Raw Event Format


The Threat Stack Cloud Security Platform (CSP) normalizes the structure of raw events received before batching them for export.

Agent 2.1

Threat Stack Agent 2.1 includes all of the raw event formats available in Agent 2.0, along with these additional formats.

Kubernetes Config Event (the page also has a "Kubernetes Audit Link" tab, whose contents are not included here)

Event type: Kubernetes

events (array); each element:
    _id                 string
    _insert_time        long
    _type*              "kubernetesConfig"
    agent_id*           string
    name                string
    namespace           string
    organization_id*    string
    spec                array
        role_bindings       optional object
            targets             optional array
                name                string
                namespaces          string
                type                string
            role_name           string
            role_type           string
        role_policies       optional array
            api_groups          optional array of string
            resource_names      optional array of string
            resources           optional array of string
            verbs               array of string
    timestamp*          long
    type                one of "ClusterRole", "Role", "ClusterRoleBindings", "RoleBindings"
    uid                 string

*The field is searchable with Threat Stack Event Search.

Agent 2.0
Audit (the page also has File, Host, Login and ThreatIntel tabs, whose contents are not included here)

event (array); each element:
    _id                 string
    _insert_time        long
    _type               "audit"
    agent_id            string
    args                array of string
    arguments           string
    command*            string
    connection*         struct
        addr                string
        dst_addr            string
        dst_port            long
        port                long
        src_addr            string
        src_port            long
        version             long
    containerId*        string
    containerImage*     string
    cwd*                string
    egid                long
    euid                long
    exe                 string
    exit*               string
    fd*                 long
    gid                 long
    group               string
    loginuid            long
    organization_id     string
    path                array of string
    pid                 long
    pod_name*           string
    pod_uid*            string
    ppid*               long
    session             long
    success*            boolean
    syscall             string
    timestamp           long
    tty*                string
    type                string; one of "accept", "bind", "connect", "listen", "start"
    uid                 long
    user                string

* The value of "audit" > "type" determines whether or not this field displays.
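The Agent 2.0 audit layout above is the one a consumer of exported raw events has to check against before feeding the data into a detection pipeline. The following is an added example, not Threat Stack's code: a small validator that takes an export batch, checks every event's field names and JSON types against the table, verifies that "type" is one of the documented values, and pulls the connection structs out for network analysis. Field names and types are transcribed from the table; the sample batch, the agent/organization ids, the addresses and the paths are constructed placeholders. Because the page states only that "type" decides whether the starred fields appear, without saying which type carries which field, the example checks starred fields only when they are present (an assumption, noted in the code).

```python
"""Added example (not Threat Stack code): validate exported raw audit events
against the Agent 2.0 "Audit" schema documented above.  Field names and
types are transcribed from that table; the sample batch, agent/org ids and
addresses are constructed placeholders."""
from __future__ import annotations

from typing import Any

# Fields present in every audit event (name -> JSON type), from the table.
AUDIT_REQUIRED: dict[str, type] = {
    "_id": str, "_insert_time": int, "_type": str, "agent_id": str,
    "args": list, "arguments": str, "egid": int, "euid": int, "exe": str,
    "gid": int, "group": str, "loginuid": int, "organization_id": str,
    "path": list, "pid": int, "session": int, "syscall": str,
    "timestamp": int, "type": str, "uid": int, "user": str,
}
# Starred fields: the page says "type" decides whether they appear, without
# listing which type carries which field, so they are checked only if present
# (assumption).
AUDIT_CONDITIONAL: dict[str, type] = {
    "command": str, "connection": dict, "containerId": str,
    "containerImage": str, "cwd": str, "exit": str, "fd": int,
    "pod_name": str, "pod_uid": str, "ppid": int, "success": bool, "tty": str,
}
CONNECTION_FIELDS: dict[str, type] = {
    "addr": str, "dst_addr": str, "dst_port": int, "port": int,
    "src_addr": str, "src_port": int, "version": int,
}
AUDIT_TYPES = {"accept", "bind", "connect", "listen", "start"}


def _type_ok(value: Any, expected: type) -> bool:
    # bool is a subclass of int in Python; a boolean where a long is documented is wrong.
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def validate_audit_event(ev: dict[str, Any]) -> list[str]:
    """Return the schema violations for one event (empty list when it conforms)."""
    errs: list[str] = []
    for name, typ in AUDIT_REQUIRED.items():
        if name not in ev:
            errs.append(f"missing required field {name!r}")
        elif not _type_ok(ev[name], typ):
            errs.append(f"{name!r}: expected {typ.__name__}, got {type(ev[name]).__name__}")
    if ev.get("_type") != "audit":
        errs.append(f"'_type': expected \"audit\", got {ev.get('_type')!r}")
    if ev.get("type") not in AUDIT_TYPES:
        errs.append(f"'type': {ev.get('type')!r} is not a documented audit type")
    for name in ("args", "path"):  # documented as arrays whose elements are strings
        if isinstance(ev.get(name), list) and not all(isinstance(x, str) for x in ev[name]):
            errs.append(f"{name!r}: every element must be a string")
    for name, typ in AUDIT_CONDITIONAL.items():
        if name in ev and not _type_ok(ev[name], typ):
            errs.append(f"{name!r}: expected {typ.__name__}, got {type(ev[name]).__name__}")
    conn = ev.get("connection")
    if isinstance(conn, dict):
        for name, typ in CONNECTION_FIELDS.items():
            if name in conn and not _type_ok(conn[name], typ):
                errs.append(f"connection.{name}: expected {typ.__name__}")
        if unknown := sorted(set(conn) - set(CONNECTION_FIELDS)):
            errs.append(f"connection: undocumented subfields {unknown}")
    return errs


def validate_batch(batch: dict[str, Any]) -> dict[str, list[str]]:
    """Validate every event of an export batch; result is keyed by event _id."""
    events = batch.get("event")  # the Agent 2.0 table names the top-level array "event"
    if not isinstance(events, list):
        return {"<batch>": ["top-level 'event' array is missing"]}
    return {str(ev.get("_id", f"#{i}")): validate_audit_event(ev) for i, ev in enumerate(events)}


def network_events(batch: dict[str, Any]) -> list[tuple[Any, Any, Any, Any]]:
    """(src_addr, dst_addr, dst_port, type) for each event that carries a connection struct."""
    out = []
    for ev in batch.get("event", []):
        conn = ev.get("connection")
        if isinstance(conn, dict):
            out.append((conn.get("src_addr"), conn.get("dst_addr"), conn.get("dst_port"), ev.get("type")))
    return out


# Constructed sample batch: evt-1 conforms; evt-2 has a string pid and an undocumented type.
SAMPLE_BATCH: dict[str, Any] = {"event": [
    {"_id": "evt-1", "_insert_time": 1600000000000, "_type": "audit", "agent_id": "agent-placeholder",
     "args": ["curl", "http://203.0.113.5"], "arguments": "curl http://203.0.113.5", "command": "curl",
     "connection": {"addr": "203.0.113.5", "dst_addr": "203.0.113.5", "dst_port": 80, "port": 80,
                    "src_addr": "10.0.0.12", "src_port": 51234, "version": 4},
     "cwd": "/home/app", "egid": 1000, "euid": 1000, "exe": "/usr/bin/curl", "exit": "0", "fd": 3,
     "gid": 1000, "group": "app", "loginuid": 1000, "organization_id": "org-placeholder",
     "path": [], "pid": 4242, "ppid": 1, "session": 7, "success": True, "syscall": "connect",
     "timestamp": 1600000000000, "tty": "pts/0", "type": "connect", "uid": 1000, "user": "app"},
    {"_id": "evt-2", "_insert_time": 1600000001000, "_type": "audit", "agent_id": "agent-placeholder",
     "args": ["nginx"], "arguments": "nginx", "egid": 0, "euid": 0, "exe": "/usr/sbin/nginx",
     "gid": 0, "group": "root", "loginuid": 0, "organization_id": "org-placeholder",
     "path": ["/usr/sbin/nginx"], "pid": "99", "session": 1, "syscall": "execve",
     "timestamp": 1600000001000, "type": "execve", "uid": 0, "user": "root"},
]}

if __name__ == "__main__":
    for event_id, problems in validate_batch(SAMPLE_BATCH).items():
        print(event_id, "OK" if not problems else problems)
    print(network_events(SAMPLE_BATCH))
```

Rejecting a batch outright on the first violation is usually the wrong call for exported telemetry; collecting per-event violations, as above, lets a pipeline quarantine malformed events while still ingesting the rest, and the list of undocumented "type" values it produces is the first thing to compare against the schema when an agent version changes.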

Agent 1.9
Audit (the page also has File, Host, Login and ThreatIntel tabs, whose contents are not included here)

events (array); each element:
    _id                 string
    _insert_time        long
    _type               "audit"
    agent_id            string
    args                array of string
    arguments           string
    command*            string
    connection*         struct
        addr                string
        dst_addr            string
        dst_port            long
        port                long
        src_addr            string
        src_port            long
        version             long
    containerId*        string
    containerImage*     string
    cwd*                string
    egid                long
    euid                long
    exe*                string
    exit*               string
    fd*                 long
    gid                 long
    group               string
    loginuid            long
    organization_id     string
    path                array of string
    pid                 long
    pod_name*           string
    pod_uid*            string
    ppid*               long
    session             long
    success*            boolean
    syscall             string
    timestamp           long
    tty*                string
    type                string; one of:
                        "accept", "access", "adjtimex", "bind", "brk", "chdir", "chmod", "chown",
                        "clock_gettime", "clock_settime", "close", "connect", "epoll_ctl", "fchmod",
                        "fchown", "fcntl", "finit_module", "flock", "fstat", "ftruncate", "futex",
                        "getdents", "getresgid", "geteuid", "getsockname", "getsockopt",
                        "gettimeofday", "init_module", "inotify_add_watch", "ioctl", "ioprio_get",
                        "listen", "lseek", "lstat", "mkdir", "mmap", "mount", "mprotect", "munmap",
                        "newfstatat", "open", "openat", "pipe", "poll", "pselect6", "pwrite64",
                        "read", "readlink", "readlinkat", "recvfrom", "recvmsg", "rename", "rmdir",
                        "select", "sendmsg", "sendmmsg", "sendto", "setrlimit", "setsockopt",
                        "settimeofday", "setxattr", "shutdown", "start", "stat", "umount2",
                        "unlink", "unlinkat", "unshare", "utimes", "wait4", "write", "writev"
    uid                 long
    user                string

* The value of "audit" > "type" determines whether or not this field displays.
