CSM Threats events for Linux systems have the following JSON schema:
BACKEND_EVENT_JSON_SCHEMA
{"$id":"https://github.com/DataDog/datadog-agent/tree/main/pkg/security/serializers","$defs":{"AWSIMDSEvent":{"properties":{"is_imds_v2":{"type":"boolean","description":"is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"},"security_credentials":{"$ref":"#/$defs/AWSSecurityCredentials","description":"SecurityCredentials holds the scrubbed data collected on the security credentials"}},"additionalProperties":false,"type":"object","required":["is_imds_v2"],"description":"AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"},"AWSSecurityCredentials":{"properties":{"code":{"type":"string","description":"code is the IMDS server code response"},"type":{"type":"string","description":"type is the security credentials type"},"access_key_id":{"type":"string","description":"access_key_id is the unique access key ID of the credentials"},"last_updated":{"type":"string","description":"last_updated is the last time the credentials were updated"},"expiration":{"type":"string","description":"expiration is the expiration date of the credentials"}},"additionalProperties":false,"type":"object","required":["code","type","access_key_id","last_updated","expiration"],"description":"AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"},"AcceptEvent":{"properties":{"addr":{"$ref":"#/$defs/IPPortFamily","description":"Bound address (if any)"}},"additionalProperties":false,"type":"object","required":["addr"],"description":"AcceptEventSerializer serializes a bind event to 
JSON"},"AgentContext":{"properties":{"rule_id":{"type":"string"},"rule_version":{"type":"string"},"rule_actions":{"items":true,"type":"array"},"policy_name":{"type":"string"},"policy_version":{"type":"string"},"version":{"type":"string"},"os":{"type":"string"},"arch":{"type":"string"},"origin":{"type":"string"},"kernel_version":{"type":"string"},"distribution":{"type":"string"}},"additionalProperties":false,"type":"object","required":["rule_id"]},"BPFEvent":{"properties":{"cmd":{"type":"string","description":"BPF command"},"map":{"$ref":"#/$defs/BPFMap","description":"BPF map"},"program":{"$ref":"#/$defs/BPFProgram","description":"BPF program"}},"additionalProperties":false,"type":"object","required":["cmd"],"description":"BPFEventSerializer serializes a BPF event to JSON"},"BPFMap":{"properties":{"name":{"type":"string","description":"Name of the BPF map"},"map_type":{"type":"string","description":"Type of the BPF map"}},"additionalProperties":false,"type":"object","description":"BPFMapSerializer serializes a BPF map to JSON"},"BPFProgram":{"properties":{"name":{"type":"string","description":"Name of the BPF program"},"tag":{"type":"string","description":"Hash (sha1) of the BPF program"},"program_type":{"type":"string","description":"Type of the BPF program"},"attach_type":{"type":"string","description":"Attach type of the BPF program"},"helpers":{"items":{"type":"string"},"type":"array","description":"List of helpers used by the BPF program"}},"additionalProperties":false,"type":"object","description":"BPFProgramSerializer serializes a BPF map to JSON"},"BindEvent":{"properties":{"addr":{"$ref":"#/$defs/IPPortFamily","description":"Bound address (if any)"},"protocol":{"type":"string"}},"additionalProperties":false,"type":"object","required":["addr","protocol"],"description":"BindEventSerializer serializes a bind event to JSON"},"CGroupContext":{"properties":{"id":{"type":"string","description":"CGroup ID"},"manager":{"type":"string","description":"CGroup 
manager"}},"additionalProperties":false,"type":"object","description":"CGroupContextSerializer serializes a cgroup context to JSON"},"ConnectEvent":{"properties":{"addr":{"$ref":"#/$defs/IPPortFamily"},"protocol":{"type":"string"}},"additionalProperties":false,"type":"object","required":["addr","protocol"],"description":"ConnectEventSerializer serializes a connect event to JSON"},"ContainerContext":{"properties":{"id":{"type":"string","description":"Container ID"},"created_at":{"type":"string","format":"date-time","description":"Creation time of the container"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"ContainerContextSerializer serializes a container context to JSON"},"DDContext":{"properties":{"span_id":{"type":"string","description":"Span ID used for APM correlation"},"trace_id":{"type":"string","description":"Trace ID used for APM correlation"}},"additionalProperties":false,"type":"object","description":"DDContextSerializer serializes a span context to