
Cloud Workload Security (CWS) Events

When activity matches a Cloud Workload Security (CWS) Agent expression, a CWS log will be collected from the system containing all the relevant context about the activity.

This log is sent to Datadog, where it is analyzed. Based on that analysis, CWS logs can trigger Security Signals, or they can be stored as logs for audit and threat-investigation purposes.

CWS logs have the following JSON schema:

BACKEND_EVENT_JSON_SCHEMA

{
    "properties": {
        "evt": {
            "$ref": "#/definitions/EventContext"
        },
        "file": {
            "$ref": "#/definitions/FileEvent"
        },
        "selinux": {
            "$ref": "#/definitions/SELinuxEvent"
        },
        "bpf": {
            "$ref": "#/definitions/BPFEvent"
        },
        "usr": {
            "$ref": "#/definitions/UserContext"
        },
        "process": {
            "$ref": "#/definitions/ProcessContext"
        },
        "dd": {
            "$ref": "#/definitions/DDContext"
        },
        "container": {
            "$ref": "#/definitions/ContainerContext"
        },
        "date": {
            "type": "string",
            "format": "date-time"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Parameter | Type | Description |
| --- | --- | --- |
| evt | $ref | Please see EventContext |
| file | $ref | Please see FileEvent |
| selinux | $ref | Please see SELinuxEvent |
| bpf | $ref | Please see BPFEvent |
| usr | $ref | Please see UserContext |
| process | $ref | Please see ProcessContext |
| dd | $ref | Please see DDContext |
| container | $ref | Please see ContainerContext |
| date | string | (no description; `format: date-time`) |

BPFEvent

{
    "required": [
        "cmd"
    ],
    "properties": {
        "cmd": {
            "type": "string",
            "description": "BPF command"
        },
        "map": {
            "$ref": "#/definitions/BPFMap",
            "description": "BPF map"
        },
        "program": {
            "$ref": "#/definitions/BPFProgram",
            "description": "BPF program"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| cmd | BPF command |
| map | BPF map |
| program | BPF program |
References
BPFMap
BPFProgram

BPFMap

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the BPF map"
        },
        "map_type": {
            "type": "string",
            "description": "Type of the BPF map"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| name | Name of the BPF map |
| map_type | Type of the BPF map |

BPFProgram

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Name of the BPF program"
        },
        "program_type": {
            "type": "string",
            "description": "Type of the BPF program"
        },
        "attach_type": {
            "type": "string",
            "description": "Attach type of the BPF program"
        },
        "helpers": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "List of helpers used by the BPF program"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| name | Name of the BPF program |
| program_type | Type of the BPF program |
| attach_type | Attach type of the BPF program |
| helpers | List of helpers used by the BPF program |

ContainerContext

{
    "properties": {
        "id": {
            "type": "string",
            "description": "Container ID"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| id | Container ID |

DDContext

{
    "properties": {
        "span_id": {
            "type": "integer",
            "description": "Span ID used for APM correlation"
        },
        "trace_id": {
            "type": "integer",
            "description": "Trace ID used for APM correlation"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| span_id | Span ID used for APM correlation |
| trace_id | Trace ID used for APM correlation |

EventContext

{
    "properties": {
        "name": {
            "type": "string",
            "description": "Event name"
        },
        "category": {
            "type": "string",
            "description": "Event category"
        },
        "outcome": {
            "type": "string",
            "description": "Event outcome"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| name | Event name |
| category | Event category |
| outcome | Event outcome |

