Raw Event Format

The Threat Stack Cloud Security Platform (CSP) normalizes the structure of raw events received before batching them for export.

Agent 2.0

Event types: Audit, File, Host, Login, ThreatIntel. Audit event fields (each entry is field: format; subfields are indented under their parent, and * marks a conditional field, see the note below):

event: array; each element has the subfields
    _id: string
    _insert_time: long
    _type: "audit"
    agent_id: string
    args: array (each element a string)
    arguments: string
    command*: string
    connection*: struct
        addr: string
        dst_addr: string
        dst_port: long
        port: long
        src_addr: string
        src_port: long
        version: long
    containerId*: string
    containerImage*: string
    cwd*: string
    egid: long
    euid: long
    exe: string
    exit*: string
    fd*: long
    gid: long
    group: string
    loginuid: long
    organization_id: string
    path: array (each element a string)
    pid: long
    pod_name*: string
    pod_uid*: string
    ppid*: long
    session: long
    success*: boolean
    syscall: string
    timestamp: long
    tty*: string
    type: string, one of "accept", "bind", "connect", "listen", "start"
    uid: long
    user: string

* The value of "audit" > "type" determines whether or not this field displays.

Agent 1.9

Event types: Audit, File, Host, Login, ThreatIntel. Audit event fields (each entry is field: format; subfields are indented under their parent, and * marks a conditional field, see the note below):

events: array; each element has the subfields
    _id: string
    _insert_time: long
    _type: "audit"
    agent_id: string
    args: array (each element a string)
    arguments: string
    command*: string
    connection*: struct
        addr: string
        dst_addr: string
        dst_port: long
        port: long
        src_addr: string
        src_port: long
        version: long
    containerId*: string
    containerImage*: string
    cwd*: string
    egid: long
    euid: long
    exe*: string
    exit*: string
    fd*: long
    gid: long
    group: string
    loginuid: long
    organization_id: string
    path: array (each element a string)
    pid: long
    pod_name*: string
    pod_uid*: string
    ppid*: long
    session: long
    success*: boolean
    syscall: string
    timestamp: long
    tty*: string
    type: string, one of
        "accept", "access", "adjtimex", "bind", "brk", "chdir", "chmod", "chown",
        "clock_gettime", "clock_settime", "close", "connect", "epoll_ctl", "fchmod",
        "fchown", "fcntl", "finit_module", "flock", "fstat", "ftruncate", "futex",
        "getdents", "getresgid", "geteuid", "getsockname", "getsockopt", "gettimeofday",
        "init_module", "inotify_add_watch", "ioctl", "ioprio_get", "listen", "lseek",
        "lstat", "mkdir", "mmap", "mount", "mprotect", "munmap", "newfstatat", "open",
        "openat", "pipe", "poll", "pselect6", "pwrite64", "read", "readlink", "readlinkat",
        "recvfrom", "recvmsg", "rename", "rmdir", "select", "sendmsg", "sendmmsg", "sendto",
        "setrlimit", "setsockopt", "settimeofday", "setxattr", "shutdown", "start", "stat",
        "umount2", "unlink", "unlinkat", "unshare", "utimes", "wait4", "write", "writev"
    uid: long
    user: string

* The value of "audit" > "type" determines whether or not this field displays.
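Added example, not code from Threat Stack: a Python check that validates a decoded export batch against the Audit schema above, treating starred fields as optional, rejecting a JSON boolean in a long field, checking the connection struct and array elements, and handling the two differences between the tables (the batch key is "event" in Agent 2.0 but "events" in 1.9, and exe is conditional only in 1.9). The sample event is constructed; the Agent 1.9 "type" list from the table can be passed as allowed_types.

```python
# Audit-event fields from the table above (name -> type); "*" = shown only for some "type" values, so optional here.
AUDIT_FIELDS = {
    "_id": str, "_insert_time": int, "_type": str, "agent_id": str,
    "args": list, "arguments": str, "command*": str, "connection*": dict,
    "containerId*": str, "containerImage*": str, "cwd*": str, "egid": int,
    "euid": int, "exe": str, "exit*": str, "fd*": int, "gid": int,
    "group": str, "loginuid": int, "organization_id": str, "path": list,
    "pid": int, "pod_name*": str, "pod_uid*": str, "ppid*": int,
    "session": int, "success*": bool, "syscall": str, "timestamp": int,
    "tty*": str, "type": str, "uid": int, "user": str,
}
CONNECTION_FIELDS = {"addr": str, "dst_addr": str, "dst_port": int, "port": int,
                     "src_addr": str, "src_port": int, "version": int}
TYPES_2_0 = {"accept", "bind", "connect", "listen", "start"}  # "type" values documented for Agent 2.0
SAMPLE_2_0 = {  # constructed sample (not real Threat Stack data) that satisfies the Agent 2.0 schema
    "_id": "ev-1", "_insert_time": 1700000000000, "_type": "audit", "agent_id": "agent-1", "args": ["ls", "-l"],
    "arguments": "ls -l", "egid": 0, "euid": 0, "exe": "/bin/ls", "gid": 0, "group": "root", "loginuid": 1000,
    "organization_id": "org-1", "path": ["/bin/ls"], "pid": 4242, "session": 7, "syscall": "execve",
    "timestamp": 1700000000000, "type": "start", "uid": 0, "user": "root"}

def _typed(value, expected):
    # bool is a subclass of int in Python: a JSON true in a "long" field must still fail.
    return isinstance(value, expected) and not (expected is int and isinstance(value, bool))

def check_event(ev, agent="2.0", allowed_types=TYPES_2_0):
    fields = dict(AUDIT_FIELDS)
    if agent == "1.9":                       # Agent 1.9 documents "exe" as conditional too
        fields["exe*"] = fields.pop("exe")
    problems = [f"unexpected field {k}" for k in ev if k not in fields and k + "*" not in fields]
    for marked, expected in fields.items():
        name, optional = marked.rstrip("*"), marked.endswith("*")
        if name not in ev:
            problems += [] if optional else [f"missing required field {name}"]
        elif not _typed(ev[name], expected):
            problems.append(f"{name}: expected {expected.__name__}")
    problems += [f"{n}: elements must be strings" for n in ("args", "path")   # array element: string
                 if isinstance(ev.get(n), list) and not all(isinstance(x, str) for x in ev[n])]
    if isinstance((conn := ev.get("connection")), dict):   # struct with the documented subfields
        for name, expected in CONNECTION_FIELDS.items():
            if name in conn and not _typed(conn[name], expected):
                problems.append(f"connection.{name}: expected {expected.__name__}")
    if ev.get("_type") != "audit" or ev.get("type") not in allowed_types:
        problems.append(f"_type={ev.get('_type')!r}, type={ev.get('type')!r}: not an audit type documented for agent {agent}")
    return problems

def check_batch(batch, agent="2.0", allowed_types=TYPES_2_0):
    key = "event" if agent == "2.0" else "events"       # the batch's array key differs by agent version
    if not isinstance(batch.get(key), list):
        return {-1: [f"batch must carry an array under {key!r}"]}
    return {i: p for i, ev in enumerate(batch[key]) if (p := check_event(ev, agent, allowed_types))}
```

check_batch returns the problems keyed by event index, so an empty dict means the whole batch matched the documented schema.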