JSON"},"DNSEvent":{"properties":{"id":{"type":"integer","description":"id is the unique identifier of the DNS request"},"question":{"$ref":"#/$defs/DNSQuestion","description":"question is a DNS question for the DNS request"}},"additionalProperties":false,"type":"object","required":["id","question"],"description":"DNSEventSerializer serializes a DNS event to JSON"},"DNSQuestion":{"properties":{"class":{"type":"string","description":"class is the class looked up by the DNS question"},"type":{"type":"string","description":"type is a two octet code which specifies the DNS question type"},"name":{"type":"string","description":"name is the queried domain name"},"size":{"type":"integer","description":"size is the total DNS request size in bytes"},"count":{"type":"integer","description":"count is the total count of questions in the DNS 
request"}},"additionalProperties":false,"type":"object","required":["class","type","name","size","count"],"description":"DNSQuestionSerializer serializes a DNS question to JSON"},"EventContext":{"properties":{"name":{"type":"string","description":"Event name"},"category":{"type":"string","description":"Event category"},"outcome":{"type":"string","description":"Event outcome"},"async":{"type":"boolean","description":"True if the event was asynchronous"},"matched_rules":{"items":{"$ref":"#/$defs/MatchedRule"},"type":"array","description":"The list of rules that the event matched (only valid in the context of an anomaly)"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"EventContextSerializer serializes an event context to JSON"},"ExitEvent":{"properties":{"cause":{"type":"string","description":"Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"},"code":{"type":"integer","description":"Exit code of the process or number of the signal that caused the process to terminate"}},"additionalProperties":false,"type":"object","required":["cause","code"],"description":"ExitEventSerializer serializes an exit event to JSON"},"File":{"properties":{"path":{"type":"string","description":"File path"},"name":{"type":"string","description":"File basename"},"path_resolution_error":{"type":"string","description":"Error message from path resolution"},"inode":{"type":"integer","description":"File inode number"},"mode":{"type":"integer","description":"File mode"},"in_upper_layer":{"type":"boolean","description":"Indicator of file OverlayFS layer"},"mount_id":{"type":"integer","description":"File mount ID"},"filesystem":{"type":"string","description":"File filesystem name"},"uid":{"type":"integer","description":"File User ID"},"gid":{"type":"integer","description":"File Group ID"},"user":{"type":"string","description":"File user"},"group":{"type":"string","description":"File 
group"},"attribute_name":{"type":"string","description":"File extended attribute name"},"attribute_namespace":{"type":"string","description":"File extended attribute namespace"},"flags":{"items":{"type":"string"},"type":"array","description":"File flags"},"access_time":{"type":"string","format":"date-time","description":"File access time"},"modification_time":{"type":"string","format":"date-time","description":"File modified time"},"change_time":{"type":"string","format":"date-time","description":"File change time"},"package_name":{"type":"string","description":"System package name"},"package_version":{"type":"string","description":"System package version"},"hashes":{"items":{"type":"string"},"type":"array","description":"List of cryptographic hashes of the file"},"hash_state":{"type":"string","description":"State of the hashes or reason why they weren't computed"},"mount_path":{"type":"string","description":"MountPath path of the mount"},"mount_source":{"type":"string","description":"MountSource source of the mount"},"mount_origin":{"type":"string","description":"MountOrigin origin of the mount"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"FileSerializer serializes a file to JSON"},"FileEvent":{"properties":{"path":{"type":"string","description":"File path"},"name":{"type":"string","description":"File basename"},"path_resolution_error":{"type":"string","description":"Error message from path resolution"},"inode":{"type":"integer","description":"File inode number"},"mode":{"type":"integer","description":"File mode"},"in_upper_layer":{"type":"boolean","description":"Indicator of file OverlayFS layer"},"mount_id":{"type":"integer","description":"File mount ID"},"filesystem":{"type":"string","description":"File filesystem name"},"uid":{"type":"integer","description":"File User ID"},"gid":{"type":"integer","description":"File Group ID"},"user":{"type":"string","description":"File 
