Raw Event Format


The Threat Stack Cloud Security Platform (CSP) normalizes the structure of raw events received before batching them for export.

Agent 2.1

Threat Stack Agent 2.1 includes all of the raw event formats available in Agent 2.0, along with these additional formats.

Formats: Kubernetes Config Event | Kubernetes Audit | Link (only the Kubernetes config event format is reproduced here)

Kubernetes config event

event (array)
  id                string
  batchType*        "kubernetesConfig"
  ingestTime        long
  agent_id*         string
  name              string
  namespace         string
  organizationId*   string
  spec              array
    role_bindings   object (optional)
      targets       array (optional)
        name        string
        namespaces  string
        type        string
      roleName      string
      roleType      string
    role_policies   array (optional)
      apiGroups     array (optional), items string
      resourceNames array (optional), items string
      resources     array (optional), items string
      verbs         array, items string
  timestamp*        long
  type              "ClusterRole" | "Role" | "ClusterRoleBindings" | "RoleBindings"
  uid               string

* The field is searchable with Threat Stack Event Search.

Agent 2.0

Formats: Audit | File | Host | Login | ThreatIntel (only the Audit format is reproduced here)

Audit event

event (array)
  id               string
  batchType        "audit"
  ingestTime       long
  agent_id         string
  args             array, element string
  arguments        string
  command*         string
  connection*      struct
    addr           string
    dst_addr       string
    dst_port       long
    port           long
    src_addr       string
    src_port       long
    version        long
  containerId*     string
  containerImage*  string
  cwd*             string
  egid             long
  euid             long
  exe              string
  exit*            string
  fd*              long
  gid              long
  group            string
  loginuid         long
  organization_id  string
  path             array, element string
  pid              long
  pod_name*        string
  pod_uid*         string
  ppid*            long
  session          long
  success*         boolean
  syscall          string
  timestamp        long
  tty*             string
  type             string; one of "accept", "bind", "connect", "listen", "start"
  uid              long
  user             string

* The value of "audit" > "type" determines whether or not this field displays.
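The two field tables above (the Agent 2.1 Kubernetes config event and the Agent 2.0 audit event) are easiest to use once they are machine-checkable. The following is an added example, not Threat Stack's own code: it transcribes both tables into small schemas and validates constructed sample batches against them. It assumes that "long" maps to a Python int, that the starred audit fields (whose display depends on "type", with the page not saying which values show which field) are optional and are type-checked only when present, and that the "event" array is the top-level key of a batch as the tables show. All identifiers and enumerations come from the tables; every sample value (ids, agent and organization ids, addresses, role names) is made up.

```python
"""Schema checks for Threat Stack raw event batches (added example, not
Threat Stack code). The field tables above are transcribed into small schemas;
"long" maps to Python int and all sample values are made up."""

# Schema notation: Python type; frozenset = enumeration; dict = object ("?" = optional key); [x] = array of x.
AUDIT_TYPES = frozenset({"accept", "bind", "connect", "listen", "start"})
CONNECTION = {"addr": str, "dst_addr": str, "dst_port": int, "port": int,
              "src_addr": str, "src_port": int, "version": int}
AUDIT_EVENT = {
    "id": str, "batchType": frozenset({"audit"}), "ingestTime": int,
    "agent_id": str, "args": [str], "arguments": str, "egid": int, "euid": int,
    "exe": str, "gid": int, "group": str, "loginuid": int, "organization_id": str,
    "path": [str], "pid": int, "session": int, "syscall": str, "timestamp": int,
    "type": AUDIT_TYPES, "uid": int, "user": str,
    # Starred fields display only for some values of "type"; the page does not
    # say which, so they are optional here (assumption) and checked when present.
    "command?": str, "connection?": CONNECTION, "containerId?": str,
    "containerImage?": str, "cwd?": str, "exit?": str, "fd?": int,
    "pod_name?": str, "pod_uid?": str, "ppid?": int, "success?": bool, "tty?": str,
}
ROLE_BINDING = {"targets?": [{"name": str, "namespaces": str, "type": str}],
                "roleName": str, "roleType": str}
ROLE_POLICY = {"apiGroups?": [str], "resourceNames?": [str],
               "resources?": [str], "verbs": [str]}
K8S_CONFIG_EVENT = {
    "id": str, "batchType": frozenset({"kubernetesConfig"}), "ingestTime": int,
    "agent_id": str, "name": str, "namespace": str, "organizationId": str,
    "spec": [{"role_bindings?": ROLE_BINDING, "role_policies?": [ROLE_POLICY]}],
    "timestamp": int, "uid": str,
    "type": frozenset({"ClusterRole", "Role", "ClusterRoleBindings", "RoleBindings"}),
}

def check(value, schema, path="event"):
    """Return human-readable schema violations for value (empty list when valid)."""
    if isinstance(schema, frozenset):
        return [] if value in schema else [f"{path}: {value!r} not in {sorted(schema)}"]
    if isinstance(schema, dict):
        if not isinstance(value, dict):
            return [f"{path}: expected object"]
        errors = []
        for key, sub in schema.items():
            name, optional = key.rstrip("?"), key.endswith("?")
            if name not in value:
                if not optional:
                    errors.append(f"{path}.{name}: missing required field")
                continue
            errors += check(value[name], sub, f"{path}.{name}")
        return errors
    if isinstance(schema, list):
        if not isinstance(value, list):
            return [f"{path}: expected array"]
        return [e for i, item in enumerate(value) for e in check(item, schema[0], f"{path}[{i}]")]
    # bool is a subclass of int in Python, so reject True/False where a long is expected
    ok = isinstance(value, schema) and not (schema is int and isinstance(value, bool))
    return [] if ok else [f"{path}: expected {schema.__name__}, got {type(value).__name__}"]

def check_batch(batch, event_schema):
    """Validate a batch's "event" array: every element must match event_schema."""
    return check(batch.get("event"), [event_schema])

def audit_event(**overrides):
    # Constructed Agent 2.0 audit event with the non-conditional fields filled in.
    base = {"id": "evt-1", "batchType": "audit", "ingestTime": 1700000000000,
            "agent_id": "agent-a", "args": ["curl", "https://example.test"],
            "arguments": "curl https://example.test", "egid": 0, "euid": 0,
            "exe": "/usr/bin/curl", "gid": 0, "group": "root", "loginuid": 1000,
            "organization_id": "org-1", "path": ["/usr/bin/curl"], "pid": 4242,
            "session": 7, "syscall": "connect", "timestamp": 1699999999000,
            "type": "connect", "uid": 0, "user": "root"}
    return {**base, **overrides}

SAMPLE_AUDIT_BATCH = {"event": [
    audit_event(connection={"addr": "203.0.113.5", "dst_addr": "203.0.113.5",
                            "dst_port": 443, "port": 443, "src_addr": "10.0.0.4",
                            "src_port": 51000, "version": 4}),
    # "exec" is not an enumerated audit type, and pid arrives as a string
    audit_event(id="evt-2", syscall="execve", type="exec", pid="4243"),
]}

def k8s_event(spec, **overrides):
    # Constructed Agent 2.1 Kubernetes config event wrapped around the given spec array.
    base = {"id": "k8s-1", "batchType": "kubernetesConfig", "ingestTime": 1700000000000,
            "agent_id": "agent-k", "name": "deploy-bot-binding", "namespace": "prod",
            "organizationId": "org-1", "timestamp": 1699999999000,
            "type": "RoleBindings", "uid": "uid-1", "spec": spec}
    return {**base, **overrides}

SAMPLE_K8S_BATCH = {"event": [
    k8s_event([{"role_bindings": {"roleName": "admin", "roleType": "ClusterRole",
                "targets": [{"name": "deploy-bot", "namespaces": "prod",
                             "type": "ServiceAccount"}]}}]),
    # the second policy omits the required "verbs" array
    k8s_event([{"role_policies": [{"apiGroups": [""], "resources": ["pods"],
                                   "verbs": ["get", "list"]}, {"resources": ["secrets"]}]}],
              id="k8s-2", name="pod-reader", type="Role", uid="uid-2"),
]}

if __name__ == "__main__":
    for batch, schema in [(SAMPLE_AUDIT_BATCH, AUDIT_EVENT), (SAMPLE_K8S_BATCH, K8S_CONFIG_EVENT)]:
        print("\n".join(check_batch(batch, schema) or ["all events valid"]))
```

Running the module reports, for the audit sample, the string-typed `pid` and the non-enumerated `type` on the second event, and for the Kubernetes sample the missing `verbs` array in the second role policy; a batch that matches the tables produces no output beyond "all events valid". Rejecting booleans where a long is expected matters because Python's `isinstance(True, int)` is true, which would otherwise let a mis-typed `success`-style value pass as a numeric field.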

Agent 1.9

Formats: Audit | File | Host | Login | ThreatIntel (only the Audit format is reproduced here)

Audit event

event (array)
  id               string
  batchType        "audit"
  ingestTime       long
  agent_id         string
  args             array, element string
  arguments        string
  command*         string
  connection*      struct
    addr           string
    dst_addr       string
    dst_port       long
    port           long
    src_addr       string
    src_port       long
    version        long
  containerId*     string
  containerImage*  string
  cwd*             string
  egid             long
  euid             long
  exe*             string
  exit*            string
  fd*              long
  gid              long
  group            string
  loginuid         long
  organization_id  string
  path             array, element string
  pid              long
  pod_name*        string
  pod_uid*         string
  ppid*            long
  session          long
  success*         boolean
  syscall          string
  timestamp        long
  tty*             string
  type             string; one of
                   "accept", "access", "adjtimex", "bind", "brk", "chdir", "chmod", "chown",
                   "clock_gettime", "clock_settime", "close", "connect", "epoll_ctl", "fchmod",
                   "fchown", "fcntl", "finit_module", "flock", "fstat", "ftruncate", "futex",
                   "getdents", "getresgid", "geteuid", "getsockname", "getsockopt",
                   "gettimeofday", "init_module", "inotify_add_watch", "ioctl", "ioprio_get",
                   "listen", "lseek", "lstat", "mkdir", "mmap", "mount", "mprotect", "munmap",
                   "newfstatat", "open", "openat", "pipe", "poll", "pselect6", "pwrite64",
                   "read", "readlink", "readlinkat", "recvfrom", "recvmsg", "rename", "rmdir",
                   "select", "sendmsg", "sendmmsg", "sendto", "setrlimit", "setsockopt",
                   "settimeofday", "setxattr", "shutdown", "start", "stat", "umount2",
                   "unlink", "unlinkat", "unshare", "utimes", "wait4", "write", "writev"
  uid              long
  user             string

* The value of "audit" > "type" determines whether or not this field displays.
