type": "string",
                    "description": "user_agent is the user agent of the HTTP client"
                },
                "server": {
                    "type": "string",
                    "description": "server is the server header of a response"
                },
                "aws": {
                    "$ref": "#/$defs/AWSIMDSEvent",
                    "description": "AWS holds the AWS specific data parsed from the IMDS event"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "type",
                "cloud_provider"
            ],
            "description": "IMDSEventSerializer serializes an IMDS event to JSON"
        },
        "IPPort": {
            "properties": {
                "ip": {
                    "type": "string",
                    "description": "IP address"
                },
                "port": {
                    "type": "integer",
                    "description": "Port number"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "ip",
                "port"
            ],
            "description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
        },
        "IPPortFamily": {
            "properties": {
                "family": {
                    "type": "string",
                    "description": "Address family"
                },
                "ip": {
                    "type": "string",
                    "description": "IP address"
                },
                "port": {
                    "type": "integer",
                    "description": "Port number"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "family",
                "ip",
                "port"
            ],
            "description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
        },
        "Layer": {
            "properties": {
                "type": {
                    "type": "string"
                },
                "Layer": {
                    "$ref": "#/$defs/Layer"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "type",
                "Layer"
            ],
            "description": "LayerSerializer defines a layer serializer"
        },
        "MMapEvent": {
            "properties": {
                "address": {
                    "type": "string",
                    "description": "memory segment address"
                },
                "offset": {
                    "type": "integer",
                    "description": "file offset"
                },
                "length": {
                    "type": "integer",
                    "description": "memory segment length"
                },
                "protection": {
                    "type": "string",
                    "description": "memory segment protection"
                },
                "flags": {
                    "type": "string",
                    "description": "memory segment flags"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "address",
                "offset",
                "length",
                "protection",
                "flags"
            ],
            "description": "MMapEventSerializer serializes a mmap event to JSON"
        },
        "MProtectEvent": {
            "properties": {
                "vm_start": {
                    "type": "string",
                    "description": "memory segment start address"
                },
                "vm_end": {
                    "type": "string",
                    "description": "memory segment end address"
                },
                "vm_protection": {
                    "type": "string",
                    "description": "initial memory segment protection"
                },
                "req_protection": {
                    "type": "string",
                    "description": "new memory segment protection"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "vm_start",
                "vm_end",
                "vm_protection",
                "req_protection"
            ],
            "description": "MProtectEventSerializer serializes an mprotect event to JSON"
        },
        "MatchedRule": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "ID of the rule"
                },
                "version": {
                    "type": "string",
                    "description": "Version of the rule"
                },
                "tags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Tags of the rule"
                },
                "policy_name": {
                    "type": "string",
                    "description": "Name of the policy that introduced the rule"
                },
                "policy_version": {
                    "type": "string",
                    "description": "Version of the policy that introduced the rule"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "MatchedRuleSerializer serializes a rule"
        },
        "MatchingSubExpr": {
            "properties": {
                "offset": {
                    "type": "integer"
                },
                "length": {
                    "type": "integer"
                },
                "value": {
                    "type": "string"
                },
                "field": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "offset",
                "length",
                "value"
            ],
            "description": "MatchingSubExpr serializes matching sub expression to JSON"
        },
        "ModuleEvent": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "module name"
                },
                "loaded_from_memory": {
                    "type": "boolean",
                    "description": "indicates if a module was loaded from memory, as opposed to a file"
                },
                "argv": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array"
                },
                "args_truncated": {
                    "type": "boolean"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "name"
            ],
            "description": "ModuleEventSerializer serializes a module event to JSON"
        },
        "MountEvent": {
            "properties": {
                "mp": {
                    "$ref": "#/$defs/File",
                    "description": "Mount point file information"
                },
                "root": {
                    "$ref": "#/$defs/File",
                    "description": "Root file information"
                },
                "mount_id": {
                    "type": "integer",
                    "description": "Mount ID of the new mount"
                },
                "parent_mount_id": {
                    "type": "integer",
                    "description": "Mount ID of the parent mount"
                },
                "bind_src_mount_id": {
                    "type": "integer",
                    "description": "Mount ID of the source of a bind mount"
                },
                "device": {
                    "type": "integer",
                    "description": "Device associated with the file"
                },
                "fs_type": {
                    "type": "string",
                    "description": "Filesystem type"
                },
                "mountpoint.path": {
                    "type": "string",
                    "description": "Mount point path"
                },
                "source.path": {
                    "type": "string",
                    "description": "Mount source path"
                },
                "mountpoint.path_error": {
                    "type": "string",
                    "description": "Mount point path error"
                },
                "source.path_error": {
                    "type": "string",
                    "description": "Mount source path error"
                },
                "detached": {
                    "type": "boolean",
                    "description": "Mount is not attached to the VFS tree"
                },
                "visible": {
                    "type": "boolean",
                    "description": "Mount is not visible in the VFS tree"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "mount_id",
                "parent_mount_id",
                "bind_src_mount_id",
                "device"
            ],
            "description": "MountEventSerializer serializes a mount event to JSON"
        },
        "NetworkContext": {
            "properties": {
                "device": {
                    "$ref": "#/$defs/NetworkDevice",
                    "description": "device is the network device on which the event was captured"
                },
                "l3_protocol": {
                    "type": "string",
                    "description": "l3_protocol is the layer 3 protocol name"
                },
                "l4_protocol": {
                    "type": "string",
                    "description": "l4_protocol is the layer 4 protocol name"
                },
                "source": {
                    "$ref": "#/$defs/IPPort",
                    "description": "source is the emitter of the network event"
                },
                "destination": {
                    "$ref": "#/$defs/IPPort",
                    "description": "destination is the receiver of the network event"
                },
                "size": {
                    "type": "integer",
                    "description": "size is the size in bytes of the network event"
                },
                "network_direction": {
                    "type": "string",
                    "description": "network_direction indicates if the packet was captured on ingress or egress"
                },
                "type": {
                    "type": "string",
                    "description": "type is the type of the protocol of the network event"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "l3_protocol",
                "l4_protocol",
                "source",
                "destination",
                "size"
            ],
            "description": "NetworkContextSerializer serializes the network context to JSON"
        },
        "NetworkDevice": {
            "properties": {
                "netns": {
                    "type": "integer",
                    "description": "netns is the network namespace of the interface"
                },
                "ifindex": {
                    "type": "integer",
                    "description": "ifindex is the network interface ifindex"
                },
                "ifname": {
                    "type": "string",
                    "description": "ifname is the network interface name"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "netns",
                "ifindex",
                "ifname"
            ],
            "description": "NetworkDeviceSerializer serializes the network device context to JSON"
        },
        "NetworkFlowMonitor": {
            "properties": {
                "device": {
                    "$ref": "#/$defs/NetworkDevice",
                    "description": "device is the network device on which the event was captured"
                },
                "flows": {
                    "items": {
                        "$ref": "#/$defs/Flow"
                    },
                    "type": "array",
                    "description": "flows is the list of flows with network statistics that were captured"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "NetworkFlowMonitorSerializer defines a network monitor event serializer"
        },
        "NetworkStats": {
            "properties": {
                "data_size": {
                    "type": "integer",
                    "description": "data_size is the total count of bytes sent or received"
                },
                "packet_count": {
                    "type": "integer",
                    "description": "packet_count is the total count of packets sent or received"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "NetworkStatsSerializer defines a new network stats serializer"
        },
        "PTraceEvent": {
            "properties": {
                "request": {
                    "type": "string",
                    "description": "ptrace request"
                },
                "address": {
                    "type": "string",
                    "description": "address at which the ptrace request was executed"
                },
                "tracee": {
                    "$ref": "#/$defs/ProcessContext",
                    "description": "process context of the tracee"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "request",
                "address"
            ],
            "description": "PTraceEventSerializer serializes a ptrace event to JSON"
        },
        "PrCtlEvent": {
            "properties": {
                "option": {
                    "type": "string",
                    "description": "PrCtl Option"
                },
                "new_name": {
                    "type": "string",
                    "description": "New name of the process"
                },
                "is_name_truncated": {
                    "type": "boolean",
                    "description": "Name truncated"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "option"
            ],
            "description": "PrCtlEventSerializer serializes a prctl event"
        },
        "Process": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "tid": {
                    "type": "integer",
                    "description": "Thread ID"
                },
                "uid": {
                    "type": "integer",
                    "description": "User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Description of an error in the path resolution"
                },
                "comm": {
                    "type": "string",
                    "description": "Command name"
                },
                "tty": {
                    "type": "string",
                    "description": "TTY associated with the process"
                },
                "fork_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Fork time of the process"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "credentials": {
                    "$ref": "#/$defs/ProcessCredentials",
                    "description": "Credentials associated with the process"
                },
                "caps_attempted": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "CapsAttempted lists the capabilities that this process tried to use"
                },
                "caps_used": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "CapsUsed lists the capabilities that this process effectively made use of"
                },
                "user_session": {
                    "$ref": "#/$defs/UserSessionContext",
                    "description": "Context of the user session for this event"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "interpreter": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the interpreter"
                },
                "cgroup": {
                    "$ref": "#/$defs/CGroupContext",
                    "description": "CGroup context"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "argv0": {
                    "type": "string",
                    "description": "First command line argument"
                },
                "args": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Command line arguments"
                },
                "args_truncated": {
                    "type": "boolean",
                    "description": "Indicator of arguments truncation"
                },
                "envs": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Environment variables of the process"
                },
                "envs_truncated": {
                    "type": "boolean",
                    "description": "Indicator of environment variables truncation"
                },
                "is_thread": {
                    "type": "boolean",
                    "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
                },
                "is_kworker": {
                    "type": "boolean",
                    "description": "Indicates whether the process is a kworker"
                },
                "is_exec_child": {
                    "type": "boolean",
                    "description": "Indicates whether the process is an exec following another exec"
                },
                "source": {
                    "type": "string",
                    "description": "Process source"
                },
                "syscalls": {
                    "$ref": "#/$defs/SyscallsEvent",
                    "description": "List of syscalls captured to generate the event"
                },
                "aws_security_credentials": {
                    "items": {
                        "$ref": "#/$defs/AWSSecurityCredentials"
                    },
                    "type": "array",
                    "description": "List of AWS Security Credentials that the process had access to"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "ProcessSerializer serializes a process to JSON"
        },
        "ProcessContext": {
            "properties": {
                "pid": {
                    "type": "integer",
                    "description": "Process ID"
                },
                "ppid": {
                    "type": "integer",
                    "description": "Parent Process ID"
                },
                "tid": {
                    "type": "integer",
                    "description": "Thread ID"
                },
                "uid": {
                    "type": "integer",
                    "description": "User ID"
                },
                "gid": {
                    "type": "integer",
                    "description": "Group ID"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                },
                "path_resolution_error": {
                    "type": "string",
                    "description": "Description of an error in the path resolution"
                },
                "comm": {
                    "type": "string",
                    "description": "Command name"
                },
                "tty": {
                    "type": "string",
                    "description": "TTY associated with the process"
                },
                "fork_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Fork time of the process"
                },
                "exec_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exec time of the process"
                },
                "exit_time": {
                    "type": "string",
                    "format": "date-time",
                    "description": "Exit time of the process"
                },
                "credentials": {
                    "$ref": "#/$defs/ProcessCredentials",
                    "description": "Credentials associated with the process"
                },
                "caps_attempted": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "CapsAttempted lists the capabilities that this process tried to use"
                },
                "caps_used": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "CapsUsed lists the capabilities that this process effectively made use of"
                },
                "user_session": {
                    "$ref": "#/$defs/UserSessionContext",
                    "description": "Context of the user session for this event"
                },
                "executable": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the executable"
                },
                "interpreter": {
                    "$ref": "#/$defs/File",
                    "description": "File information of the interpreter"
                },
                "cgroup": {
                    "$ref": "#/$defs/CGroupContext",
                    "description": "CGroup context"
                },
                "container": {
                    "$ref": "#/$defs/ContainerContext",
                    "description": "Container context"
                },
                "argv0": {
                    "type": "string",
                    "description": "First command line argument"
                },
                "args": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Command line arguments"
                },
                "args_truncated": {
                    "type": "boolean",
                    "description": "Indicator of arguments truncation"
                },
                "envs": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Environment variables of the process"
                },
                "envs_truncated": {
                    "type": "boolean",
                    "description": "Indicator of environment variables truncation"
                },
                "is_thread": {
                    "type": "boolean",
                    "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
                },
                "is_kworker": {
                    "type": "boolean",
                    "description": "Indicates whether the process is a kworker"
                },
                "is_exec_child": {
                    "type": "boolean",
                    "description": "Indicates whether the process is an exec following another exec"
                },
                "source": {
                    "type": "string",
                    "description": "Process source"
                },
                "syscalls": {
                    "$ref": "#/$defs/SyscallsEvent",
                    "description": "List of syscalls captured to generate the event"
                },
                "aws_security_credentials": {
                    "items": {
                        "$ref": "#/$defs/AWSSecurityCredentials"
                    },
                    "type": "array",
                    "description": "List of AWS Security Credentials that the process had access to"
                },
                "parent": {
                    "$ref": "#/$defs/Process",
                    "description": "Parent process"
                },
                "ancestors": {
                    "items": {
                        "$ref": "#/$defs/Process"
                    },
                    "type": "array",
                    "description": "Ancestor processes"
                },
                "variables": {
                    "$ref": "#/$defs/Variables",
                    "description": "Variables values"
                },
                "truncated_ancestors": {
                    "type": "boolean",
                    "description": "True if the ancestors list was truncated because it was too big"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid"
            ],
            "description": "ProcessContextSerializer serializes a process context to JSON"
        },
        "ProcessCredentials": {
            "properties": {
                "uid": {
                    "type": "integer",
                    "description": "User ID"
                },
                "user": {
                    "type": "string",
                    "description": "User name"
                },
                "gid": {
                    "type": "integer",
                    "description": "Group ID"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                },
                "euid": {
                    "type": "integer",
                    "description": "Effective User ID"
                },
                "euser": {
                    "type": "string",
                    "description": "Effective User name"
                },
                "egid": {
                    "type": "integer",
                    "description": "Effective Group ID"
                },
                "egroup": {
                    "type": "string",
                    "description": "Effective Group name"
                },
                "fsuid": {
                    "type": "integer",
                    "description": "Filesystem User ID"
                },
                "fsuser": {
                    "type": "string",
                    "description": "Filesystem User name"
                },
                "fsgid": {
                    "type": "integer",
                    "description": "Filesystem Group ID"
                },
                "fsgroup": {
                    "type": "string",
                    "description": "Filesystem Group name"
                },
                "auid": {
                    "type": "integer",
                    "description": "Login UID"
                },
                "cap_effective": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Effective Capability set"
                },
                "cap_permitted": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Permitted Capability set"
                },
                "destination": {
                    "description": "Credentials after the operation"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "uid",
                "gid",
                "euid",
                "egid",
                "fsuid",
                "fsgid",
                "auid",
                "cap_effective",
                "cap_permitted"
            ],
            "description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
        },
        "RawPacket": {
            "properties": {
                "device": {
                    "$ref": "#/$defs/NetworkDevice",
                    "description": "device is the network device on which the event was captured"
                },
                "l3_protocol": {
                    "type": "string",
                    "description": "l3_protocol is the layer 3 protocol name"
                },
                "l4_protocol": {
                    "type": "string",
                    "description": "l4_protocol is the layer 4 protocol name"
                },
                "source": {
                    "$ref": "#/$defs/IPPort",
                    "description": "source is the emitter of the network event"
                },
                "destination": {
                    "$ref": "#/$defs/IPPort",
                    "description": "destination is the receiver of the network event"
                },
                "size": {
                    "type": "integer",
                    "description": "size is the size in bytes of the network event"
                },
                "network_direction": {
                    "type": "string",
                    "description": "network_direction indicates if the packet was captured on ingress or egress"
                },
                "type": {
                    "type": "string",
                    "description": "type is the type of the protocol of the network event"
                },
                "tls": {
                    "$ref": "#/$defs/TLSContext"
                },
                "dropped": {
                    "type": "boolean"
                },
                "layers": {
                    "items": {
                        "$ref": "#/$defs/Layer"
                    },
                    "type": "array"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "l3_protocol",
                "l4_protocol",
                "source",
                "destination",
                "size"
            ],
            "description": "RawPacketSerializer defines a raw packet serializer"
        },
        "RuleContext": {
            "properties": {
                "matching_subexprs": {
                    "items": {
                        "$ref": "#/$defs/MatchingSubExpr"
                    },
                    "type": "array"
                },
                "expression": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "RuleContext serializes rule context to JSON"
        },
        "SELinuxBoolChange": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "SELinux boolean name"
                },
                "state": {
                    "type": "string",
                    "description": "SELinux boolean state ('on' or 'off')"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
        },
        "SELinuxBoolCommit": {
            "properties": {
                "state": {
                    "type": "boolean",
                    "description": "SELinux boolean commit operation"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
        },
        "SELinuxEnforceStatus": {
            "properties": {
                "status": {
                    "type": "string",
                    "description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
        },
        "SELinuxEvent": {
            "properties": {
                "bool": {
                    "$ref": "#/$defs/SELinuxBoolChange",
                    "description": "SELinux boolean operation"
                },
                "enforce": {
                    "$ref": "#/$defs/SELinuxEnforceStatus",
                    "description": "SELinux enforcement change"
                },
                "bool_commit": {
                    "$ref": "#/$defs/SELinuxBoolCommit",
                    "description": "SELinux boolean commit"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SELinuxEventSerializer serializes a SELinux context to JSON"
        },
        "SecurityProfileContext": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the security profile"
                },
                "version": {
                    "type": "string",
                    "description": "Version of the profile in use"
                },
                "tags": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "List of tags associated with this profile"
                },
                "event_in_profile": {
                    "type": "boolean",
                    "description": "True if the corresponding event is part of this profile"
                },
                "event_type_state": {
                    "type": "string",
                    "description": "State of the event type in this profile"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "name",
                "version",
                "tags",
                "event_in_profile",
                "event_type_state"
            ],
            "description": "SecurityProfileContextSerializer serializes the security profile context in an event"
        },
        "SetSockOptEvent": {
            "properties": {
                "socket_type": {
                    "type": "string",
                    "description": "Socket type"
                },
                "socket_family": {
                    "type": "string",
                    "description": "Socket family"
                },
                "filter_len": {
                    "type": "integer",
                    "description": "Length of the filter"
                },
                "socket_protocol": {
                    "type": "string",
                    "description": "Socket protocol"
                },
                "level": {
                    "type": "string",
                    "description": "Level at which the option is defined"
                },
                "optname": {
                    "type": "string",
                    "description": "Name of the option being set"
                },
                "is_filter_truncated": {
                    "type": "boolean",
                    "description": "Filter truncated"
                },
                "filter": {
                    "type": "string",
                    "description": "Filter instructions"
                },
                "filter_hash": {
                    "type": "string",
                    "description": "Filter hash"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "socket_type",
                "socket_family",
                "socket_protocol",
                "level",
                "optname"
            ],
            "description": "SetSockOptEventSerializer defines a setsockopt event serializer"
        },
        "SetrlimitEvent": {
            "properties": {
                "resource": {
                    "type": "string",
                    "description": "Resource being limited"
                },
                "rlim_cur": {
                    "type": "integer",
                    "description": "Current limit"
                },
                "rlim_max": {
                    "type": "integer",
                    "description": "Maximum limit"
                },
                "target": {
                    "$ref": "#/$defs/ProcessContext",
                    "description": "process context of the setrlimit target"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "resource",
                "rlim_cur",
                "rlim_max"
            ],
            "description": "SetrlimitEventSerializer serializes a setrlimit event"
        },
        "SignalEvent": {
            "properties": {
                "type": {
                    "type": "string",
                    "description": "signal type"
                },
                "pid": {
                    "type": "integer",
                    "description": "signal target pid"
                },
                "target": {
                    "$ref": "#/$defs/ProcessContext",
                    "description": "process context of the signal target"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "type",
                "pid"
            ],
            "description": "SignalEventSerializer serializes a signal event to JSON"
        },
        "SpliceEvent": {
            "properties": {
                "pipe_entry_flag": {
                    "type": "string",
                    "description": "Entry flag of the fd_out pipe passed to the splice syscall"
                },
                "pipe_exit_flag": {
                    "type": "string",
                    "description": "Exit flag of the fd_out pipe passed to the splice syscall"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "pipe_entry_flag",
                "pipe_exit_flag"
            ],
            "description": "SpliceEventSerializer serializes a splice event to JSON"
        },
        "SysCtlEvent": {
            "properties": {
                "proc": {
                    "type": "object",
                    "description": "Proc contains the /proc system control parameters and their values"
                },
                "action": {
                    "type": "string",
                    "description": "action performed on the system control parameter"
                },
                "file_position": {
                    "type": "integer",
                    "description": "file_position is the position in the sysctl control parameter file at which the action occurred"
                },
                "name": {
                    "type": "string",
                    "description": "name is the name of the system control parameter"
                },
                "name_truncated": {
                    "type": "boolean",
                    "description": "name_truncated indicates if the name field is truncated"
                },
                "value": {
                    "type": "string",
                    "description": "value is the new and/or current value for the system control parameter depending on the action type"
                },
                "value_truncated": {
                    "type": "boolean",
                    "description": "value_truncated indicates if the value field is truncated"
                },
                "old_value": {
                    "type": "string",
                    "description": "old_value is the old value of the system control parameter"
                },
                "old_value_truncated": {
                    "type": "boolean",
                    "description": "old_value_truncated indicates if the old_value field is truncated"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SysCtlEventSerializer defines a sysctl event serializer"
        },
        "Syscall": {
            "properties": {
                "name": {
                    "type": "string",
                    "description": "Name of the syscall"
                },
                "id": {
                    "type": "integer",
                    "description": "ID of the syscall in the host architecture"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "required": [
                "name",
                "id"
            ],
            "description": "SyscallSerializer serializes a syscall"
        },
        "SyscallArgs": {
            "properties": {
                "path": {
                    "type": "string",
                    "description": "Path argument"
                },
                "flags": {
                    "type": "integer",
                    "description": "Flags argument"
                },
                "mode": {
                    "type": "integer",
                    "description": "Mode argument"
                },
                "uid": {
                    "type": "integer",
                    "description": "UID argument"
                },
                "gid": {
                    "type": "integer",
                    "description": "GID argument"
                },
                "dirfd": {
                    "type": "integer",
                    "description": "Directory file descriptor argument"
                },
                "destination_path": {
                    "type": "string",
                    "description": "Destination path argument"
                },
                "fs_type": {
                    "type": "string",
                    "description": "File system type argument"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SyscallArgsSerializer serializes syscall arguments"
        },
        "SyscallContext": {
            "properties": {
                "chmod": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "chown": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "chdir": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "exec": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "open": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "unlink": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "link": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "rename": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "utimes": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "mount": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "mkdir": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "rmdir": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "setsockopt": {
                    "$ref": "#/$defs/SyscallArgs"
                },
                "prctl": {
                    "$ref": "#/$defs/SyscallArgs"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "SyscallContextSerializer serializes syscall context"
        },
        "SyscallsEvent": {
            "items": {
                "$ref": "#/$defs/Syscall"
            },
            "type": "array",
            "description": "SyscallsEventSerializer serializes the syscalls from a syscalls event"
        },
        "TLSContext": {
            "properties": {
                "version": {
                    "type": "string"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "TLSContextSerializer defines a tls context serializer"
        },
        "UserContext": {
            "properties": {
                "id": {
                    "type": "string",
                    "description": "User name"
                },
                "group": {
                    "type": "string",
                    "description": "Group name"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "UserContextSerializer serializes a user context to JSON"
        },
        "UserSessionContext": {
            "properties": {
                "session_type": {
                    "type": "string",
                    "description": "Type of the user session"
                },
                "id": {
                    "type": "string",
                    "description": "Unique identifier of the user session on the host"
                },
                "identity": {
                    "type": "string",
                    "description": "Identity of the user session"
                },
                "k8s_session_id": {
                    "type": "string",
                    "description": "Unique identifier of the user session on the host"
                },
                "k8s_username": {
                    "type": "string",
                    "description": "Username of the Kubernetes \"kubectl exec\" session"
                },
                "k8s_uid": {
                    "type": "string",
                    "description": "UID of the Kubernetes \"kubectl exec\" session"
                },
                "k8s_groups": {
                    "items": {
                        "type": "string"
                    },
                    "type": "array",
                    "description": "Groups of the Kubernetes \"kubectl exec\" session"
                },
                "k8s_extra": {
                    "additionalProperties": {
                        "items": {
                            "type": "string"
                        },
                        "type": "array"
                    },
                    "type": "object",
                    "description": "Extra of the Kubernetes \"kubectl exec\" session"
                },
                "ssh_session_id": {
                    "type": "string",
                    "description": "Unique identifier of the SSH session"
                },
                "ssh_client_port": {
                    "type": "integer",
                    "description": "Port of the SSH session"
                },
                "ssh_client_ip": {
                    "type": "string",
                    "description": "Client IP of the SSH session"
                },
                "ssh_auth_method": {
                    "type": "string",
                    "description": "Authentication method of the SSH session"
                },
                "ssh_public_key": {
                    "type": "string",
                    "description": "Public key of the SSH session"
                }
            },
            "additionalProperties": false,
            "type": "object",
            "description": "UserSessionContextSerializer serializes the user session context to JSON"
        },
        "Variables": {
            "type": "object",
            "description": "Variables serializes the variable values"
        }
    },
    "properties": {
        "agent": {
            "$ref": "#/$defs/AgentContext"
        },
        "title": {
            "type": "string"
        },
        "evt": {
            "$ref": "#/$defs/EventContext"
        },
        "date": {
            "type": "string",
            "format": "date-time"
        },
        "file": {
            "$ref": "#/$defs/FileEvent"
        },
        "exit": {
            "$ref": "#/$defs/ExitEvent"
        },
        "process": {
            "$ref": "#/$defs/ProcessContext"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext"
        },
        "signature": {
            "type": "string"
        },
        "network": {
            "$ref": "#/$defs/NetworkContext"
        },
        "dd": {
            "$ref": "#/$defs/DDContext"
        },
        "security_profile": {
            "$ref": "#/$defs/SecurityProfileContext"
        },
        "cgroup": {
            "$ref": "#/$defs/CGroupContext"
        },
        "selinux": {
            "$ref": "#/$defs/SELinuxEvent"
        },
        "bpf": {
            "$ref": "#/$defs/BPFEvent"
        },
        "mmap": {
            "$ref": "#/$defs/MMapEvent"
        },
        "mprotect": {
            "$ref": "#/$defs/MProtectEvent"
        },
        "ptrace": {
            "$ref": "#/$defs/PTraceEvent"
        },
        "module": {
            "$ref": "#/$defs/ModuleEvent"
        },
        "signal": {
            "$ref": "#/$defs/SignalEvent"
        },
        "splice": {
            "$ref": "#/$defs/SpliceEvent"
        },
        "dns": {
            "$ref": "#/$defs/DNSEvent"
        },
        "imds": {
            "$ref": "#/$defs/IMDSEvent"
        },
        "accept": {
            "$ref": "#/$defs/AcceptEvent"
        },
        "bind": {
            "$ref": "#/$defs/BindEvent"
        },
        "connect": {
            "$ref": "#/$defs/ConnectEvent"
        },
        "mount": {
            "$ref": "#/$defs/MountEvent"
        },
        "syscalls": {
            "$ref": "#/$defs/SyscallsEvent"
        },
        "usr": {
            "$ref": "#/$defs/UserContext"
        },
        "syscall": {
            "$ref": "#/$defs/SyscallContext"
        },
        "packet": {
            "$ref": "#/$defs/RawPacket"
        },
        "network_flow_monitor": {
            "$ref": "#/$defs/NetworkFlowMonitor"
        },
        "sysctl": {
            "$ref": "#/$defs/SysCtlEvent"
        },
        "setsockopt": {
            "$ref": "#/$defs/SetSockOptEvent"
        },
        "cgroup_write": {
            "$ref": "#/$defs/CGroupWriteEvent"
        },
        "capabilities": {
            "$ref": "#/$defs/CapabilitiesEvent"
        },
        "prctl": {
            "$ref": "#/$defs/PrCtlEvent"
        },
        "setrlimit": {
            "$ref": "#/$defs/SetrlimitEvent"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "agent",
        "title"
    ]
}
```

| Parameter              | Type   | Description                       |
| ---------------------- | ------ | --------------------------------- |
| `agent`                | $ref   | Please see AgentContext           |
| `title`                | string |                                   |
| `evt`                  | $ref   | Please see EventContext           |
| `date`                 | string |                                   |
| `file`                 | $ref   | Please see FileEvent              |
| `exit`                 | $ref   | Please see ExitEvent              |
| `process`              | $ref   | Please see ProcessContext         |
| `container`            | $ref   | Please see ContainerContext       |
| `signature`            | string |                                   |
| `network`              | $ref   | Please see NetworkContext         |
| `dd`                   | $ref   | Please see DDContext              |
| `security_profile`     | $ref   | Please see SecurityProfileContext |
| `cgroup`               | $ref   | Please see CGroupContext          |
| `selinux`              | $ref   | Please see SELinuxEvent           |
| `bpf`                  | $ref   | Please see BPFEvent               |
| `mmap`                 | $ref   | Please see MMapEvent              |
| `mprotect`             | $ref   | Please see MProtectEvent          |
| `ptrace`               | $ref   | Please see PTraceEvent            |
| `module`               | $ref   | Please see ModuleEvent            |
| `signal`               | $ref   | Please see SignalEvent            |
| `splice`               | $ref   | Please see SpliceEvent            |
| `dns`                  | $ref   | Please see DNSEvent               |
| `imds`                 | $ref   | Please see IMDSEvent              |
| `accept`               | $ref   | Please see AcceptEvent            |
| `bind`                 | $ref   | Please see BindEvent              |
| `connect`              | $ref   | Please see ConnectEvent           |
| `mount`                | $ref   | Please see MountEvent             |
| `syscalls`             | $ref   | Please see SyscallsEvent          |
| `usr`                  | $ref   | Please see UserContext            |
| `syscall`              | $ref   | Please see SyscallContext         |
| `packet`               | $ref   | Please see RawPacket              |
| `network_flow_monitor` | $ref   | Please see NetworkFlowMonitor     |
| `sysctl`               | $ref   | Please see SysCtlEvent            |
| `setsockopt`           | $ref   | Please see SetSockOptEvent        |
| `cgroup_write`         | $ref   | Please see CGroupWriteEvent       |
| `capabilities`         | $ref   | Please see CapabilitiesEvent      |
| `prctl`                | $ref   | Please see PrCtlEvent             |
| `setrlimit`            | $ref   | Please see SetrlimitEvent         |

## `AWSIMDSEvent`{% #awsimdsevent %}

```json
{
    "properties": {
        "is_imds_v2": {
            "type": "boolean",
            "description": "is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"
        },
        "security_credentials": {
            "$ref": "#/$defs/AWSSecurityCredentials",
            "description": "SecurityCredentials holds the scrubbed data collected on the security credentials"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "is_imds_v2"
    ],
    "description": "AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"
}
```

| Field                  | Description                                                                       |
| ---------------------- | --------------------------------------------------------------------------------- |
| `is_imds_v2`           | is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions         |
| `security_credentials` | SecurityCredentials holds the scrubbed data collected on the security credentials |

| References             |
| ---------------------- |
| AWSSecurityCredentials |

## `AWSSecurityCredentials`{% #awssecuritycredentials %}

```json
{
    "properties": {
        "code": {
            "type": "string",
            "description": "code is the IMDS server code response"
        },
        "type": {
            "type": "string",
            "description": "type is the security credentials type"
        },
        "access_key_id": {
            "type": "string",
            "description": "access_key_id is the unique access key ID of the credentials"
        },
        "last_updated": {
            "type": "string",
            "description": "last_updated is the last time the credentials were updated"
        },
        "expiration": {
            "type": "string",
            "description": "expiration is the expiration date of the credentials"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "code",
        "type",
        "access_key_id",
        "last_updated",
        "expiration"
    ],
    "description": "AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"
}
```

| Field           | Description                                                  |
| --------------- | ------------------------------------------------------------ |
| `code`          | code is the IMDS server code response                        |
| `type`          | type is the security credentials type                        |
| `access_key_id` | access_key_id is the unique access key ID of the credentials |
| `last_updated`  | last_updated is the last time the credentials were updated   |
| `expiration`    | expiration is the expiration date of the credentials         |

## `AcceptEvent`{% #acceptevent %}

```json
{
    "properties": {
        "addr": {
            "$ref": "#/$defs/IPPortFamily",
            "description": "Bound address (if any)"
        },
        "hostnames": {
            "items": {
                "type": "string"
            },
            "type": "array"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "addr",
        "hostnames"
    ],
    "description": "AcceptEventSerializer serializes an accept event to JSON"
}
```

| Field  | Description            |
| ------ | ---------------------- |
| `addr` | Bound address (if any) |

| References   |
| ------------ |
| IPPortFamily |

## `AgentContext`{% #agentcontext %}

```json
{
    "properties": {
        "rule_id": {
            "type": "string"
        },
        "original_rule_id": {
            "type": "string"
        },
        "rule_version": {
            "type": "string"
        },
        "rule_actions": {
            "items": true,
            "type": "array"
        },
        "policy_name": {
            "type": "string"
        },
        "policy_version": {
            "type": "string"
        },
        "version": {
            "type": "string"
        },
        "os": {
            "type": "string"
        },
        "arch": {
            "type": "string"
        },
        "origin": {
            "type": "string"
        },
        "kernel_version": {
            "type": "string"
        },
        "distribution": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "rule_id",
        "original_rule_id"
    ]
}
```

## `BPFEvent`{% #bpfevent %}

```json
{
    "properties": {
        "cmd": {
            "type": "string",
            "description": "BPF command"
        },
        "map": {
            "$ref": "#/$defs/BPFMap",
            "description": "BPF map"
        },
        "program": {
            "$ref": "#/$defs/BPFProgram",
            "description": "BPF program"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "cmd"
    ],
    "description": "BPFEventSerializer serializes a BPF event to JSON"
}
```

| Field     | Description |
| --------- | ----------- |
| `cmd`     | BPF command |
| `map`     | BPF map     |
| `program` | BPF program |

| References |
| ---------- |
| BPFMap     |
| BPFProgram |

## `BPFMap`{% #bpfmap %}

```json
{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the BPF map"
        },
        "map_type": {
            "type": "string",
            "description": "Type of the BPF map"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "BPFMapSerializer serializes a BPF map to JSON"
}
```

| Field      | Description         |
| ---------- | ------------------- |
| `name`     | Name of the BPF map |
| `map_type` | Type of the BPF map |

## `BPFProgram`{% #bpfprogram %}

```json
{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the BPF program"
        },
        "tag": {
            "type": "string",
            "description": "Hash (sha1) of the BPF program"
        },
        "program_type": {
            "type": "string",
            "description": "Type of the BPF program"
        },
        "attach_type": {
            "type": "string",
            "description": "Attach type of the BPF program"
        },
        "helpers": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of helpers used by the BPF program"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "BPFProgramSerializer serializes a BPF program to JSON"
}
```

| Field          | Description                             |
| -------------- | --------------------------------------- |
| `name`         | Name of the BPF program                 |
| `tag`          | Hash (sha1) of the BPF program          |
| `program_type` | Type of the BPF program                 |
| `attach_type`  | Attach type of the BPF program          |
| `helpers`      | List of helpers used by the BPF program |

## `BindEvent`{% #bindevent %}

```json
{
    "properties": {
        "addr": {
            "$ref": "#/$defs/IPPortFamily",
            "description": "Bound address (if any)"
        },
        "protocol": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "addr",
        "protocol"
    ],
    "description": "BindEventSerializer serializes a bind event to JSON"
}
```

| Field  | Description            |
| ------ | ---------------------- |
| `addr` | Bound address (if any) |

| References   |
| ------------ |
| IPPortFamily |

## `CGroupContext`{% #cgroupcontext %}

```json
{
    "properties": {
        "id": {
            "type": "string",
            "description": "CGroup ID"
        },
        "manager": {
            "type": "string",
            "description": "CGroup manager"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "CGroupContextSerializer serializes a cgroup context to JSON"
}
```

| Field       | Description      |
| ----------- | ---------------- |
| `id`        | CGroup ID        |
| `manager`   | CGroup manager   |
| `variables` | Variables values |

| References |
| ---------- |
| Variables  |

## `CGroupWriteEvent`{% #cgroupwriteevent %}

```json
{
    "properties": {
        "file": {
            "$ref": "#/$defs/File",
            "description": "File pointing to the cgroup"
        },
        "pid": {
            "type": "integer",
            "description": "PID of the process added to the cgroup"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "CGroupWriteEventSerializer serializes a cgroup_write event"
}
```

| Field  | Description                            |
| ------ | -------------------------------------- |
| `file` | File pointing to the cgroup            |
| `pid`  | PID of the process added to the cgroup |

| References |
| ---------- |
| File       |

## `CapabilitiesEvent`{% #capabilitiesevent %}

```json
{
    "properties": {
        "caps_attempted": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Capabilities that the process attempted to use since it started running"
        },
        "caps_used": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Capabilities that the process successfully used since it started running"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "CapabilitiesEventSerializer serializes a capabilities usage event"
}
```

| Field            | Description                                                              |
| ---------------- | ------------------------------------------------------------------------ |
| `caps_attempted` | Capabilities that the process attempted to use since it started running  |
| `caps_used`      | Capabilities that the process successfully used since it started running |

## `ConnectEvent`{% #connectevent %}

```json
{
    "properties": {
        "addr": {
            "$ref": "#/$defs/IPPortFamily"
        },
        "hostnames": {
            "items": {
                "type": "string"
            },
            "type": "array"
        },
        "protocol": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "addr",
        "hostnames",
        "protocol"
    ],
    "description": "ConnectEventSerializer serializes a connect event to JSON"
}
```

| References   |
| ------------ |
| IPPortFamily |

## `ContainerContext`{% #containercontext %}

```json
{
    "properties": {
        "id": {
            "type": "string",
            "description": "Container ID"
        },
        "created_at": {
            "type": "string",
            "format": "date-time",
            "description": "Creation time of the container"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "ContainerContextSerializer serializes a container context to JSON"
}
```

| Field        | Description                    |
| ------------ | ------------------------------ |
| `id`         | Container ID                   |
| `created_at` | Creation time of the container |
| `variables`  | Variables values               |

| References |
| ---------- |
| Variables  |

## `DDContext`{% #ddcontext %}

```json
{
    "properties": {
        "span_id": {
            "type": "string",
            "description": "Span ID used for APM correlation"
        },
        "trace_id": {
            "type": "string",
            "description": "Trace ID used for APM correlation"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "DDContextSerializer serializes a span context to JSON"
}
```

| Field      | Description                       |
| ---------- | --------------------------------- |
| `span_id`  | Span ID used for APM correlation  |
| `trace_id` | Trace ID used for APM correlation |

## `DNSEvent`{% #dnsevent %}

```json
{
    "properties": {
        "id": {
            "type": "integer",
            "description": "id is the unique identifier of the DNS request"
        },
        "is_query": {
            "type": "boolean",
            "description": "is_query is true for a question and false for a response"
        },
        "question": {
            "$ref": "#/$defs/DNSQuestion",
            "description": "question is a DNS question for the DNS request"
        },
        "response": {
            "$ref": "#/$defs/DNSResponseEvent",
            "description": "response is a DNS response for the DNS request"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "id",
        "is_query",
        "question",
        "response"
    ],
    "description": "DNSEventSerializer serializes a DNS event to JSON"
}
```

| Field      | Description                                                    |
| ---------- | -------------------------------------------------------------- |
| `id`       | id is the unique identifier of the DNS request                 |
| `is_query` | is_query is true for a question and false for a response       |
| `question` | question is a DNS question for the DNS request                 |
| `response` | response is a DNS response for the DNS request                 |

| References       |
| ---------------- |
| DNSQuestion      |
| DNSResponseEvent |

## `DNSQuestion`{% #dnsquestion %}

```json
{
    "properties": {
        "class": {
            "type": "string",
            "description": "class is the class looked up by the DNS question"
        },
        "type": {
            "type": "string",
            "description": "type is a two octet code which specifies the DNS question type"
        },
        "name": {
            "type": "string",
            "description": "name is the queried domain name"
        },
        "size": {
            "type": "integer",
            "description": "size is the total DNS request size in bytes"
        },
        "count": {
            "type": "integer",
            "description": "count is the total count of questions in the DNS request"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "class",
        "type",
        "name",
        "size",
        "count"
    ],
    "description": "DNSQuestionSerializer serializes a DNS question to JSON"
}
```

| Field   | Description                                                    |
| ------- | -------------------------------------------------------------- |
| `class` | class is the class looked up by the DNS question               |
| `type`  | type is a two octet code which specifies the DNS question type |
| `name`  | name is the queried domain name                                |
| `size`  | size is the total DNS request size in bytes                    |
| `count` | count is the total count of questions in the DNS request       |

## `DNSResponseEvent`{% #dnsresponseevent %}

```json
{
    "properties": {
        "code": {
            "type": "integer",
            "description": "RCode is the response code present in the response"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "code"
    ],
    "description": "DNSResponseEventSerializer serializes a DNS response event to JSON"
}
```

| Field  | Description                                        |
| ------ | -------------------------------------------------- |
| `code` | RCode is the response code present in the response |

## `EventContext`{% #eventcontext %}

```json
{
    "properties": {
        "name": {
            "type": "string",
            "description": "Event name"
        },
        "category": {
            "type": "string",
            "description": "Event category"
        },
        "outcome": {
            "type": "string",
            "description": "Event outcome"
        },
        "async": {
            "type": "boolean",
            "description": "True if the event was asynchronous"
        },
        "matched_rules": {
            "items": {
                "$ref": "#/$defs/MatchedRule"
            },
            "type": "array",
            "description": "The list of rules that the event matched (only valid in the context of an anomaly)"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        },
        "rule_context": {
            "$ref": "#/$defs/RuleContext",
            "description": "RuleContext rule context"
        },
        "source": {
            "type": "string",
            "description": "Source of the event"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "EventContextSerializer serializes an event context to JSON"
}
```

| Field           | Description                                                                        |
| --------------- | ---------------------------------------------------------------------------------- |
| `name`          | Event name                                                                         |
| `category`      | Event category                                                                     |
| `outcome`       | Event outcome                                                                      |
| `async`         | True if the event was asynchronous                                                 |
| `matched_rules` | The list of rules that the event matched (only valid in the context of an anomaly) |
| `variables`     | Variables values                                                                   |
| `rule_context`  | RuleContext rule context                                                           |
| `source`        | Source of the event                                                                |

| References  |
| ----------- |
| Variables   |
| RuleContext |

## `ExitEvent`{% #exitevent %}

```json
{
    "properties": {
        "cause": {
            "type": "string",
            "description": "Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"
        },
        "code": {
            "type": "integer",
            "description": "Exit code of the process or number of the signal that caused the process to terminate"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "cause",
        "code"
    ],
    "description": "ExitEventSerializer serializes an exit event to JSON"
}
```

| Field   | Description                                                                           |
| ------- | ------------------------------------------------------------------------------------- |
| `cause` | Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)                |
| `code`  | Exit code of the process or number of the signal that caused the process to terminate |

## `File`{% #file %}

```json
{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "extension": {
            "type": "string",
            "description": "File extension"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Error message from path resolution"
        },
        "inode": {
            "type": "integer",
            "description": "File inode number"
        },
        "mode": {
            "type": "integer",
            "description": "File mode"
        },
        "in_upper_layer": {
            "type": "boolean",
            "description": "Indicator of file OverlayFS layer"
        },
        "mount_id": {
            "type": "integer",
            "description": "File mount ID"
        },
        "filesystem": {
            "type": "string",
            "description": "File filesystem name"
        },
        "uid": {
            "type": "integer",
            "description": "File User ID"
        },
        "gid": {
            "type": "integer",
            "description": "File Group ID"
        },
        "user": {
            "type": "string",
            "description": "File user"
        },
        "group": {
            "type": "string",
            "description": "File group"
        },
        "attribute_name": {
            "type": "string",
            "description": "File extended attribute name"
        },
        "attribute_namespace": {
            "type": "string",
            "description": "File extended attribute namespace"
        },
        "flags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "File flags"
        },
        "access_time": {
            "type": "string",
            "format": "date-time",
            "description": "File access time"
        },
        "modification_time": {
            "type": "string",
            "format": "date-time",
            "description": "File modified time"
        },
        "change_time": {
            "type": "string",
            "format": "date-time",
            "description": "File change time"
        },
        "package_name": {
            "type": "string",
            "description": "System package name"
        },
        "package_version": {
            "type": "string",
            "description": "System package version"
        },
        "package_epoch": {
            "type": "integer",
            "description": "System package epoch"
        },
        "package_release": {
            "type": "string",
            "description": "System package release"
        },
        "package_source_version": {
            "type": "string",
            "description": "System package source version"
        },
        "package_source_epoch": {
            "type": "integer",
            "description": "System package source epoch"
        },
        "package_source_release": {
            "type": "string",
            "description": "System package source release"
        },
        "hashes": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of cryptographic hashes of the file"
        },
        "hash_state": {
            "type": "string",
            "description": "State of the hashes or reason why they weren't computed"
        },
        "mount_path": {
            "type": "string",
            "description": "MountPath path of the mount"
        },
        "mount_source": {
            "type": "string",
            "description": "MountSource source of the mount"
        },
        "mount_origin": {
            "type": "string",
            "description": "MountOrigin origin of the mount"
        },
        "mount_visible": {
            "type": "boolean",
            "description": "MountVisible indicates whether the mount is visible"
        },
        "mount_detached": {
            "type": "boolean",
            "description": "MountDetached indicates whether the mount is detached"
        },
        "metadata": {
            "$ref": "#/$defs/FileMetadata"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "FileSerializer serializes a file to JSON"
}
```

| Field                    | Description                                             |
| ------------------------ | ------------------------------------------------------- |
| `path`                   | File path                                               |
| `name`                   | File basename                                           |
| `extension`              | File extension                                          |
| `path_resolution_error`  | Error message from path resolution                      |
| `inode`                  | File inode number                                       |
| `mode`                   | File mode                                               |
| `in_upper_layer`         | Indicator of file OverlayFS layer                       |
| `mount_id`               | File mount ID                                           |
| `filesystem`             | File filesystem name                                    |
| `uid`                    | File User ID                                            |
| `gid`                    | File Group ID                                           |
| `user`                   | File user                                               |
| `group`                  | File group                                              |
| `attribute_name`         | File extended attribute name                            |
| `attribute_namespace`    | File extended attribute namespace                       |
| `flags`                  | File flags                                              |
| `access_time`            | File access time                                        |
| `modification_time`      | File modified time                                      |
| `change_time`            | File change time                                        |
| `package_name`           | System package name                                     |
| `package_version`        | System package version                                  |
| `package_epoch`          | System package epoch                                    |
| `package_release`        | System package release                                  |
| `package_source_version` | System package source version                           |
| `package_source_epoch`   | System package source epoch                             |
| `package_source_release` | System package source release                           |
| `hashes`                 | List of cryptographic hashes of the file                |
| `hash_state`             | State of the hashes or reason why they weren't computed |
| `mount_path`             | MountPath path of the mount                             |
| `mount_source`           | MountSource source of the mount                         |
| `mount_origin`           | MountOrigin origin of the mount                         |
| `mount_visible`          | MountVisible indicates whether the mount is visible     |
| `mount_detached`         | MountDetached indicates whether the mount is detached   |

| References   |
| ------------ |
| FileMetadata |

## `FileEvent`{% #fileevent %}

```json
{
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "extension": {
            "type": "string",
            "description": "File extension"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Error message from path resolution"
        },
        "inode": {
            "type": "integer",
            "description": "File inode number"
        },
        "mode": {
            "type": "integer",
            "description": "File mode"
        },
        "in_upper_layer": {
            "type": "boolean",
            "description": "Indicator of file OverlayFS layer"
        },
        "mount_id": {
            "type": "integer",
            "description": "File mount ID"
        },
        "filesystem": {
            "type": "string",
            "description": "File filesystem name"
        },
        "uid": {
            "type": "integer",
            "description": "File User ID"
        },
        "gid": {
            "type": "integer",
            "description": "File Group ID"
        },
        "user": {
            "type": "string",
            "description": "File user"
        },
        "group": {
            "type": "string",
            "description": "File group"
        },
        "attribute_name": {
            "type": "string",
            "description": "File extended attribute name"
        },
        "attribute_namespace": {
            "type": "string",
            "description": "File extended attribute namespace"
        },
        "flags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "File flags"
        },
        "access_time": {
            "type": "string",
            "format": "date-time",
            "description": "File access time"
        },
        "modification_time": {
            "type": "string",
            "format": "date-time",
            "description": "File modified time"
        },
        "change_time": {
            "type": "string",
            "format": "date-time",
            "description": "File change time"
        },
        "package_name": {
            "type": "string",
            "description": "System package name"
        },
        "package_version": {
            "type": "string",
            "description": "System package version"
        },
        "package_epoch": {
            "type": "integer",
            "description": "System package epoch"
        },
        "package_release": {
            "type": "string",
            "description": "System package release"
        },
        "package_source_version": {
            "type": "string",
            "description": "System package source version"
        },
        "package_source_epoch": {
            "type": "integer",
            "description": "System package source epoch"
        },
        "package_source_release": {
            "type": "string",
            "description": "System package source release"
        },
        "hashes": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of cryptographic hashes of the file"
        },
        "hash_state": {
            "type": "string",
            "description": "State of the hashes or reason why they weren't computed"
        },
        "mount_path": {
            "type": "string",
            "description": "MountPath path of the mount"
        },
        "mount_source": {
            "type": "string",
            "description": "MountSource source of the mount"
        },
        "mount_origin": {
            "type": "string",
            "description": "MountOrigin origin of the mount"
        },
        "mount_visible": {
            "type": "boolean",
            "description": "MountVisible indicates whether the mount is visible"
        },
        "mount_detached": {
            "type": "boolean",
            "description": "MountDetached indicates whether the mount is detached"
        },
        "metadata": {
            "$ref": "#/$defs/FileMetadata"
        },
        "destination": {
            "$ref": "#/$defs/File",
            "description": "Target file information"
        },
        "new_mount_id": {
            "type": "integer",
            "description": "New Mount ID"
        },
        "device": {
            "type": "integer",
            "description": "Device associated with the file"
        },
        "fstype": {
            "type": "string",
            "description": "Filesystem type"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "FileEventSerializer serializes a file event to JSON"
}
```

| Field                    | Description                                             |
| ------------------------ | ------------------------------------------------------- |
| `path`                   | File path                                               |
| `name`                   | File basename                                           |
| `extension`              | File extension                                          |
| `path_resolution_error`  | Error message from path resolution                      |
| `inode`                  | File inode number                                       |
| `mode`                   | File mode                                               |
| `in_upper_layer`         | Indicator of file OverlayFS layer                       |
| `mount_id`               | File mount ID                                           |
| `filesystem`             | File filesystem name                                    |
| `uid`                    | File User ID                                            |
| `gid`                    | File Group ID                                           |
| `user`                   | File user                                               |
| `group`                  | File group                                              |
| `attribute_name`         | File extended attribute name                            |
| `attribute_namespace`    | File extended attribute namespace                       |
| `flags`                  | File flags                                              |
| `access_time`            | File access time                                        |
| `modification_time`      | File modified time                                      |
| `change_time`            | File change time                                        |
| `package_name`           | System package name                                     |
| `package_version`        | System package version                                  |
| `package_epoch`          | System package epoch                                    |
| `package_release`        | System package release                                  |
| `package_source_version` | System package source version                           |
| `package_source_epoch`   | System package source epoch                             |
| `package_source_release` | System package source release                           |
| `hashes`                 | List of cryptographic hashes of the file                |
| `hash_state`             | State of the hashes or reason why they weren't computed |
| `mount_path`             | MountPath path of the mount                             |
| `mount_source`           | MountSource source of the mount                         |
| `mount_origin`           | MountOrigin origin of the mount                         |
| `mount_visible`          | MountVisible indicates whether the mount is visible     |
| `mount_detached`         | MountDetached indicates whether the mount is detached   |
| `destination`            | Target file information                                 |
| `new_mount_id`           | New Mount ID                                            |
| `device`                 | Device associated with the file                         |
| `fstype`                 | Filesystem type                                         |

| References   |
| ------------ |
| FileMetadata |
| File         |

## `FileMetadata`{% #filemetadata %}

```json
{
    "properties": {
        "size": {
            "type": "integer"
        },
        "type": {
            "type": "string"
        },
        "is_executable": {
            "type": "boolean"
        },
        "architecture": {
            "type": "string"
        },
        "abi": {
            "type": "string"
        },
        "is_upx_packed": {
            "type": "boolean"
        },
        "compression": {
            "type": "string"
        },
        "is_garble_obfuscated": {
            "type": "boolean"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "FileMetadataSerializer serializes a file metadata"
}
```

## `Flow`{% #flow %}

```json
{
    "properties": {
        "l3_protocol": {
            "type": "string",
            "description": "l3_protocol is the layer 3 protocol name"
        },
        "l4_protocol": {
            "type": "string",
            "description": "l4_protocol is the layer 4 protocol name"
        },
        "source": {
            "$ref": "#/$defs/IPPort",
            "description": "source is the emitter of the network event"
        },
        "destination": {
            "$ref": "#/$defs/IPPort",
            "description": "destination is the receiver of the network event"
        },
        "ingress": {
            "$ref": "#/$defs/NetworkStats",
            "description": "ingress holds the network statistics for ingress traffic"
        },
        "egress": {
            "$ref": "#/$defs/NetworkStats",
            "description": "egress holds the network statistics for egress traffic"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "l3_protocol",
        "l4_protocol",
        "source",
        "destination"
    ],
    "description": "FlowSerializer defines a new flow serializer"
}
```

| Field         | Description                                              |
| ------------- | -------------------------------------------------------- |
| `l3_protocol` | l3_protocol is the layer 3 protocol name                 |
| `l4_protocol` | l4_protocol is the layer 4 protocol name                 |
| `source`      | source is the emitter of the network event               |
| `destination` | destination is the receiver of the network event         |
| `ingress`     | ingress holds the network statistics for ingress traffic |
| `egress`      | egress holds the network statistics for egress traffic   |

| References   |
| ------------ |
| IPPort       |
| NetworkStats |

## `IMDSEvent`{% #imdsevent %}

```json
{
    "properties": {
        "type": {
            "type": "string",
            "description": "type is the type of IMDS event"
        },
        "cloud_provider": {
            "type": "string",
            "description": "cloud_provider is the intended cloud provider of the IMDS event"
        },
        "url": {
            "type": "string",
            "description": "url is the url of the IMDS request"
        },
        "host": {
            "type": "string",
            "description": "host is the host of the HTTP protocol"
        },
        "user_agent": {
            "type": "string",
            "description": "user_agent is the user agent of the HTTP client"
        },
        "server": {
            "type": "string",
            "description": "server is the server header of a response"
        },
        "aws": {
            "$ref": "#/$defs/AWSIMDSEvent",
            "description": "AWS holds the AWS specific data parsed from the IMDS event"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "type",
        "cloud_provider"
    ],
    "description": "IMDSEventSerializer serializes an IMDS event to JSON"
}
```

| Field            | Description                                                     |
| ---------------- | --------------------------------------------------------------- |
| `type`           | type is the type of IMDS event                                  |
| `cloud_provider` | cloud_provider is the intended cloud provider of the IMDS event |
| `url`            | url is the url of the IMDS request                              |
| `host`           | host is the host of the HTTP protocol                           |
| `user_agent`     | user_agent is the user agent of the HTTP client                 |
| `server`         | server is the server header of a response                       |
| `aws`            | AWS holds the AWS specific data parsed from the IMDS event      |

| References   |
| ------------ |
| AWSIMDSEvent |

## `IPPort`{% #ipport %}

```json
{
    "properties": {
        "ip": {
            "type": "string",
            "description": "IP address"
        },
        "port": {
            "type": "integer",
            "description": "Port number"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "ip",
        "port"
    ],
    "description": "IPPortSerializer is used to serialize an IP and Port context to JSON"
}
```

| Field  | Description |
| ------ | ----------- |
| `ip`   | IP address  |
| `port` | Port number |

## `IPPortFamily`{% #ipportfamily %}

```json
{
    "properties": {
        "family": {
            "type": "string",
            "description": "Address family"
        },
        "ip": {
            "type": "string",
            "description": "IP address"
        },
        "port": {
            "type": "integer",
            "description": "Port number"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "family",
        "ip",
        "port"
    ],
    "description": "IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"
}
```

| Field    | Description    |
| -------- | -------------- |
| `family` | Address family |
| `ip`     | IP address     |
| `port`   | Port number    |

## `Layer`{% #layer %}

```json
{
    "properties": {
        "type": {
            "type": "string"
        },
        "Layer": {
            "$ref": "#/$defs/Layer"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "type",
        "Layer"
    ],
    "description": "LayerSerializer defines a layer serializer"
}
```

| References |
| ---------- |
| Layer      |

## `MMapEvent`{% #mmapevent %}

```json
{
    "properties": {
        "address": {
            "type": "string",
            "description": "memory segment address"
        },
        "offset": {
            "type": "integer",
            "description": "file offset"
        },
        "length": {
            "type": "integer",
            "description": "memory segment length"
        },
        "protection": {
            "type": "string",
            "description": "memory segment protection"
        },
        "flags": {
            "type": "string",
            "description": "memory segment flags"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "address",
        "offset",
        "length",
        "protection",
        "flags"
    ],
    "description": "MMapEventSerializer serializes a mmap event to JSON"
}
```

| Field        | Description               |
| ------------ | ------------------------- |
| `address`    | memory segment address    |
| `offset`     | file offset               |
| `length`     | memory segment length     |
| `protection` | memory segment protection |
| `flags`      | memory segment flags      |

## `MProtectEvent`{% #mprotectevent %}

```json
{
    "properties": {
        "vm_start": {
            "type": "string",
            "description": "memory segment start address"
        },
        "vm_end": {
            "type": "string",
            "description": "memory segment end address"
        },
        "vm_protection": {
            "type": "string",
            "description": "initial memory segment protection"
        },
        "req_protection": {
            "type": "string",
            "description": "new memory segment protection"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "vm_start",
        "vm_end",
        "vm_protection",
        "req_protection"
    ],
    "description": "MProtectEventSerializer serializes an mprotect event to JSON"
}
```

| Field            | Description                       |
| ---------------- | --------------------------------- |
| `vm_start`       | memory segment start address      |
| `vm_end`         | memory segment end address        |
| `vm_protection`  | initial memory segment protection |
| `req_protection` | new memory segment protection     |

## `MatchedRule`{% #matchedrule %}

```json
{
    "properties": {
        "id": {
            "type": "string",
            "description": "ID of the rule"
        },
        "version": {
            "type": "string",
            "description": "Version of the rule"
        },
        "tags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Tags of the rule"
        },
        "policy_name": {
            "type": "string",
            "description": "Name of the policy that introduced the rule"
        },
        "policy_version": {
            "type": "string",
            "description": "Version of the policy that introduced the rule"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "MatchedRuleSerializer serializes a rule"
}
```

| Field            | Description                                    |
| ---------------- | ---------------------------------------------- |
| `id`             | ID of the rule                                 |
| `version`        | Version of the rule                            |
| `tags`           | Tags of the rule                               |
| `policy_name`    | Name of the policy that introduced the rule    |
| `policy_version` | Version of the policy that introduced the rule |

## `MatchingSubExpr`{% #matchingsubexpr %}

```json
{
    "properties": {
        "offset": {
            "type": "integer"
        },
        "length": {
            "type": "integer"
        },
        "value": {
            "type": "string"
        },
        "field": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "offset",
        "length",
        "value"
    ],
    "description": "MatchingSubExpr serializes matching sub expression to JSON"
}
```

## `ModuleEvent`{% #moduleevent %}

```json
{
    "properties": {
        "name": {
            "type": "string",
            "description": "module name"
        },
        "loaded_from_memory": {
            "type": "boolean",
            "description": "indicates if a module was loaded from memory, as opposed to a file"
        },
        "argv": {
            "items": {
                "type": "string"
            },
            "type": "array"
        },
        "args_truncated": {
            "type": "boolean"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "name"
    ],
    "description": "ModuleEventSerializer serializes a module event to JSON"
}
```

| Field                | Description                                                        |
| -------------------- | ------------------------------------------------------------------ |
| `name`               | module name                                                        |
| `loaded_from_memory` | indicates if a module was loaded from memory, as opposed to a file |

## `MountEvent`{% #mountevent %}

```json
{
    "properties": {
        "mp": {
            "$ref": "#/$defs/File",
            "description": "Mount point file information"
        },
        "root": {
            "$ref": "#/$defs/File",
            "description": "Root file information"
        },
        "mount_id": {
            "type": "integer",
            "description": "Mount ID of the new mount"
        },
        "parent_mount_id": {
            "type": "integer",
            "description": "Mount ID of the parent mount"
        },
        "bind_src_mount_id": {
            "type": "integer",
            "description": "Mount ID of the source of a bind mount"
        },
        "device": {
            "type": "integer",
            "description": "Device associated with the file"
        },
        "fs_type": {
            "type": "string",
            "description": "Filesystem type"
        },
        "mountpoint.path": {
            "type": "string",
            "description": "Mount point path"
        },
        "source.path": {
            "type": "string",
            "description": "Mount source path"
        },
        "mountpoint.path_error": {
            "type": "string",
            "description": "Mount point path error"
        },
        "source.path_error": {
            "type": "string",
            "description": "Mount source path error"
        },
        "detached": {
            "type": "boolean",
            "description": "Mount is not attached to the VFS tree"
        },
        "visible": {
            "type": "boolean",
            "description": "Mount is not visible in the VFS tree"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "mount_id",
        "parent_mount_id",
        "bind_src_mount_id",
        "device"
    ],
    "description": "MountEventSerializer serializes a mount event to JSON"
}
```

| Field                   | Description                            |
| ----------------------- | -------------------------------------- |
| `mp`                    | Mount point file information           |
| `root`                  | Root file information                  |
| `mount_id`              | Mount ID of the new mount              |
| `parent_mount_id`       | Mount ID of the parent mount           |
| `bind_src_mount_id`     | Mount ID of the source of a bind mount |
| `device`                | Device associated with the file        |
| `fs_type`               | Filesystem type                        |
| `mountpoint.path`       | Mount point path                       |
| `source.path`           | Mount source path                      |
| `mountpoint.path_error` | Mount point path error                 |
| `source.path_error`     | Mount source path error                |
| `detached`              | Mount is not attached to the VFS tree  |
| `visible`               | Mount is not visible in the VFS tree   |

| References |
| ---------- |
| File       |

## `NetworkContext`{% #networkcontext %}

```json
{
    "properties": {
        "device": {
            "$ref": "#/$defs/NetworkDevice",
            "description": "device is the network device on which the event was captured"
        },
        "l3_protocol": {
            "type": "string",
            "description": "l3_protocol is the layer 3 protocol name"
        },
        "l4_protocol": {
            "type": "string",
            "description": "l4_protocol is the layer 4 protocol name"
        },
        "source": {
            "$ref": "#/$defs/IPPort",
            "description": "source is the emitter of the network event"
        },
        "destination": {
            "$ref": "#/$defs/IPPort",
            "description": "destination is the receiver of the network event"
        },
        "size": {
            "type": "integer",
            "description": "size is the size in bytes of the network event"
        },
        "network_direction": {
            "type": "string",
            "description": "network_direction indicates if the packet was captured on ingress or egress"
        },
        "type": {
            "type": "string",
            "description": "type is the type of the protocol of the network event"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "l3_protocol",
        "l4_protocol",
        "source",
        "destination",
        "size"
    ],
    "description": "NetworkContextSerializer serializes the network context to JSON"
}
```

| Field               | Description                                                                 |
| ------------------- | --------------------------------------------------------------------------- |
| `device`            | device is the network device on which the event was captured                |
| `l3_protocol`       | l3_protocol is the layer 3 protocol name                                    |
| `l4_protocol`       | l4_protocol is the layer 4 protocol name                                    |
| `source`            | source is the emitter of the network event                                  |
| `destination`       | destination is the receiver of the network event                            |
| `size`              | size is the size in bytes of the network event                              |
| `network_direction` | network_direction indicates if the packet was captured on ingress or egress |
| `type`              | type is the type of the protocol of the network event                       |

| References    |
| ------------- |
| NetworkDevice |
| IPPort        |

## `NetworkDevice`{% #networkdevice %}

```json
{
    "properties": {
        "netns": {
            "type": "integer",
            "description": "netns is the network namespace identifier of the interface"
        },
        "ifindex": {
            "type": "integer",
            "description": "ifindex is the network interface ifindex"
        },
        "ifname": {
            "type": "string",
            "description": "ifname is the network interface name"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "netns",
        "ifindex",
        "ifname"
    ],
    "description": "NetworkDeviceSerializer serializes the network device context to JSON"
}
```

| Field     | Description                                                |
| --------- | ---------------------------------------------------------- |
| `netns`   | netns is the network namespace identifier of the interface |
| `ifindex` | ifindex is the network interface ifindex                   |
| `ifname`  | ifname is the network interface name                       |

## `NetworkFlowMonitor`{% #networkflowmonitor %}

```json
{
    "properties": {
        "device": {
            "$ref": "#/$defs/NetworkDevice",
            "description": "device is the network device on which the event was captured"
        },
        "flows": {
            "items": {
                "$ref": "#/$defs/Flow"
            },
            "type": "array",
            "description": "flows is the list of flows with network statistics that were captured"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "NetworkFlowMonitorSerializer defines a network monitor event serializer"
}
```

| Field    | Description                                                           |
| -------- | --------------------------------------------------------------------- |
| `device` | device is the network device on which the event was captured          |
| `flows`  | flows is the list of flows with network statistics that were captured |

| References    |
| ------------- |
| NetworkDevice |

## `NetworkStats`{% #networkstats %}

```json
{
    "properties": {
        "data_size": {
            "type": "integer",
            "description": "data_size is the total count of bytes sent or received"
        },
        "packet_count": {
            "type": "integer",
            "description": "packet_count is the total count of packets sent or received"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "NetworkStatsSerializer defines a new network stats serializer"
}
```

| Field          | Description                                                 |
| -------------- | ----------------------------------------------------------- |
| `data_size`    | data_size is the total count of bytes sent or received      |
| `packet_count` | packet_count is the total count of packets sent or received |

## `PTraceEvent`{% #ptraceevent %}

```json
{
    "properties": {
        "request": {
            "type": "string",
            "description": "ptrace request"
        },
        "address": {
            "type": "string",
            "description": "address at which the ptrace request was executed"
        },
        "tracee": {
            "$ref": "#/$defs/ProcessContext",
            "description": "process context of the tracee"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "request",
        "address"
    ],
    "description": "PTraceEventSerializer serializes a ptrace event to JSON"
}
```

| Field     | Description                                      |
| --------- | ------------------------------------------------ |
| `request` | ptrace request                                   |
| `address` | address at which the ptrace request was executed |
| `tracee`  | process context of the tracee                    |

| References     |
| -------------- |
| ProcessContext |

## `PrCtlEvent`{% #prctlevent %}

```json
{
    "properties": {
        "option": {
            "type": "string",
            "description": "PrCtl Option"
        },
        "new_name": {
            "type": "string",
            "description": "New name of the process"
        },
        "is_name_truncated": {
            "type": "boolean",
            "description": "Name truncated"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "option"
    ],
    "description": "PrCtlEventSerializer serializes a prctl event"
}
```

| Field               | Description             |
| ------------------- | ----------------------- |
| `option`            | PrCtl Option            |
| `new_name`          | New name of the process |
| `is_name_truncated` | Name truncated          |

## `Process`{% #process %}

```json
{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "tid": {
            "type": "integer",
            "description": "Thread ID"
        },
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Description of an error in the path resolution"
        },
        "comm": {
            "type": "string",
            "description": "Command name"
        },
        "tty": {
            "type": "string",
            "description": "TTY associated with the process"
        },
        "fork_time": {
            "type": "string",
            "format": "date-time",
            "description": "Fork time of the process"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "credentials": {
            "$ref": "#/$defs/ProcessCredentials",
            "description": "Credentials associated with the process"
        },
        "caps_attempted": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "CapsAttempted lists the capabilities that this process tried to use"
        },
        "caps_used": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "CapsUsed lists the capabilities that this process effectively made use of"
        },
        "user_session": {
            "$ref": "#/$defs/UserSessionContext",
            "description": "Context of the user session for this event"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "interpreter": {
            "$ref": "#/$defs/File",
            "description": "File information of the interpreter"
        },
        "cgroup": {
            "$ref": "#/$defs/CGroupContext",
            "description": "CGroup context"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "argv0": {
            "type": "string",
            "description": "First command line argument"
        },
        "args": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Command line arguments"
        },
        "args_truncated": {
            "type": "boolean",
            "description": "Indicator of arguments truncation"
        },
        "envs": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Environment variables of the process"
        },
        "envs_truncated": {
            "type": "boolean",
            "description": "Indicator of environment variables truncation"
        },
        "is_thread": {
            "type": "boolean",
            "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
        },
        "is_kworker": {
            "type": "boolean",
            "description": "Indicates whether the process is a kworker"
        },
        "is_exec_child": {
            "type": "boolean",
            "description": "Indicates whether the process is an exec following another exec"
        },
        "source": {
            "type": "string",
            "description": "Process source"
        },
        "syscalls": {
            "$ref": "#/$defs/SyscallsEvent",
            "description": "List of syscalls captured to generate the event"
        },
        "aws_security_credentials": {
            "items": {
                "$ref": "#/$defs/AWSSecurityCredentials"
            },
            "type": "array",
            "description": "List of AWS Security Credentials that the process had access to"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "ProcessSerializer serializes a process to JSON"
}
```

| Field                      | Description                                                                                                          |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| `pid`                      | Process ID                                                                                                           |
| `ppid`                     | Parent Process ID                                                                                                    |
| `tid`                      | Thread ID                                                                                                            |
| `uid`                      | User ID                                                                                                              |
| `gid`                      | Group ID                                                                                                             |
| `user`                     | User name                                                                                                            |
| `group`                    | Group name                                                                                                           |
| `path_resolution_error`    | Description of an error in the path resolution                                                                       |
| `comm`                     | Command name                                                                                                         |
| `tty`                      | TTY associated with the process                                                                                      |
| `fork_time`                | Fork time of the process                                                                                             |
| `exec_time`                | Exec time of the process                                                                                             |
| `exit_time`                | Exit time of the process                                                                                             |
| `credentials`              | Credentials associated with the process                                                                              |
| `caps_attempted`           | CapsAttempted lists the capabilities that this process tried to use                                                  |
| `caps_used`                | CapsUsed lists the capabilities that this process effectively made use of                                            |
| `user_session`             | Context of the user session for this event                                                                           |
| `executable`               | File information of the executable                                                                                   |
| `interpreter`              | File information of the interpreter                                                                                  |
| `cgroup`                   | CGroup context                                                                                                       |
| `container`                | Container context                                                                                                    |
| `argv0`                    | First command line argument                                                                                          |
| `args`                     | Command line arguments                                                                                               |
| `args_truncated`           | Indicator of arguments truncation                                                                                    |
| `envs`                     | Environment variables of the process                                                                                 |
| `envs_truncated`           | Indicator of environment variables truncation                                                                        |
| `is_thread`                | Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program) |
| `is_kworker`               | Indicates whether the process is a kworker                                                                           |
| `is_exec_child`            | Indicates whether the process is an exec following another exec                                                      |
| `source`                   | Process source                                                                                                       |
| `syscalls`                 | List of syscalls captured to generate the event                                                                      |
| `aws_security_credentials` | List of AWS Security Credentials that the process had access to                                                      |

| References         |
| ------------------ |
| ProcessCredentials |
| UserSessionContext |
| File               |
| CGroupContext      |
| ContainerContext   |
| SyscallsEvent      |

## `ProcessContext`{% #processcontext %}

```json
{
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "tid": {
            "type": "integer",
            "description": "Thread ID"
        },
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Description of an error in the path resolution"
        },
        "comm": {
            "type": "string",
            "description": "Command name"
        },
        "tty": {
            "type": "string",
            "description": "TTY associated with the process"
        },
        "fork_time": {
            "type": "string",
            "format": "date-time",
            "description": "Fork time of the process"
        },
        "exec_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exec time of the process"
        },
        "exit_time": {
            "type": "string",
            "format": "date-time",
            "description": "Exit time of the process"
        },
        "credentials": {
            "$ref": "#/$defs/ProcessCredentials",
            "description": "Credentials associated with the process"
        },
        "caps_attempted": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "CapsAttempted lists the capabilities that this process tried to use"
        },
        "caps_used": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "CapsUsed lists the capabilities that this process effectively made use of"
        },
        "user_session": {
            "$ref": "#/$defs/UserSessionContext",
            "description": "Context of the user session for this event"
        },
        "executable": {
            "$ref": "#/$defs/File",
            "description": "File information of the executable"
        },
        "interpreter": {
            "$ref": "#/$defs/File",
            "description": "File information of the interpreter"
        },
        "cgroup": {
            "$ref": "#/$defs/CGroupContext",
            "description": "CGroup context"
        },
        "container": {
            "$ref": "#/$defs/ContainerContext",
            "description": "Container context"
        },
        "argv0": {
            "type": "string",
            "description": "First command line argument"
        },
        "args": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Command line arguments"
        },
        "args_truncated": {
            "type": "boolean",
            "description": "Indicator of arguments truncation"
        },
        "envs": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Environment variables of the process"
        },
        "envs_truncated": {
            "type": "boolean",
            "description": "Indicator of environments variable truncation"
        },
        "is_thread": {
            "type": "boolean",
            "description": "Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"
        },
        "is_kworker": {
            "type": "boolean",
            "description": "Indicates whether the process is a kworker"
        },
        "is_exec_child": {
            "type": "boolean",
            "description": "Indicates whether the process is an exec following another exec"
        },
        "source": {
            "type": "string",
            "description": "Process source"
        },
        "syscalls": {
            "$ref": "#/$defs/SyscallsEvent",
            "description": "List of syscalls captured to generate the event"
        },
        "aws_security_credentials": {
            "items": {
                "$ref": "#/$defs/AWSSecurityCredentials"
            },
            "type": "array",
            "description": "List of AWS Security Credentials that the process had access to"
        },
        "parent": {
            "$ref": "#/$defs/Process",
            "description": "Parent process"
        },
        "ancestors": {
            "items": {
                "$ref": "#/$defs/Process"
            },
            "type": "array",
            "description": "Ancestor processes"
        },
        "variables": {
            "$ref": "#/$defs/Variables",
            "description": "Variables values"
        },
        "truncated_ancestors": {
            "type": "boolean",
            "description": "True if the ancestors list was truncated because it was too big"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid"
    ],
    "description": "ProcessContextSerializer serializes a process context to JSON"
}
```

| Field                      | Description                                                                                                          |
| -------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| `pid`                      | Process ID                                                                                                           |
| `ppid`                     | Parent Process ID                                                                                                    |
| `tid`                      | Thread ID                                                                                                            |
| `uid`                      | User ID                                                                                                              |
| `gid`                      | Group ID                                                                                                             |
| `user`                     | User name                                                                                                            |
| `group`                    | Group name                                                                                                           |
| `path_resolution_error`    | Description of an error in the path resolution                                                                       |
| `comm`                     | Command name                                                                                                         |
| `tty`                      | TTY associated with the process                                                                                      |
| `fork_time`                | Fork time of the process                                                                                             |
| `exec_time`                | Exec time of the process                                                                                             |
| `exit_time`                | Exit time of the process                                                                                             |
| `credentials`              | Credentials associated with the process                                                                              |
| `caps_attempted`           | CapsAttempted lists the capabilities that this process tried to use                                                  |
| `caps_used`                | CapsUsed lists the capabilities that this process actually made use of                                               |
| `user_session`             | Context of the user session for this event                                                                           |
| `executable`               | File information of the executable                                                                                   |
| `interpreter`              | File information of the interpreter                                                                                  |
| `cgroup`                   | CGroup context                                                                                                       |
| `container`                | Container context                                                                                                    |
| `argv0`                    | First command line argument                                                                                          |
| `args`                     | Command line arguments                                                                                               |
| `args_truncated`           | Indicator of arguments truncation                                                                                    |
| `envs`                     | Environment variables of the process                                                                                 |
| `envs_truncated`           | Indicator of environment variables truncation                                                                        |
| `is_thread`                | Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program) |
| `is_kworker`               | Indicates whether the process is a kworker                                                                           |
| `is_exec_child`            | Indicates whether the process is an exec following another exec                                                      |
| `source`                   | Process source                                                                                                       |
| `syscalls`                 | List of syscalls captured to generate the event                                                                      |
| `aws_security_credentials` | List of AWS Security Credentials that the process had access to                                                      |
| `parent`                   | Parent process                                                                                                       |
| `ancestors`                | Ancestor processes                                                                                                   |
| `variables`                | Variables values                                                                                                     |
| `truncated_ancestors`      | True if the ancestors list was truncated because it was too big                                                      |

| References         |
| ------------------ |
| ProcessCredentials |
| UserSessionContext |
| File               |
| CGroupContext      |
| ContainerContext   |
| SyscallsEvent      |
| Process            |
| Variables          |

## `ProcessCredentials`{% #processcredentials %}

```json
{
    "properties": {
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "euid": {
            "type": "integer",
            "description": "Effective User ID"
        },
        "euser": {
            "type": "string",
            "description": "Effective User name"
        },
        "egid": {
            "type": "integer",
            "description": "Effective Group ID"
        },
        "egroup": {
            "type": "string",
            "description": "Effective Group name"
        },
        "fsuid": {
            "type": "integer",
            "description": "Filesystem User ID"
        },
        "fsuser": {
            "type": "string",
            "description": "Filesystem User name"
        },
        "fsgid": {
            "type": "integer",
            "description": "Filesystem Group ID"
        },
        "fsgroup": {
            "type": "string",
            "description": "Filesystem Group name"
        },
        "auid": {
            "type": "integer",
            "description": "Login UID"
        },
        "cap_effective": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Effective Capability set"
        },
        "cap_permitted": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Permitted Capability set"
        },
        "destination": {
            "description": "Credentials after the operation"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "uid",
        "gid",
        "euid",
        "egid",
        "fsuid",
        "fsgid",
        "auid",
        "cap_effective",
        "cap_permitted"
    ],
    "description": "ProcessCredentialsSerializer serializes the process credentials to JSON"
}
```

| Field           | Description                     |
| --------------- | ------------------------------- |
| `uid`           | User ID                         |
| `user`          | User name                       |
| `gid`           | Group ID                        |
| `group`         | Group name                      |
| `euid`          | Effective User ID               |
| `euser`         | Effective User name             |
| `egid`          | Effective Group ID              |
| `egroup`        | Effective Group name            |
| `fsuid`         | Filesystem User ID              |
| `fsuser`        | Filesystem User name            |
| `fsgid`         | Filesystem Group ID             |
| `fsgroup`       | Filesystem Group name           |
| `auid`          | Login UID                       |
| `cap_effective` | Effective Capability set        |
| `cap_permitted` | Permitted Capability set        |
| `destination`   | Credentials after the operation |

## `RawPacket`{% #rawpacket %}

```json
{
    "properties": {
        "device": {
            "$ref": "#/$defs/NetworkDevice",
            "description": "device is the network device on which the event was captured"
        },
        "l3_protocol": {
            "type": "string",
            "description": "l3_protocol is the layer 3 protocol name"
        },
        "l4_protocol": {
            "type": "string",
            "description": "l4_protocol is the layer 4 protocol name"
        },
        "source": {
            "$ref": "#/$defs/IPPort",
            "description": "source is the emitter of the network event"
        },
        "destination": {
            "$ref": "#/$defs/IPPort",
            "description": "destination is the receiver of the network event"
        },
        "size": {
            "type": "integer",
            "description": "size is the size in bytes of the network event"
        },
        "network_direction": {
            "type": "string",
            "description": "network_direction indicates if the packet was captured on ingress or egress"
        },
        "type": {
            "type": "string",
            "description": "type is the type of the protocol of the network event"
        },
        "tls": {
            "$ref": "#/$defs/TLSContext"
        },
        "dropped": {
            "type": "boolean"
        },
        "layers": {
            "items": {
                "$ref": "#/$defs/Layer"
            },
            "type": "array"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "l3_protocol",
        "l4_protocol",
        "source",
        "destination",
        "size"
    ],
    "description": "RawPacketSerializer defines a raw packet serializer"
}
```

| Field               | Description                                                                 |
| ------------------- | --------------------------------------------------------------------------- |
| `device`            | device is the network device on which the event was captured                |
| `l3_protocol`       | l3_protocol is the layer 3 protocol name                                    |
| `l4_protocol`       | l4_protocol is the layer 4 protocol name                                    |
| `source`            | source is the emitter of the network event                                  |
| `destination`       | destination is the receiver of the network event                            |
| `size`              | size is the size in bytes of the network event                              |
| `network_direction` | network_direction indicates if the packet was captured on ingress or egress |
| `type`              | type is the type of the protocol of the network event                       |

| References    |
| ------------- |
| NetworkDevice |
| IPPort        |
| TLSContext    |

## `RuleContext`{% #rulecontext %}

```json
{
    "properties": {
        "matching_subexprs": {
            "items": {
                "$ref": "#/$defs/MatchingSubExpr"
            },
            "type": "array"
        },
        "expression": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "RuleContext serializes rule context to JSON"
}
```

## `SELinuxBoolChange`{% #selinuxboolchange %}

```json
{
    "properties": {
        "name": {
            "type": "string",
            "description": "SELinux boolean name"
        },
        "state": {
            "type": "string",
            "description": "SELinux boolean state ('on' or 'off')"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"
}
```

| Field   | Description                           |
| ------- | ------------------------------------- |
| `name`  | SELinux boolean name                  |
| `state` | SELinux boolean state ('on' or 'off') |

## `SELinuxBoolCommit`{% #selinuxboolcommit %}

```json
{
    "properties": {
        "state": {
            "type": "boolean",
            "description": "SELinux boolean commit operation"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"
}
```

| Field   | Description                      |
| ------- | -------------------------------- |
| `state` | SELinux boolean commit operation |

## `SELinuxEnforceStatus`{% #selinuxenforcestatus %}

```json
{
    "properties": {
        "status": {
            "type": "string",
            "description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"
}
```

| Field    | Description                                                                 |
| -------- | --------------------------------------------------------------------------- |
| `status` | SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled') |

## `SELinuxEvent`{% #selinuxevent %}

```json
{
    "properties": {
        "bool": {
            "$ref": "#/$defs/SELinuxBoolChange",
            "description": "SELinux boolean operation"
        },
        "enforce": {
            "$ref": "#/$defs/SELinuxEnforceStatus",
            "description": "SELinux enforcement change"
        },
        "bool_commit": {
            "$ref": "#/$defs/SELinuxBoolCommit",
            "description": "SELinux boolean commit"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SELinuxEventSerializer serializes a SELinux context to JSON"
}
```

| Field         | Description                |
| ------------- | -------------------------- |
| `bool`        | SELinux boolean operation  |
| `enforce`     | SELinux enforcement change |
| `bool_commit` | SELinux boolean commit     |

| References           |
| -------------------- |
| SELinuxBoolChange    |
| SELinuxEnforceStatus |
| SELinuxBoolCommit    |

## `SecurityProfileContext`{% #securityprofilecontext %}

```json
{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the security profile"
        },
        "version": {
            "type": "string",
            "description": "Version of the profile in use"
        },
        "tags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of tags associated to this profile"
        },
        "event_in_profile": {
            "type": "boolean",
            "description": "True if the corresponding event is part of this profile"
        },
        "event_type_state": {
            "type": "string",
            "description": "State of the event type in this profile"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "name",
        "version",
        "tags",
        "event_in_profile",
        "event_type_state"
    ],
    "description": "SecurityProfileContextSerializer serializes the security profile context in an event"
}
```

| Field              | Description                                             |
| ------------------ | ------------------------------------------------------- |
| `name`             | Name of the security profile                            |
| `version`          | Version of the profile in use                           |
| `tags`             | List of tags associated with this profile               |
| `event_in_profile` | True if the corresponding event is part of this profile |
| `event_type_state` | State of the event type in this profile                 |

## `SetSockOptEvent`{% #setsockoptevent %}

```json
{
    "properties": {
        "socket_type": {
            "type": "string",
            "description": "Socket file descriptor"
        },
        "socket_family": {
            "type": "string",
            "description": "Socket family"
        },
        "filter_len": {
            "type": "integer",
            "description": "Length of the filter"
        },
        "socket_protocol": {
            "type": "string",
            "description": "Socket protocol"
        },
        "level": {
            "type": "string",
            "description": "Level at which the option is defined"
        },
        "optname": {
            "type": "string",
            "description": "Name of the option being set"
        },
        "is_filter_truncated": {
            "type": "boolean",
            "description": "Filter truncated"
        },
        "filter": {
            "type": "string",
            "description": "Filter instructions"
        },
        "filter_hash": {
            "type": "string",
            "description": "Filter hash"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "socket_type",
        "socket_family",
        "socket_protocol",
        "level",
        "optname"
    ],
    "description": "SetSockOptEventSerializer defines a setsockopt event serializer"
}
```

| Field                 | Description                          |
| --------------------- | ------------------------------------ |
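| `socket_type`         | Socket file descriptor (as described in the schema; the field is a string named `socket_type`, so it presumably carries the socket type rather than a descriptor number; confirm against emitted events before matching on it) |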
| `socket_family`       | Socket family                        |
| `filter_len`          | Length of the filter                 |
| `socket_protocol`     | Socket protocol                      |
| `level`               | Level at which the option is defined |
| `optname`             | Name of the option being set         |
| `is_filter_truncated` | Filter truncated                     |
| `filter`              | Filter instructions                  |
| `filter_hash`         | Filter hash                          |

## `SetrlimitEvent`{% #setrlimitevent %}

```json
{
    "properties": {
        "resource": {
            "type": "string",
            "description": "Resource being limited"
        },
        "rlim_cur": {
            "type": "integer",
            "description": "Current limit"
        },
        "rlim_max": {
            "type": "integer",
            "description": "Maximum limit"
        },
        "target": {
            "$ref": "#/$defs/ProcessContext",
            "description": "process context of the setrlimit target"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "resource",
        "rlim_cur",
        "rlim_max"
    ],
    "description": "SetrlimitEventSerializer serializes a setrlimit event"
}
```

| Field      | Description                             |
| ---------- | --------------------------------------- |
| `resource` | Resource being limited                  |
| `rlim_cur` | Current limit                           |
| `rlim_max` | Maximum limit                           |
| `target`   | process context of the setrlimit target |

| References     |
| -------------- |
| ProcessContext |

## `SignalEvent`{% #signalevent %}

```json
{
    "properties": {
        "type": {
            "type": "string",
            "description": "signal type"
        },
        "pid": {
            "type": "integer",
            "description": "signal target pid"
        },
        "target": {
            "$ref": "#/$defs/ProcessContext",
            "description": "process context of the signal target"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "type",
        "pid"
    ],
    "description": "SignalEventSerializer serializes a signal event to JSON"
}
```

| Field    | Description                          |
| -------- | ------------------------------------ |
| `type`   | signal type                          |
| `pid`    | signal target pid                    |
| `target` | process context of the signal target |

| References     |
| -------------- |
| ProcessContext |

## `SpliceEvent`{% #spliceevent %}

```json
{
    "properties": {
        "pipe_entry_flag": {
            "type": "string",
            "description": "Entry flag of the fd_out pipe passed to the splice syscall"
        },
        "pipe_exit_flag": {
            "type": "string",
            "description": "Exit flag of the fd_out pipe passed to the splice syscall"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "pipe_entry_flag",
        "pipe_exit_flag"
    ],
    "description": "SpliceEventSerializer serializes a splice event to JSON"
}
```

| Field             | Description                                                |
| ----------------- | ---------------------------------------------------------- |
| `pipe_entry_flag` | Entry flag of the fd_out pipe passed to the splice syscall |
| `pipe_exit_flag`  | Exit flag of the fd_out pipe passed to the splice syscall  |

## `SysCtlEvent`{% #sysctlevent %}

```json
{
    "properties": {
        "proc": {
            "type": "object",
            "description": "Proc contains the /proc system control parameters and their values"
        },
        "action": {
            "type": "string",
            "description": "action performed on the system control parameter"
        },
        "file_position": {
            "type": "integer",
            "description": "file_position is the position in the sysctl control parameter file at which the action occurred"
        },
        "name": {
            "type": "string",
            "description": "name is the name of the system control parameter"
        },
        "name_truncated": {
            "type": "boolean",
            "description": "name_truncated indicates if the name field is truncated"
        },
        "value": {
            "type": "string",
            "description": "value is the new and/or current value for the system control parameter depending on the action type"
        },
        "value_truncated": {
            "type": "boolean",
            "description": "value_truncated indicates if the value field is truncated"
        },
        "old_value": {
            "type": "string",
            "description": "old_value is the old value of the system control parameter"
        },
        "old_value_truncated": {
            "type": "boolean",
            "description": "old_value_truncated indicates if the old_value field is truncated"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SysCtlEventSerializer defines a sysctl event serializer"
}
```

| Field                 | Description                                                                                         |
| --------------------- | --------------------------------------------------------------------------------------------------- |
| `proc`                | Proc contains the /proc system control parameters and their values                                  |
| `action`              | action performed on the system control parameter                                                    |
| `file_position`       | file_position is the position in the sysctl control parameter file at which the action occurred     |
| `name`                | name is the name of the system control parameter                                                    |
| `name_truncated`      | name_truncated indicates if the name field is truncated                                             |
| `value`               | value is the new and/or current value for the system control parameter depending on the action type |
| `value_truncated`     | value_truncated indicates if the value field is truncated                                           |
| `old_value`           | old_value is the old value of the system control parameter                                          |
| `old_value_truncated` | old_value_truncated indicates if the old_value field is truncated                                   |

## `Syscall`{% #syscall %}

```json
{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the syscall"
        },
        "id": {
            "type": "integer",
            "description": "ID of the syscall in the host architecture"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "required": [
        "name",
        "id"
    ],
    "description": "SyscallSerializer serializes a syscall"
}
```

| Field  | Description                                |
| ------ | ------------------------------------------ |
| `name` | Name of the syscall                        |
| `id`   | ID of the syscall in the host architecture |

## `SyscallArgs`{% #syscallargs %}

```json
{
    "properties": {
        "path": {
            "type": "string",
            "description": "Path argument"
        },
        "flags": {
            "type": "integer",
            "description": "Flags argument"
        },
        "mode": {
            "type": "integer",
            "description": "Mode argument"
        },
        "uid": {
            "type": "integer",
            "description": "UID argument"
        },
        "gid": {
            "type": "integer",
            "description": "GID argument"
        },
        "dirfd": {
            "type": "integer",
            "description": "Directory file descriptor argument"
        },
        "destination_path": {
            "type": "string",
            "description": "Destination path argument"
        },
        "fs_type": {
            "type": "string",
            "description": "File system type argument"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SyscallArgsSerializer args serializer"
}
```

| Field              | Description                        |
| ------------------ | ---------------------------------- |
| `path`             | Path argument                      |
| `flags`            | Flags argument                     |
| `mode`             | Mode argument                      |
| `uid`              | UID argument                       |
| `gid`              | GID argument                       |
| `dirfd`            | Directory file descriptor argument |
| `destination_path` | Destination path argument          |
| `fs_type`          | File system type argument          |

## `SyscallContext`{% #syscallcontext %}

```json
{
    "properties": {
        "chmod": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "chown": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "chdir": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "exec": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "open": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "unlink": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "link": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "rename": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "utimes": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "mount": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "mkdir": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "rmdir": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "setsockopt": {
            "$ref": "#/$defs/SyscallArgs"
        },
        "prctl": {
            "$ref": "#/$defs/SyscallArgs"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "SyscallContextSerializer serializes syscall context"
}
```

| References  |
| ----------- |
| SyscallArgs |

## `SyscallsEvent`{% #syscallsevent %}

```json
{
    "items": {
        "$ref": "#/$defs/Syscall"
    },
    "type": "array",
    "description": "SyscallsEventSerializer serializes the syscalls from a syscalls event"
}
```

## `TLSContext`{% #tlscontext %}

```json
{
    "properties": {
        "version": {
            "type": "string"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "TLSContextSerializer defines a tls context serializer"
}
```

## `UserContext`{% #usercontext %}

```json
{
    "properties": {
        "id": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "UserContextSerializer serializes a user context to JSON"
}
```

| Field   | Description |
| ------- | ----------- |
| `id`    | User name   |
| `group` | Group name  |

## `UserSessionContext`{% #usersessioncontext %}

```json
{
    "properties": {
        "session_type": {
            "type": "string",
            "description": "Type of the user session"
        },
        "id": {
            "type": "string",
            "description": "Unique identifier of the user session on the host"
        },
        "identity": {
            "type": "string",
            "description": "Identity of the user session"
        },
        "k8s_session_id": {
            "type": "string",
            "description": "Unique identifier of the user session on the host"
        },
        "k8s_username": {
            "type": "string",
            "description": "Username of the Kubernetes \"kubectl exec\" session"
        },
        "k8s_uid": {
            "type": "string",
            "description": "UID of the Kubernetes \"kubectl exec\" session"
        },
        "k8s_groups": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Groups of the Kubernetes \"kubectl exec\" session"
        },
        "k8s_extra": {
            "additionalProperties": {
                "items": {
                    "type": "string"
                },
                "type": "array"
            },
            "type": "object",
            "description": "Extra of the Kubernetes \"kubectl exec\" session"
        },
        "ssh_session_id": {
            "type": "string",
            "description": "Unique identifier of the SSH session"
        },
        "ssh_client_port": {
            "type": "integer",
            "description": "Port of the SSH session"
        },
        "ssh_client_ip": {
            "type": "string",
            "description": "Client IP of the SSH session"
        },
        "ssh_auth_method": {
            "type": "string",
            "description": "Authentication method of the SSH session"
        },
        "ssh_public_key": {
            "type": "string",
            "description": "Public key of the SSH session"
        }
    },
    "additionalProperties": false,
    "type": "object",
    "description": "UserSessionContextSerializer serializes the user session context to JSON"
}
```

| Field             | Description                                       |
| ----------------- | ------------------------------------------------- |
| `session_type`    | Type of the user session                          |
| `id`              | Unique identifier of the user session on the host |
| `identity`        | Identity of the user session                      |
| `k8s_session_id`  | Unique identifier of the user session on the host |
| `k8s_username`    | Username of the Kubernetes "kubectl exec" session |
| `k8s_uid`         | UID of the Kubernetes "kubectl exec" session      |
| `k8s_groups`      | Groups of the Kubernetes "kubectl exec" session   |
| `k8s_extra`       | Extra attributes of the Kubernetes "kubectl exec" session |
| `ssh_session_id`  | Unique identifier of the SSH session              |
| `ssh_client_port` | Client port of the SSH session                    |
| `ssh_client_ip`   | Client IP of the SSH session                      |
| `ssh_auth_method` | Authentication method of the SSH session          |
| `ssh_public_key`  | Public key of the SSH session                     |

## `Variables`{% #variables %}

```json
{
    "type": "object",
    "description": "Variables serializes the variable values"
}
```