user"},"group":{"type":"string","description":"File group"},"attribute_name":{"type":"string","description":"File extended attribute name"},"attribute_namespace":{"type":"string","description":"File extended attribute namespace"},"flags":{"items":{"type":"string"},"type":"array","description":"File flags"},"access_time":{"type":"string","format":"date-time","description":"File access time"},"modification_time":{"type":"string","format":"date-time","description":"File modified time"},"change_time":{"type":"string","format":"date-time","description":"File change time"},"package_name":{"type":"string","description":"System package name"},"package_version":{"type":"string","description":"System package version"},"hashes":{"items":{"type":"string"},"type":"array","description":"List of cryptographic hashes of the file"},"hash_state":{"type":"string","description":"State of the hashes or reason why they weren't computed"},"mount_path":{"type":"string","description":"MountPath path of the mount"},"mount_source":{"type":"string","description":"MountSource source of the mount"},"mount_origin":{"type":"string","description":"MountOrigin origin of the mount"},"destination":{"$ref":"#/$defs/File","description":"Target file information"},"new_mount_id":{"type":"integer","description":"New Mount ID"},"device":{"type":"integer","description":"Device associated with the file"},"fstype":{"type":"string","description":"Filesystem type"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"FileEventSerializer serializes a file event to JSON"},"Flow":{"properties":{"l3_protocol":{"type":"string","description":"l3_protocol is the layer 3 protocol name"},"l4_protocol":{"type":"string","description":"l4_protocol is the layer 4 protocol name"},"source":{"$ref":"#/$defs/IPPort","description":"source is the emitter of the network event"},"destination":{"$ref":"#/$defs/IPPort","description":"destination is the receiver of the network 
event"},"ingress":{"$ref":"#/$defs/NetworkStats","description":"ingress holds the network statistics for ingress traffic"},"egress":{"$ref":"#/$defs/NetworkStats","description":"egress holds the network statistics for egress traffic"}},"additionalProperties":false,"type":"object","required":["l3_protocol","l4_protocol","source","destination"],"description":"FlowSerializer defines a new flow serializer"},"IMDSEvent":{"properties":{"type":{"type":"string","description":"type is the type of IMDS event"},"cloud_provider":{"type":"string","description":"cloud_provider is the intended cloud provider of the IMDS event"},"url":{"type":"string","description":"url is the url of the IMDS request"},"host":{"type":"string","description":"host is the host of the HTTP protocol"},"user_agent":{"type":"string","description":"user_agent is the user agent of the HTTP client"},"server":{"type":"string","description":"server is the server header of a response"},"aws":{"$ref":"#/$defs/AWSIMDSEvent","description":"AWS holds the AWS specific data parsed from the IMDS event"}},"additionalProperties":false,"type":"object","required":["type","cloud_provider"],"description":"IMDSEventSerializer serializes an IMDS event to JSON"},"IPPort":{"properties":{"ip":{"type":"string","description":"IP address"},"port":{"type":"integer","description":"Port number"}},"additionalProperties":false,"type":"object","required":["ip","port"],"description":"IPPortSerializer is used to serialize an IP and Port context to JSON"},"IPPortFamily":{"properties":{"family":{"type":"string","description":"Address family"},"ip":{"type":"string","description":"IP address"},"port":{"type":"integer","description":"Port number"}},"additionalProperties":false,"type":"object","required":["family","ip","port"],"description":"IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"},"MMapEvent":{"properties":{"address":{"type":"string","description":"memory segment 