File

{
    "required": [
        "uid",
        "gid"
    ],
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Error message from path resolution"
        },
        "inode": {
            "type": "integer",
            "description": "File inode number"
        },
        "mode": {
            "type": "integer",
            "description": "File mode"
        },
        "in_upper_layer": {
            "type": "boolean",
            "description": "Indicator of file OverlayFS layer"
        },
        "mount_id": {
            "type": "integer",
            "description": "File mount ID"
        },
        "filesystem": {
            "type": "string",
            "description": "File filesystem name"
        },
        "uid": {
            "type": "integer",
            "description": "File User ID"
        },
        "gid": {
            "type": "integer",
            "description": "File Group ID"
        },
        "user": {
            "type": "string",
            "description": "File user"
        },
        "group": {
            "type": "string",
            "description": "File group"
        },
        "attribute_name": {
            "type": "string",
            "description": "File extended attribute name"
        },
        "attribute_namespace": {
            "type": "string",
            "description": "File extended attribute namespace"
        },
        "flags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "File flags"
        },
        "access_time": {
            "type": "string",
            "format": "date-time"
        },
        "modification_time": {
            "type": "string",
            "description": "File modified time",
            "format": "date-time"
        },
        "change_time": {
            "type": "string",
            "description": "File change time",
            "format": "date-time"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| path | File path |
| name | File basename |
| path_resolution_error | Error message from path resolution |
| inode | File inode number |
| mode | File mode |
| in_upper_layer | Indicator of file OverlayFS layer |
| mount_id | File mount ID |
| filesystem | File filesystem name |
| uid | File User ID |
| gid | File Group ID |
| user | File user |
| group | File group |
| attribute_name | File extended attribute name |
| attribute_namespace | File extended attribute namespace |
| flags | File flags |
| access_time | (no description; `format: date-time`) |
| modification_time | File modified time |
| change_time | File change time |

FileEvent

{
    "required": [
        "uid",
        "gid"
    ],
    "properties": {
        "path": {
            "type": "string",
            "description": "File path"
        },
        "name": {
            "type": "string",
            "description": "File basename"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Error message from path resolution"
        },
        "inode": {
            "type": "integer",
            "description": "File inode number"
        },
        "mode": {
            "type": "integer",
            "description": "File mode"
        },
        "in_upper_layer": {
            "type": "boolean",
            "description": "Indicator of file OverlayFS layer"
        },
        "mount_id": {
            "type": "integer",
            "description": "File mount ID"
        },
        "filesystem": {
            "type": "string",
            "description": "File filesystem name"
        },
        "uid": {
            "type": "integer",
            "description": "File User ID"
        },
        "gid": {
            "type": "integer",
            "description": "File Group ID"
        },
        "user": {
            "type": "string",
            "description": "File user"
        },
        "group": {
            "type": "string",
            "description": "File group"
        },
        "attribute_name": {
            "type": "string",
            "description": "File extended attribute name"
        },
        "attribute_namespace": {
            "type": "string",
            "description": "File extended attribute namespace"
        },
        "flags": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "File flags"
        },
        "access_time": {
            "type": "string",
            "format": "date-time"
        },
        "modification_time": {
            "type": "string",
            "description": "File modified time",
            "format": "date-time"
        },
        "change_time": {
            "type": "string",
            "description": "File change time",
            "format": "date-time"
        },
        "destination": {
            "$ref": "#/definitions/File",
            "description": "Target file information"
        },
        "new_mount_id": {
            "type": "integer",
            "description": "New Mount ID"
        },
        "group_id": {
            "type": "integer",
            "description": "Group ID"
        },
        "device": {
            "type": "integer",
            "description": "Device associated with the file"
        },
        "fstype": {
            "type": "string",
            "description": "Filesystem type"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| path | File path |
| name | File basename |
| path_resolution_error | Error message from path resolution |
| inode | File inode number |
| mode | File mode |
| in_upper_layer | Indicator of file OverlayFS layer |
| mount_id | File mount ID |
| filesystem | File filesystem name |
| uid | File User ID |
| gid | File Group ID |
| user | File user |
| group | File group |
| attribute_name | File extended attribute name |
| attribute_namespace | File extended attribute namespace |
| flags | File flags |
| access_time | (no description; `format: date-time`) |
| modification_time | File modified time |
| change_time | File change time |
| destination | Target file information |
| new_mount_id | New Mount ID |
| group_id | Group ID |
| device | Device associated with the file |
| fstype | Filesystem type |
References
File

