Raw Event Format

The Threat Stack Cloud Security Platform (CSP) normalizes the structure of the raw events it receives before batching them for export. The tables below list the fields of each normalized event type and the format of each field; fields marked with an asterisk appear only for some events, as the footnote under each table explains.

Linux Agent

Linux Agent Raw Event Format
Event types: Audit, CloudTrail, File, Kubernetes Audit, Kubernetes Config, Event, Linux Host, Login, ThreatIntel

Audit

Subfields (array elements and struct members) are indented beneath their parent field.

Field                   Format
agentId                 string
organizationId          string
ingestTime              long
eventId                 string
eventTime               long
tags                    "audit"
tsEventType             string
args                    array
  element               string
args                    string
auid                    string
command*                string
connection*             struct
  addr                  string
  dst_addr              string
  dst_port              long
  port                  long
  src_addr              string
  src_port              long
  version               long
containerId*            string
containerImage*         string
containerLabels*        string
cwd*                    string
egid                    long
euid                    long
exe                     string
exit*                   string
exitStatus*             string
fd*                     long
gid                     long
group                   string
header*                 string
isAgent2*               boolean
loginuid                long
path                    array
  element               string
pid                     long
podName*                string
podUid*                 string
ppid                    long
session                 long
success*                boolean
syscall                 string
tty*                    string
type                    string ("accept", "bind", "connect", "listen", "start")
uid                     long
user                    string
auser                   string

* The value of "tags" determines whether or not this field displays for the event.

CloudTrail

Field                   Format
agentId                 string
organizationId          string
ingestTime              long
eventId                 string
eventTime               long
tags                    "cloudtrail"
tsEventType             string
eventVersion            string
userIdentity            string
eventSource             string
eventSourceType*        string
eventName*              string
accountId*              string
arn*                    string
awsRegion               string
userAgent               string
bucketName*             string
error*                  string
errorCode*              string
errorMessage*           string
requestParameters*      array[object]
responseElements*       array[object]
additionalEventData*    string
requestId*              string
eventType*              string
apiVersion*             string
arnRole*                string
accessKey*              string
cidrIp*                 string
consoleLogin*           string
managementEvent*        boolean
mfaused*                boolean
readOnly*               boolean
resourceName*           string
resourceType*           string
resources*              array[string]
recipientAccountId*     string
serviceEventDetails*    string
sharedEventId*          string
subnetId*               string
iamInstanceProfileArn*  string
iamInstanceProfileId*   string
ip*                     string
imageId*                string
keyId*                  string
sourceIpAddress*        string
permission*             string
profileId*              string
policyArn*              string
feed*                   string
user*                   string
userType*               string
vpcEndpoint*            string

* The value of "tags" determines whether or not this field displays for the event.

Kubernetes Config

Subfields are indented beneath their parent field; "items" gives the format of an array's elements.

Field                   Format
agentId                 string
organizationId*         string
ingestTime              long
eventId                 string
eventTime               long
tags                    "container", "docker"
tsEventType             string
name                    string
namespace               string
spec                    array
  role_bindings         optional object
    targets             optional array
      name              string
      namespaces        string
      type              string
    roleName            string
    roleType            string
  role_policies         optional array
    apiGroups           optional array
      items             string
    resourceNames       optional array
      items             string
    resources           optional array
      items             string
    verbs               array
      items             string
type                    "ClusterRole", "Role", "ClusterRoleBindings", "RoleBindings"
uid                     string

* The value of "tags" determines whether or not this field displays for the event.

Windows Agent Raw Event Format
Field                   Format
agentId                 string
organizationId          string
ingestTime              long
eventId                 string
eventTime               long
tags                    "windows"
tsEventType             string
access*                 string
allowedDelegates*       string
auditCategory*          string
auditGuid*              string
auditPolicyChanges*     string
auditSubcategory*       string
authPackage*            string
code*                   long
command*                string
company*                string
correlation*            string
currentDirectory*       string
description*            string
displayname*            string
dnsHost*                string
driver*                 string
dstHost*                string
dstIp*                  string
dstIpv6*                string
dstPort*                string
dstPortName*            string
domain*                 string
elevated*               string
exe*                    string
executionPid*           int
executionTid*           int
expiration*             string
fileversion*            string
guid*                   string
hash*                   string
homeDirectory*          string
homePath*               string
impersonation*          string
integrity*              string
integrityName*          string
integritySid*           string
keyLength*              int
linkedLogonId*          long
lmPackageName*          string
logonHours*             string
logonProcess*           string
logonType*              string
logonTitle*             string
logout*                 long
newRegKey*              string
newState*               string
newTime*                long
newUac*                 string
newUserName*            string
newValue*               string
netConnInitiated*       boolean
notificationPackage*    string
oldTime*                long
oldUac*                 string
parentCommand*          string
parentGuid*             string
parentName*             string
passwordLastSet*        string
pid*                    int
pipeName*               string
ppid*                   int
primaryGroupId*         string
principalName*          string
privileges*             string
product*                string
profilePath*            string
protocol*               string
recordNumber*           int
restrictedAdmin*        string
regEvent*               string
samAccount*             string
scriptPath*             string
securityPackage*        string
serviceAccount*         string
serviceFile*            string
serviceName*            string
serviceStart*           int
serviceType*            string
session*                long
sidHistory*             string
signature*              string
signatureValidity*      string
signed*                 string
specialGroups*          string
spn*                    string
srcHost*                string
srcIp*                  string
srcIpv6*                boolean
srcPort*                int
srcPortName*            string
startAddr*              string
startFunc*              string
startModule*            string
status*                 string
statusString*           string
subtype*                string
summary*                string
targetDevice*           string
targetDomain*           string
targetExe*              string
targetFile*             string
targetGroup*            string
targetGroupId*          string
targetGuid*             string
targetOutboundDomain*   string
targetOutboundUser*     string
targetPid*              int
targetRegKey*           string
targetUid*              string
targetUser*             string
targetServer*           string
targetServerInfo*       string
targetSession*          string
threadId*               string
tokenElevationType*     string
trace*                  string
transmittedServices*    string
tty*                    string
type*                   string
uac*                    string
uid*                    int
user*                   string
userParameters*         string
virtual*                string
winEventId*             int
wmiConsumer*            string
wmiConsumerType*        string
wmiEvent*               string
wmiFilter*              string
wmiName*                string
wmiNamespace*           string
wmiOperation*           string
wmiQuery*               string
workstation*            string
sid*                    string

* The value of "tags" determines whether or not this field displays for the event.