address"},"offset":{"type":"integer","description":"file offset"},"length":{"type":"integer","description":"memory segment length"},"protection":{"type":"string","description":"memory segment protection"},"flags":{"type":"string","description":"memory segment flags"}},"additionalProperties":false,"type":"object","required":["address","offset","length","protection","flags"],"description":"MMapEventSerializer serializes a mmap event to JSON"},"MProtectEvent":{"properties":{"vm_start":{"type":"string","description":"memory segment start address"},"vm_end":{"type":"string","description":"memory segment end address"},"vm_protection":{"type":"string","description":"initial memory segment protection"},"req_protection":{"type":"string","description":"new memory segment protection"}},"additionalProperties":false,"type":"object","required":["vm_start","vm_end","vm_protection","req_protection"],"description":"MProtectEventSerializer serializes a mmap event to JSON"},"MatchedRule":{"properties":{"id":{"type":"string","description":"ID of the rule"},"version":{"type":"string","description":"Version of the rule"},"tags":{"items":{"type":"string"},"type":"array","description":"Tags of the rule"},"policy_name":{"type":"string","description":"Name of the policy that introduced the rule"},"policy_version":{"type":"string","description":"Version of the policy that introduced the rule"}},"additionalProperties":false,"type":"object","description":"MatchedRuleSerializer serializes a rule"},"ModuleEvent":{"properties":{"name":{"type":"string","description":"module name"},"loaded_from_memory":{"type":"boolean","description":"indicates if a module was loaded from memory, as opposed to a file"},"argv":{"items":{"type":"string"},"type":"array"},"args_truncated":{"type":"boolean"}},"additionalProperties":false,"type":"object","required":["name"],"description":"ModuleEventSerializer serializes a module event to JSON"},"MountEvent":{"properties":{"mp":{"$ref":"#/$defs/File","description":"Mount 
point file information"},"root":{"$ref":"#/$defs/File","description":"Root file information"},"mount_id":{"type":"integer","description":"Mount ID of the new mount"},"parent_mount_id":{"type":"integer","description":"Mount ID of the parent mount"},"bind_src_mount_id":{"type":"integer","description":"Mount ID of the source of a bind mount"},"device":{"type":"integer","description":"Device associated with the file"},"fs_type":{"type":"string","description":"Filesystem type"},"mountpoint.path":{"type":"string","description":"Mount point path"},"source.path":{"type":"string","description":"Mount source path"},"mountpoint.path_error":{"type":"string","description":"Mount point path error"},"source.path_error":{"type":"string","description":"Mount source path error"}},"additionalProperties":false,"type":"object","required":["mount_id","parent_mount_id","bind_src_mount_id","device"],"description":"MountEventSerializer serializes a mount event to JSON"},"NetworkContext":{"properties":{"device":{"$ref":"#/$defs/NetworkDevice","description":"device is the network device on which the event was captured"},"l3_protocol":{"type":"string","description":"l3_protocol is the layer 3 protocol name"},"l4_protocol":{"type":"string","description":"l4_protocol is the layer 4 protocol name"},"source":{"$ref":"#/$defs/IPPort","description":"source is the emitter of the network event"},"destination":{"$ref":"#/$defs/IPPort","description":"destination is the receiver of the network event"},"size":{"type":"integer","description":"size is the size in bytes of the network event"},"network_direction":{"type":"string","description":"network_direction indicates if the packet was captured on ingress or egress"}},"additionalProperties":false,"type":"object","required":["l3_protocol","l4_protocol","source","destination","size","network_direction"],"description":"NetworkContextSerializer serializes the network context to 
JSON"},"NetworkDevice":{"properties":{"netns":{"type":"integer","description":"netns is the interface ifindex"},"ifindex":{"type":"integer","description":"ifindex is the network interface ifindex"},"ifname":{"type":"string","description":"ifname is the network interface name"}},"additionalProperties":false,"type":"object","required":["netns","ifindex","ifname"],"description":"NetworkDeviceSerializer serializes the network device context to JSON"},"NetworkFlowMonitor":{"properties":{"device":{"$ref":"#/$defs/NetworkDevice","description":"device is the network device on which the event was captured"},"flows":{"items":{"$ref":"#/$defs/Flow"},"type":"array","description":"flows is the list of flows with network statistics that were captured"}},"additionalProperties":false,"type":"object","description":"NetworkFlowMonitorSerializer defines a network monitor event serializer"},"NetworkStats":{"properties":{"data_size":{"type":"integer","description":"data_size is the total count of bytes sent or received"},"packet_count":{"type":"integer","description":"packet_count is the total count of packets sent or received"}},"additionalProperties":false,"type":"object","description":"NetworkStatsSerializer defines a new network stats serializer"},"PTraceEvent":{"properties":{"request":{"type":"string","description":"ptrace request"},"address":{"type":"string","description":"address at which the ptrace request was executed"},"tracee":{"$ref":"#/$defs/ProcessContext","description":"process context of the tracee"}},"additionalProperties":false,"type":"object","required":["request","address"],"description":"PTraceEventSerializer serializes a mmap event to JSON"},"Process":{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"tid":{"type":"integer","description":"Thread ID"},"uid":{"type":"integer","description":"User ID"},"gid":{"type":"integer","description":"Group 