ProcessCacheEntry

{
    "required": [
        "uid",
        "gid"
    ],
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "tid": {
            "type": "integer",
            "description": "Thread ID"
        },
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Description of an error in the path resolution"
        },
        "comm": {
            "type": "string",
            "description": "Command name"
        },
        "tty": {
            "type": "string",
            "description": "TTY associated with the process"
        },
        "fork_time": {
            "type": "string",
            "description": "Fork time of the process",
            "format": "date-time"
        },
        "exec_time": {
            "type": "string",
            "description": "Exec time of the process",
            "format": "date-time"
        },
        "exit_time": {
            "type": "string",
            "description": "Exit time of the process",
            "format": "date-time"
        },
        "credentials": {
            "$ref": "#/definitions/ProcessCredentials",
            "description": "Credentials associated with the process"
        },
        "executable": {
            "$ref": "#/definitions/File",
            "description": "File information of the executable"
        },
        "container": {
            "$ref": "#/definitions/ContainerContext",
            "description": "Container context"
        },
        "args": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Command line arguments"
        },
        "args_truncated": {
            "type": "boolean",
            "description": "Indicator of arguments truncation"
        },
        "envs": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Environment variables of the process"
        },
        "envs_truncated": {
            "type": "boolean",
            "description": "Indicator of environment variable truncation"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| pid | Process ID |
| ppid | Parent Process ID |
| tid | Thread ID |
| uid | User ID |
| gid | Group ID |
| user | User name |
| group | Group name |
| path_resolution_error | Description of an error in the path resolution |
| comm | Command name |
| tty | TTY associated with the process |
| fork_time | Fork time of the process |
| exec_time | Exec time of the process |
| exit_time | Exit time of the process |
| credentials | Credentials associated with the process |
| executable | File information of the executable |
| container | Container context |
| args | Command line arguments |
| args_truncated | Indicator of arguments truncation |
| envs | Environment variables of the process |
| envs_truncated | Indicator of environment variable truncation |
References
ProcessCredentials
File
ContainerContext

ProcessContext

{
    "required": [
        "uid",
        "gid"
    ],
    "properties": {
        "pid": {
            "type": "integer",
            "description": "Process ID"
        },
        "ppid": {
            "type": "integer",
            "description": "Parent Process ID"
        },
        "tid": {
            "type": "integer",
            "description": "Thread ID"
        },
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "path_resolution_error": {
            "type": "string",
            "description": "Description of an error in the path resolution"
        },
        "comm": {
            "type": "string",
            "description": "Command name"
        },
        "tty": {
            "type": "string",
            "description": "TTY associated with the process"
        },
        "fork_time": {
            "type": "string",
            "description": "Fork time of the process",
            "format": "date-time"
        },
        "exec_time": {
            "type": "string",
            "description": "Exec time of the process",
            "format": "date-time"
        },
        "exit_time": {
            "type": "string",
            "description": "Exit time of the process",
            "format": "date-time"
        },
        "credentials": {
            "$ref": "#/definitions/ProcessCredentials",
            "description": "Credentials associated with the process"
        },
        "executable": {
            "$ref": "#/definitions/File",
            "description": "File information of the executable"
        },
        "container": {
            "$ref": "#/definitions/ContainerContext",
            "description": "Container context"
        },
        "args": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Command line arguments"
        },
        "args_truncated": {
            "type": "boolean",
            "description": "Indicator of arguments truncation"
        },
        "envs": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Environment variables of the process"
        },
        "envs_truncated": {
            "type": "boolean",
            "description": "Indicator of environment variable truncation"
        },
        "parent": {
            "$ref": "#/definitions/ProcessCacheEntry",
            "description": "Parent process"
        },
        "ancestors": {
            "items": {
                "$ref": "#/definitions/ProcessCacheEntry"
            },
            "type": "array",
            "description": "Ancestor processes"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| pid | Process ID |
| ppid | Parent Process ID |
| tid | Thread ID |
| uid | User ID |
| gid | Group ID |
| user | User name |
| group | Group name |
| path_resolution_error | Description of an error in the path resolution |
| comm | Command name |
| tty | TTY associated with the process |
| fork_time | Fork time of the process |
| exec_time | Exec time of the process |
| exit_time | Exit time of the process |
| credentials | Credentials associated with the process |
| executable | File information of the executable |
| container | Container context |
| args | Command line arguments |
| args_truncated | Indicator of arguments truncation |
| envs | Environment variables of the process |
| envs_truncated | Indicator of environment variable truncation |
| parent | Parent process |
| ancestors | Ancestor processes |
References
ProcessCredentials
File
ContainerContext
ProcessCacheEntry

