Supported Keys and Operators


Events that enter the Threat Stack Cloud Security PlatformⓇ (CSP) are keyword searchable. You can use any field in the event's metadata as a search keyword. You can also use a predetermined set of operators to combine keywords into a refined search query. 

The following sections list keyword searchable fields by event type and the operators you can use to refine search queries. For more information on searching for events, see Search for Events.

Audit Events: Supported Keywords
Field Name Field Definition Subfield Name
event_type The overarching type of the event, as defined by Threat Stack.
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
arguments List of all arguments in the event.
auid The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes.
command The command run that triggered the event.
connection A description of the socket connection made to or from the monitored instance. Subfields: addr, dst_addr, dst_port, port, src_addr, src_port, version.
containerId If the event is from a container, then the ID of the container from which the event triggered.
containerImage If the event is from a container, then the title of the container image from which the event triggered.
cwd The path to the directory that invoked the system call that triggered the event.
egid The effective group ID of the user who triggered the event.
euid The effective user ID of the user who triggered the event.
eventId The Threat Stack-generated ID of the event.
exe The path to the executable used to trigger the event.
exit The value that specifies the exit code returned by the system call. The returned value depends on the type of system call.
exit_status The value that specifies the exit code returned by the system call. The returned value depends on the type of system call. Subfields: code, termination.
fd If set, then the file descriptor of the socket that opened for a network connection.
gid The group ID of the user who triggered the event.
group The group of the user who triggered the event.
header The information in the header of the audit message that triggered the event. Subfields: id, milliseconds, timestamp.
eventTime The UNIX timestamp of when the event triggered.
is_agent_2 Indicates whether the event was sent by a Threat Stack version 1.x Agent or a Threat Stack version 2.x Agent.
loginuid The user ID logged in at the time the event triggered.
organization_id The ID that describes the Threat Stack customer organization that reported the event.
path The information about any paths which were passed as an argument to the system call that triggered the event.
pid The process ID attached to the event, as reported by your operating system (OS).
pod_name If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated.
pod_uid If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated.
ppid The parent process ID attached to the event, as reported by your OS.
rule_name The name of the Threat Stack rule applied to the event.
session The Shell session from which the event triggered. 
success A Boolean value that indicates whether or not the action that triggered the event was successful.
syscall The type of system call sent to the kernel.
tty The terminal from which the system call was invoked.
uid The user ID of the user who triggered the event.
user The username of the user who triggered the event.
CloudTrail Events: Supported Keywords
Field Name Field Definition Subfield Names
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
organization_id The ID that describes the Threat Stack customer organization that reported the event.
eventTime The UNIX timestamp of when the event triggered.
_insert_time The UNIX timestamp of the time the event reached the edge of the Threat Stack CSP.
event_type The overarching type of the event, as defined by Threat Stack.
eventVersion The version of the log event format.
userIdentity Information about the user that made the request. Subfields: type, userName, principalId, arn, accountId, accessKeyId, sessionContext (attributes: creationDate, mfaAuthenticated), invokedBy, sessionIssuer, webIdFederationData (federatedProvider, attributes).
eventSource The service to which the request was made. The format is typically the short form of the service name + .amazonaws.com, such as cloudformation.amazonaws.com.
eventSourceType
eventName The requested action. The value returned depends on the actions available through the API for the service.
accountId The account that owns the entity that granted permissions for the request. If the request was made with temporary security credentials, then this is the account that owns the IAM user/role used to obtain credentials.
arn
awsRegion The AWS region to which the request was made.
userAgent The agent through which the request was made, such as the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI.
bucketName
error
errorCode If the request returns an error, then the AWS service error number. 
errorMessage If the request returns an error, then the AWS service error description.
responseElements The response element for actions that make changes, such as create, delete, or update. Subfields: assumedRoleUser (arn, assumedRoleId), credentials (accessKeyId).
requestParameters The parameters sent with the request. The parameters are documented in each AWS service's API documentation. Subfields: groupId, ipPermissions (items: fromPort, ipProtocol, toPort, ipv6Ranges (items, a list of IP addresses)), roleSessionName.
additionalEventData Additional information about the event that is not part of the request or the response.
requestId The value that identifies the request. The service called generates this value.
eventId The Threat Stack-generated ID of the event.
eventType The ID of the type of the event that triggered the event.
apiVersion The API version associated with the AwsApiCall eventType value.
arnRole
accessKey
cidrIP
consoleLogin
managementEvent A Boolean value that indicates whether or not the event is a management event.
MFAUsed
readonly A Boolean value that indicates whether or not the event is a read-only event.
resourceName
resourceType
resources A list of resources accessed in the event. Subfields: ARN, accountId, type.
recipientAccountID The account ID that received the event.
serviceEventDetails The service event, including the trigger for the event and the result.
sharedEventID The GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.
subnetId
iamInstanceProfileArn
iamInstanceProfileId
ip
imageId
keyId
sourceIPAddress The IP address from which the request was made.
permission
profileId
policyArn
feed
user The username of the user who triggered the event.
userType
vpcID The ID of the VPC endpoint through which requests were made from a VPC to another AWS service.
File Integrity Monitoring (FIM) Events: Supported Keywords
Field Name Field Definition Subfield Name
event_type The overarching type of the event, as defined by Threat Stack.
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
arguments List of all arguments of the command executed that resulted in the filesystem event that triggered the event.
auid The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes.
command The command run that triggered the event.
containerId If the event is from a container, then the ID of the container from which the event triggered.
containerImage If the event is from a container, then the title of the container image from which the event triggered.
eventId The Threat Stack-generated ID of the event.
events The strings that represent the type of event that occurred, such as ACCESS, CLOSE, DELETE, MODIFY, and so on.
exe The path to the executable used to trigger the event.
exit The value that specifies the exit code returned by the system call. The returned value depends on the type of system call.
filename The name of the file that triggered the event.
gid The group ID of the user who triggered the event.
group The group of the user who triggered the event.
eventTime The UNIX timestamp of when the event triggered.
organization_id The ID that describes the Threat Stack customer organization that reported the event.
pid The process ID attached to the event, as reported by your operating system (OS).
pod_name If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated.
pod_uid If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated.
ppid The parent process ID attached to the event, as reported by your OS.
rule_id The ID of the rule applied to the event.
session The Shell session from which the event triggered.
tty The terminal from which the system call was invoked.
uid The user ID of the user who triggered the event.
user The username of the user who triggered the event.
Kubernetes Audit Events: Supported Keywords
Field Name Field Definition Subfield Name Subfield Definition
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
organization_id The ID that describes the Threat Stack customer organization that reported the event.
event_type The overarching type of the event, as defined by Threat Stack.
action The type of event.
eventId The Threat Stack-generated ID of the event.
eventTime The UNIX timestamp of when the event triggered.
name The namespace in which the object exists.
node_name The name of the node (server) on which the event triggered.
namespace The Kubernetes namespace in which the event triggered.
resource The object on which the event triggered. Subfields: name, type, namespace.
type The type of record, as reported by either auditd or the OS.
Kubernetes Config Events: Supported Keywords
Field Name Field Definition Subfield Names
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
organization_id The ID that describes the Threat Stack customer organization that reported the event.
event_type The overarching type of the event, as defined by Threat Stack.
action The type of event.
eventId The Threat Stack-generated ID of the event.
eventTime The UNIX timestamp of when the event triggered.
name The namespace in which the object exists.
namespace The Kubernetes namespace in which the event triggered.
type The type of record, as reported by either auditd or the OS.
spec The configuration of the object. Subfields: role_bindings (targets: name, type, namespace; role_name; role_type; role_policies: verbs, api_groups, resources, resource_names).
Linux Host Events: Supported Keywords
Field Name Field Definition Subfield Name
event_type The overarching type of the event, as defined by Threat Stack.
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
arguments List of all arguments in the event.
auid The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes.
caddr The address in memory from which the symbol for the event loads.
comment A text comment that adds context to the preload information recorded for the event.
eventId The Threat Stack-generated ID of the event.
exe The path to the executable used to trigger the event.
function The symbol found to be overloaded.
group The group of the user who triggered the event.
eventTime The UNIX timestamp of when the event triggered.
level The level value from the rule applied to the event.
library
organization_id The ID that describes the Threat Stack customer organization that reported the event.
originalLibrary The shared object file from which the symbol for the event should have loaded.
overridingLibrary The shared object file from which the symbol for the event currently loads.
pid The process ID attached to the event, as reported by your operating system (OS).
raddr The address of the real symbol for the event that should have been loaded.
session The Shell session from which the event triggered.
sigid The rule ID of the rule applied to the event.
src_ip If set, then indicates the source IP address of the action that triggered the event.
subj
uid The user ID of the user who triggered the event.
user The username of the user who triggered the event.
Login Events: Supported Keywords
Field Name Field Definition Subfield Name
event_type The overarching type of the event, as defined by Threat Stack.
address The IP address from which the user who triggered the event originated.
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
arguments List of all arguments in the event.
auid The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes.
command The command run that triggered the event.
containerId If the event is from a container, then the ID of the container from which the event triggered.
containerImage If the event is from a container, then the title of the container image from which the event triggered.
eventId The Threat Stack-generated ID of the event.
exe The path to the executable used to trigger the event.
host
eventTime The UNIX timestamp of when the event triggered.
organization_id The ID that describes the Threat Stack customer organization that reported the event.
pid The process ID attached to the event, as reported by your operating system (OS).
pod_name If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated.
pod_uid If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated.
session The Shell session from which the event triggered.
uid The user ID of the user who triggered the event.
user The username of the user who triggered the event.
Threat Intelligence (ThreatIntel) Events: Supported Keywords
Field Name Field Definition Subfield Name
event_type The overarching type of the event, as defined by Threat Stack.
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
arguments List of all arguments in the event.
auid The audit user identification (ID) of the user who triggered the event. This ID is assigned at user login and is inherited by every process, even when the user's identity changes.
command The command run that triggered the event.
connection The description of the socket connection made to or from the monitored instance. Subfields: addr, dst_addr, dst_port, port, src_addr, src_port.
containerId If the event is from a container, then the ID of the container from which the event triggered.
containerImage If the event is from a container, then the title of the container image from which the event triggered.
cwd The path to the directory that invoked the system call that triggered the event.
egid The effective group ID of the user who triggered the event.
euid The effective user ID of the user who triggered the event.
eventId The Threat Stack-generated ID of the event.
exe The path to the executable used to trigger the event.
exit The value that specifies the exit code returned by the system call. The returned value depends on the type of system call.
exit_status The value that specifies the exit code returned by the system call. The returned value depends on the type of system call. Subfields: code, termination.
fd If set, then the file descriptor of the socket that opened for a network connection.
gid The group ID of the user who triggered the event.
group The group of the user who triggered the event.
header The information in the header of the audit message that triggered the event. Subfields: id, milliseconds, timestamp.
eventTime The UNIX timestamp of when the event triggered.
is_agent_2 Indicates whether the event was sent by a Threat Stack version 1.x Agent or a Threat Stack version 2.x Agent.
loginuid
organization_id The ID that describes the Threat Stack customer organization that reported the event.
path The information about any paths which were passed as an argument to the system call that triggered the event.
pid The process ID attached to the event, as reported by your operating system (OS).
pod_name If the event is a Kubernetes event, then the name of the Kubernetes pod from which the system call that triggered the event originated.
pod_uid If the event is a Kubernetes event, then the UID of the Kubernetes pod from which the system call that triggered the event originated.
ppid The parent process ID attached to the event, as reported by your OS.
rule_name The name of the Threat Stack rule applied to the event.
session The Shell session from which the event triggered.
success A Boolean value that indicates whether or not the action that triggered the event was successful.
syscall The type of system call sent to the kernel.
threatintelEventId The ID of the event.
threatintel_reason The reason the IP address is marked as malicious.
threatintel_source The source of information used to determine that the IP address is malicious.
threatintel_type The hardcoded value of the IP address.
tty The terminal from which the system call was invoked.
type The type of record, as reported by either auditd or the OS.
uid The user ID of the user who triggered the event.
user The username of the user who triggered the event.
Windows Events: Supported Keywords
Field Name Field Definition
organization_id The ID that describes the Threat Stack customer organization that reported the event.
agent_id The Threat Stack Agent's ID that sent the event to the Threat Stack CSP.
event_type
eventTime The time at which the event triggered.
addr
command The CLI command that triggered the event.
correlation The GUID of the activity that triggered the event.
dns_host The name of the computer as registered in DNS.
dst_host Sysmon: The hostname of the network connection's destination.
dst_ip Sysmon: The destination IP address of the network connection.
dstIpv6 Sysmon: A Boolean value that indicates whether or not the destination IP address is an IPv6 address.
dst_port Sysmon: The port used by the network connection's destination.
domain
eventId The Threat Stack-generated ID of the event.
exe The filename of the event's triggering or target application.
guid Sysmon: The GUID of a newly created process, a universally unique identifier.
hash Sysmon: A hash value.
linked_logon_id The ID of a paired login.
logon_process
logon_type The logon type, as an integer.
parent_command Sysmon: The CLI command used to invoke a new process's parent.
parent_guid Sysmon: The GUID of a new process's parent.
parent_name The name of a new process's parent.
pid The ID of an event's triggering or newly created process.
ppid Used for events that create new processes.
reg_event Sysmon: The type of operation performed on the target registry key.
sam_account The SAM account associated with the event, usually account management.
sid A security identifier.
signature Sysmon: The signature of a driver.
signature_validity Sysmon: Integrity of a driver's signature.
signed A Boolean value that indicates whether or not the driver is signed.
src_ip Sysmon: The IP address of a network connection source.
src_ipv6 Sysmon: A Boolean value that indicates whether or not a network connection's IP address is IPv6.
src_port Sysmon: The source's port in a network connection.
target_exe Sysmon: The executable affected by this event.
target_file
target_guid Sysmon: The GUID of a target process.
target_reg_key Sysmon: The registry key affected by this event.
target_user Sysmon: The username of the account affected by this event.
user The name of the user who triggered the event.
win_event_id
Supported Operators
Operator Operator Definition Example
= include anything that exactly matches the keyword exe = "/bin/ls"
!= exclude anything that exactly matches the keyword tty != NULL
< include anything fewer than the keyword pid < 999
<= include anything fewer than or equal to the keyword pid <= 1000
> include anything greater than the keyword pid > 999
>= include anything greater than or equal to the keyword pid >= 1000
starts_with include anything that begins with the information in the keyword filename starts_with "etc/group"
ends_with include anything that ends with the information in the keyword arguments ends_with "22"
like include anything that matches a string within the keyword arguments like "BECOME-SUCCESS"
and include anything that matches both the first condition and the second condition of the query tty != NULL and tty != ""
&& include anything that matches both the first condition and the second condition of the query tty != NULL && tty != ""
or include anything that matches either the first condition or the second condition of the query tty != NULL or tty != ""
|| include anything that matches either the first condition or the second condition of the query tty != NULL || tty != ""
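The operator table above, worked as an added example that is not Threat Stack's code or API: a small evaluator tokenizes a query, applies each listed operator with the semantics the table gives, and filters constructed sample audit events, so the effect of a query such as tty != NULL && tty != "" can be seen on concrete records. It assumes what the page leaves unstated: and/&& binds tighter than or/||, NULL means the field is absent, != holds for an absent field, and a list-valued field such as arguments matches when any element matches.

```python
# Added example, not Threat Stack code: applies this page's search operators to event dicts.
# Assumed: and/&& binds tighter than or/||, NULL means "field absent", != holds for an
# absent field, and a list-valued field (e.g. arguments) matches if any element does.
import re

_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|(&&|\|\||!=|<=|>=|<|>|=)|([A-Za-z_]\w*)|(-?\d+))')
NULL = object()  # sentinel for the NULL keyword
_OPS = {  # one binary predicate per operator; string operators see the field as text
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "starts_with": lambda a, b: str(a).startswith(str(b)),
    "ends_with": lambda a, b: str(a).endswith(str(b)),
    "like": lambda a, b: str(b) in str(a),  # like: match a string within the value
}

def tokenize(query):
    """Split a query into (kind, value) tokens; kind is str, op, word or num."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize {query[pos:]!r}")
        text, op, word, num = m.groups()
        tokens.append(("str", text) if text is not None else ("op", op) if op
                      else ("word", word) if word else ("num", int(num)))
        pos = m.end()
    return tokens

def compare(actual, op, expected):
    """Apply one operator to a field value; None means the field is absent."""
    if isinstance(actual, list) and expected is not NULL:  # any element may match
        return any(compare(item, op, expected) for item in actual)
    if expected is NULL or actual is None:  # absent fields: only = and != apply
        return op == ("=" if actual is None and expected is NULL else "!=")
    try:
        return bool(_OPS[op](actual, expected))
    except TypeError:  # e.g. ordering a string-valued field against a number
        return False

def compile_query(query):
    """Parse 'field op value' conditions joined by and/&& or or/|| into a predicate."""
    toks, groups, i = tokenize(query), [[]], 0  # groups: and-chains, joined by or
    while True:
        if len(toks) < i + 3 or toks[i][0] != "word" or toks[i + 1][1] not in _OPS:
            raise ValueError(f"expected 'field operator value' at token {i}")
        (_, field), (_, op), (kind, raw) = toks[i:i + 3]
        expected = NULL if (kind, raw) == ("word", "NULL") else raw
        groups[-1].append(lambda ev, f=field, o=op, x=expected: compare(ev.get(f), o, x))
        i += 3
        if i == len(toks):
            return lambda ev: any(all(c(ev) for c in g) for g in groups)
        joiner, i = toks[i][1], i + 1
        if joiner in ("or", "||"):
            groups.append([])
        elif joiner not in ("and", "&&"):
            raise ValueError(f"unexpected token {joiner!r}")

def search(events, query):
    predicate = compile_query(query)  # eventIds of the selected events, in input order
    return [ev["eventId"] for ev in events if predicate(ev)]

SAMPLE_EVENTS = [  # constructed sample audit events, not real data; e3 has no tty
    {"eventId": "e1", "exe": "/bin/ls", "tty": "pts/0", "pid": 4120, "arguments": ["ls", "-la"]},
    {"eventId": "e2", "exe": "/usr/bin/ssh", "tty": "", "pid": 512, "arguments": ["ssh", "-p", "22"]},
    {"eventId": "e3", "exe": "/usr/bin/python3", "pid": 998, "arguments": ["BECOME-SUCCESS-abc"]},
]
```

Running search(SAMPLE_EVENTS, 'tty != NULL && tty != ""') selects only e1, while 'tty != ""' alone also selects the tty-less e3, which is why the page's example pairs the two conditions.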