ID"},"user":{"type":"string","description":"User name"},"group":{"type":"string","description":"Group name"},"path_resolution_error":{"type":"string","description":"Description of an error in the path resolution"},"comm":{"type":"string","description":"Command name"},"tty":{"type":"string","description":"TTY associated with the process"},"fork_time":{"type":"string","format":"date-time","description":"Fork time of the process"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"credentials":{"$ref":"#/$defs/ProcessCredentials","description":"Credentials associated with the process"},"user_session":{"$ref":"#/$defs/UserSessionContext","description":"Context of the user session for this event"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"interpreter":{"$ref":"#/$defs/File","description":"File information of the interpreter"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"argv0":{"type":"string","description":"First command line argument"},"args":{"items":{"type":"string"},"type":"array","description":"Command line arguments"},"args_truncated":{"type":"boolean","description":"Indicator of arguments truncation"},"envs":{"items":{"type":"string"},"type":"array","description":"Environment variables of the process"},"envs_truncated":{"type":"boolean","description":"Indicator of environments variable truncation"},"is_thread":{"type":"boolean","description":"Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"},"is_kworker":{"type":"boolean","description":"Indicates whether the process is a kworker"},"is_exec_child":{"type":"boolean","description":"Indicates whether the process is an exec following another exec"},"source":{"type":"string","description":"Process 
source"},"syscalls":{"$ref":"#/$defs/SyscallsEvent","description":"List of syscalls captured to generate the event"},"aws_security_credentials":{"items":{"$ref":"#/$defs/AWSSecurityCredentials"},"type":"array","description":"List of AWS Security Credentials that the process had access to"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"ProcessSerializer serializes a process to JSON"},"ProcessContext":{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"tid":{"type":"integer","description":"Thread ID"},"uid":{"type":"integer","description":"User ID"},"gid":{"type":"integer","description":"Group ID"},"user":{"type":"string","description":"User name"},"group":{"type":"string","description":"Group name"},"path_resolution_error":{"type":"string","description":"Description of an error in the path resolution"},"comm":{"type":"string","description":"Command name"},"tty":{"type":"string","description":"TTY associated with the process"},"fork_time":{"type":"string","format":"date-time","description":"Fork time of the process"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"credentials":{"$ref":"#/$defs/ProcessCredentials","description":"Credentials associated with the process"},"user_session":{"$ref":"#/$defs/UserSessionContext","description":"Context of the user session for this event"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"interpreter":{"$ref":"#/$defs/File","description":"File information of the interpreter"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"argv0":{"type":"string","description":"First command line argument"},"args":{"items":{"type":"string"},"type":"array","description":"Command line 