ProcessCredentials

{
    "required": [
        "uid",
        "gid",
        "euid",
        "egid",
        "fsuid",
        "fsgid",
        "cap_effective",
        "cap_permitted"
    ],
    "properties": {
        "uid": {
            "type": "integer",
            "description": "User ID"
        },
        "user": {
            "type": "string",
            "description": "User name"
        },
        "gid": {
            "type": "integer",
            "description": "Group ID"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        },
        "euid": {
            "type": "integer",
            "description": "Effective User ID"
        },
        "euser": {
            "type": "string",
            "description": "Effective User name"
        },
        "egid": {
            "type": "integer",
            "description": "Effective Group ID"
        },
        "egroup": {
            "type": "string",
            "description": "Effective Group name"
        },
        "fsuid": {
            "type": "integer",
            "description": "Filesystem User ID"
        },
        "fsuser": {
            "type": "string",
            "description": "Filesystem User name"
        },
        "fsgid": {
            "type": "integer",
            "description": "Filesystem Group ID"
        },
        "fsgroup": {
            "type": "string",
            "description": "Filesystem Group name"
        },
        "cap_effective": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Effective Capability set"
        },
        "cap_permitted": {
            "items": {
                "type": "string"
            },
            "type": "array",
            "description": "Permitted Capability set"
        },
        "destination": {
            "additionalProperties": true,
            "description": "Credentials after the operation"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| uid | User ID |
| user | User name |
| gid | Group ID |
| group | Group name |
| euid | Effective User ID |
| euser | Effective User name |
| egid | Effective Group ID |
| egroup | Effective Group name |
| fsuid | Filesystem User ID |
| fsuser | Filesystem User name |
| fsgid | Filesystem Group ID |
| fsgroup | Filesystem Group name |
| cap_effective | Effective Capability set |
| cap_permitted | Permitted Capability set |
| destination | Credentials after the operation |

SELinuxBoolChange

{
    "properties": {
        "name": {
            "type": "string",
            "description": "SELinux boolean name"
        },
        "state": {
            "type": "string",
            "description": "SELinux boolean state ('on' or 'off')"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| name | SELinux boolean name |
| state | SELinux boolean state ('on' or 'off') |

SELinuxBoolCommit

{
    "properties": {
        "state": {
            "type": "boolean",
            "description": "SELinux boolean commit operation"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| state | SELinux boolean commit operation |

SELinuxEnforceStatus

{
    "properties": {
        "status": {
            "type": "string",
            "description": "SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| status | SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled') |

SELinuxEvent

{
    "properties": {
        "bool": {
            "$ref": "#/definitions/SELinuxBoolChange",
            "description": "SELinux boolean operation"
        },
        "enforce": {
            "$ref": "#/definitions/SELinuxEnforceStatus",
            "description": "SELinux enforcement change"
        },
        "bool_commit": {
            "$ref": "#/definitions/SELinuxBoolCommit",
            "description": "SELinux boolean commit"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| bool | SELinux boolean operation |
| enforce | SELinux enforcement change |
| bool_commit | SELinux boolean commit |
References
SELinuxBoolChange
SELinuxEnforceStatus
SELinuxBoolCommit

UserContext

{
    "properties": {
        "id": {
            "type": "string",
            "description": "User name"
        },
        "group": {
            "type": "string",
            "description": "Group name"
        }
    },
    "additionalProperties": false,
    "type": "object"
}
| Field | Description |
| --- | --- |
| id | User name |
| group | Group name |