arguments"},"args_truncated":{"type":"boolean","description":"Indicator of arguments truncation"},"envs":{"items":{"type":"string"},"type":"array","description":"Environment variables of the process"},"envs_truncated":{"type":"boolean","description":"Indicator of environments variable truncation"},"is_thread":{"type":"boolean","description":"Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"},"is_kworker":{"type":"boolean","description":"Indicates whether the process is a kworker"},"is_exec_child":{"type":"boolean","description":"Indicates whether the process is an exec following another exec"},"source":{"type":"string","description":"Process source"},"syscalls":{"$ref":"#/$defs/SyscallsEvent","description":"List of syscalls captured to generate the event"},"aws_security_credentials":{"items":{"$ref":"#/$defs/AWSSecurityCredentials"},"type":"array","description":"List of AWS Security Credentials that the process had access to"},"parent":{"$ref":"#/$defs/Process","description":"Parent process"},"ancestors":{"items":{"$ref":"#/$defs/Process"},"type":"array","description":"Ancestor processes"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"},"truncated_ancestors":{"type":"boolean","description":"True if the ancestors list was truncated because it was too big"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"ProcessContextSerializer serializes a process context to JSON"},"ProcessCredentials":{"properties":{"uid":{"type":"integer","description":"User ID"},"user":{"type":"string","description":"User name"},"gid":{"type":"integer","description":"Group ID"},"group":{"type":"string","description":"Group name"},"euid":{"type":"integer","description":"Effective User ID"},"euser":{"type":"string","description":"Effective User name"},"egid":{"type":"integer","description":"Effective Group ID"},"egroup":{"type":"string","description":"Effective Group 
name"},"fsuid":{"type":"integer","description":"Filesystem User ID"},"fsuser":{"type":"string","description":"Filesystem User name"},"fsgid":{"type":"integer","description":"Filesystem Group ID"},"fsgroup":{"type":"string","description":"Filesystem Group name"},"auid":{"type":"integer","description":"Login UID"},"cap_effective":{"items":{"type":"string"},"type":"array","description":"Effective Capability set"},"cap_permitted":{"items":{"type":"string"},"type":"array","description":"Permitted Capability set"},"destination":{"description":"Credentials after the operation"}},"additionalProperties":false,"type":"object","required":["uid","gid","euid","egid","fsuid","fsgid","auid","cap_effective","cap_permitted"],"description":"ProcessCredentialsSerializer serializes the process credentials to JSON"},"RawPacket":{"properties":{"device":{"$ref":"#/$defs/NetworkDevice","description":"device is the network device on which the event was captured"},"l3_protocol":{"type":"string","description":"l3_protocol is the layer 3 protocol name"},"l4_protocol":{"type":"string","description":"l4_protocol is the layer 4 protocol name"},"source":{"$ref":"#/$defs/IPPort","description":"source is the emitter of the network event"},"destination":{"$ref":"#/$defs/IPPort","description":"destination is the receiver of the network event"},"size":{"type":"integer","description":"size is the size in bytes of the network event"},"network_direction":{"type":"string","description":"network_direction indicates if the packet was captured on ingress or egress"},"tls":{"$ref":"#/$defs/TLSContext"}},"additionalProperties":false,"type":"object","required":["l3_protocol","l4_protocol","source","destination","size","network_direction"],"description":"RawPacketSerializer defines a raw packet serializer"},"SELinuxBoolChange":{"properties":{"name":{"type":"string","description":"SELinux boolean name"},"state":{"type":"string","description":"SELinux boolean state ('on' or 
'off')"}},"additionalProperties":false,"type":"object","description":"SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"},"SELinuxBoolCommit":{"properties":{"state":{"type":"boolean","description":"SELinux boolean commit operation"}},"additionalProperties":false,"type":"object","description":"SELinuxBoolCommitSerializer serializes a SELinux boolean commit to JSON"},"SELinuxEnforceStatus":{"properties":{"status":{"type":"string","description":"SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"}},"additionalProperties":false,"type":"object","description":"SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"},"SELinuxEvent":{"properties":{"bool":{"$ref":"#/$defs/SELinuxBoolChange","description":"SELinux boolean operation"},"enforce":{"$ref":"#/$defs/SELinuxEnforceStatus","description":"SELinux enforcement change"},"bool_commit":{"$ref":"#/$defs/SELinuxBoolCommit","description":"SELinux boolean commit"}},"additionalProperties":false,"type":"object","description":"SELinuxEventSerializer serializes a SELinux context to JSON"},"SecurityProfileContext":{"properties":{"name":{"type":"string","description":"Name of the security profile"},"version":{"type":"string","description":"Version of the profile in use"},"tags":{"items":{"type":"string"},"type":"array","description":"List of tags associated to this profile"},"event_in_profile":{"type":"boolean","description":"True if the corresponding event is part of this profile"},"event_type_state":{"type":"string","description":"State of the event type in this profile"}},"additionalProperties":false,"type":"object","required":["name","version","tags","event_in_profile","event_type_state"],"description":"SecurityProfileContextSerializer serializes the security profile context in an event"},"SignalEvent":{"properties":{"type":{"type":"string","description":"signal type"},"pid":{"type":"integer","description":"signal target 
pid"},"target":{"$ref":"#/$defs/ProcessContext","description":"process context of the signal target"}},"additionalProperties":false,"type":"object","required":["type","pid"],"description":"SignalEventSerializer serializes a signal event to JSON"},"SpliceEvent":{"properties":{"pipe_entry_flag":{"type":"string","description":"Entry flag of the fd_out pipe passed to the splice syscall"},"pipe_exit_flag":{"type":"string","description":"Exit flag of the fd_out pipe passed to the splice syscall"}},"additionalProperties":false,"type":"object","required":["pipe_entry_flag","pipe_exit_flag"],"description":"SpliceEventSerializer serializes a splice event to JSON"},"Syscall":{"properties":{"name":{"type":"string","description":"Name of the syscall"},"id":{"type":"integer","description":"ID of the syscall in the host architecture"}},"additionalProperties":false,"type":"object","required":["name","id"],"description":"SyscallSerializer serializes a syscall"},"SyscallArgs":{"properties":{"path":{"type":"string","description":"Path argument"},"flags":{"type":"integer","description":"Flags argument"},"mode":{"type":"integer","description":"Mode argument"},"uid":{"type":"integer","description":"UID argument"},"gid":{"type":"integer","description":"GID argument"},"dirfd":{"type":"integer","description":"Directory file descriptor argument"},"destination_path":{"type":"string","description":"Destination path argument"},"fs_type":{"type":"string","description":"File system type argument"}},"additionalProperties":false,"type":"object","description":"SyscallArgsSerializer args 
serializer"},"SyscallContext":{"properties":{"chmod":{"$ref":"#/$defs/SyscallArgs"},"chown":{"$ref":"#/$defs/SyscallArgs"},"chdir":{"$ref":"#/$defs/SyscallArgs"},"exec":{"$ref":"#/$defs/SyscallArgs"},"open":{"$ref":"#/$defs/SyscallArgs"},"unlink":{"$ref":"#/$defs/SyscallArgs"},"link":{"$ref":"#/$defs/SyscallArgs"},"rename":{"$ref":"#/$defs/SyscallArgs"},"utimes":{"$ref":"#/$defs/SyscallArgs"},"mount":{"$ref":"#/$defs/SyscallArgs"},"mkdir":{"$ref":"#/$defs/SyscallArgs"},"rmdir":{"$ref":"#/$defs/SyscallArgs"}},"additionalProperties":false,"type":"object","description":"SyscallContextSerializer serializes syscall context"},"SyscallsEvent":{"items":{"$ref":"#/$defs/Syscall"},"type":"array","description":"SyscallsEventSerializer serializes the syscalls from a syscalls event"},"TLSContext":{"properties":{"version":{"type":"string"}},"additionalProperties":false,"type":"object","description":"TLSContextSerializer defines a tls context serializer"},"UserContext":{"properties":{"id":{"type":"string","description":"User name"},"group":{"type":"string","description":"Group name"}},"additionalProperties":false,"type":"object","description":"UserContextSerializer serializes a user context to JSON"},"UserSessionContext":{"properties":{"id":{"type":"string","description":"Unique identifier of the user session on the host"},"session_type":{"type":"string","description":"Type of the user session"},"k8s_username":{"type":"string","description":"Username of the Kubernetes \"kubectl exec\" session"},"k8s_uid":{"type":"string","description":"UID of the Kubernetes \"kubectl exec\" session"},"k8s_groups":{"items":{"type":"string"},"type":"array","description":"Groups of the Kubernetes \"kubectl exec\" session"},"k8s_extra":{"additionalProperties":{"items":{"type":"string"},"type":"array"},"type":"object","description":"Extra of the Kubernetes \"kubectl exec\" session"}},"additionalProperties":false,"type":"object","description":"UserSessionContextSerializer serializes the user session 
context to JSON"},"Variables":{"type":"object","description":"Variables serializes the variable values"}},"properties":{"agent":{"$ref":"#/$defs/AgentContext"},"title":{"type":"string"},"evt":{"$ref":"#/$defs/EventContext"},"date":{"type":"string","format":"date-time"},"file":{"$ref":"#/$defs/FileEvent"},"exit":{"$ref":"#/$defs/ExitEvent"},"process":{"$ref":"#/$defs/ProcessContext"},"container":{"$ref":"#/$defs/ContainerContext"},"network":{"$ref":"#/$defs/NetworkContext"},"dd":{"$ref":"#/$defs/DDContext"},"security_profile":{"$ref":"#/$defs/SecurityProfileContext"},"cgroup":{"$ref":"#/$defs/CGroupContext"},"selinux":{"$ref":"#/$defs/SELinuxEvent"},"bpf":{"$ref":"#/$defs/BPFEvent"},"mmap":{"$ref":"#/$defs/MMapEvent"},"mprotect":{"$ref":"#/$defs/MProtectEvent"},"ptrace":{"$ref":"#/$defs/PTraceEvent"},"module":{"$ref":"#/$defs/ModuleEvent"},"signal":{"$ref":"#/$defs/SignalEvent"},"splice":{"$ref":"#/$defs/SpliceEvent"},"dns":{"$ref":"#/$defs/DNSEvent"},"imds":{"$ref":"#/$defs/IMDSEvent"},"accept":{"$ref":"#/$defs/AcceptEvent"},"bind":{"$ref":"#/$defs/BindEvent"},"connect":{"$ref":"#/$defs/ConnectEvent"},"mount":{"$ref":"#/$defs/MountEvent"},"syscalls":{"$ref":"#/$defs/SyscallsEvent"},"usr":{"$ref":"#/$defs/UserContext"},"syscall":{"$ref":"#/$defs/SyscallContext"},"packet":{"$ref":"#/$defs/RawPacket"},"network_flow_monitor":{"$ref":"#/$defs/NetworkFlowMonitor"}},"additionalProperties":false,"type":"object","required":["agent","title"]}
{"properties":{"is_imds_v2":{"type":"boolean","description":"is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions"},"security_credentials":{"$ref":"#/$defs/AWSSecurityCredentials","description":"SecurityCredentials holds the scrubbed data collected on the security credentials"}},"additionalProperties":false,"type":"object","required":["is_imds_v2"],"description":"AWSIMDSEventSerializer serializes an AWS IMDS event to JSON"}
Field
Description
is_imds_v2
is_imds_v2 reports if the IMDS event follows IMDSv1 or IMDSv2 conventions
security_credentials
SecurityCredentials holds the scrubbed data collected on the security credentials
{"properties":{"code":{"type":"string","description":"code is the IMDS server code response"},"type":{"type":"string","description":"type is the security credentials type"},"access_key_id":{"type":"string","description":"access_key_id is the unique access key ID of the credentials"},"last_updated":{"type":"string","description":"last_updated is the last time the credentials were updated"},"expiration":{"type":"string","description":"expiration is the expiration date of the credentials"}},"additionalProperties":false,"type":"object","required":["code","type","access_key_id","last_updated","expiration"],"description":"AWSSecurityCredentialsSerializer serializes the security credentials from an AWS IMDS request"}
Field
Description
code
code is the IMDS server code response
type
type is the security credentials type
access_key_id
access_key_id is the unique access key ID of the credentials
last_updated
last_updated is the last time the credentials were updated
expiration
expiration is the expiration date of the credentials
{"properties":{"addr":{"$ref":"#/$defs/IPPortFamily","description":"Bound address (if any)"}},"additionalProperties":false,"type":"object","required":["addr"],"description":"AcceptEventSerializer serializes an accept event to JSON"}
{"properties":{"cmd":{"type":"string","description":"BPF command"},"map":{"$ref":"#/$defs/BPFMap","description":"BPF map"},"program":{"$ref":"#/$defs/BPFProgram","description":"BPF program"}},"additionalProperties":false,"type":"object","required":["cmd"],"description":"BPFEventSerializer serializes a BPF event to JSON"}
{"properties":{"name":{"type":"string","description":"Name of the BPF map"},"map_type":{"type":"string","description":"Type of the BPF map"}},"additionalProperties":false,"type":"object","description":"BPFMapSerializer serializes a BPF map to JSON"}
{"properties":{"name":{"type":"string","description":"Name of the BPF program"},"tag":{"type":"string","description":"Hash (sha1) of the BPF program"},"program_type":{"type":"string","description":"Type of the BPF program"},"attach_type":{"type":"string","description":"Attach type of the BPF program"},"helpers":{"items":{"type":"string"},"type":"array","description":"List of helpers used by the BPF program"}},"additionalProperties":false,"type":"object","description":"BPFProgramSerializer serializes a BPF program to JSON"}
{"properties":{"addr":{"$ref":"#/$defs/IPPortFamily","description":"Bound address (if any)"},"protocol":{"type":"string"}},"additionalProperties":false,"type":"object","required":["addr","protocol"],"description":"BindEventSerializer serializes a bind event to JSON"}
{"properties":{"id":{"type":"string","description":"CGroup ID"},"manager":{"type":"string","description":"CGroup manager"}},"additionalProperties":false,"type":"object","description":"CGroupContextSerializer serializes a cgroup context to JSON"}
{"properties":{"addr":{"$ref":"#/$defs/IPPortFamily"},"protocol":{"type":"string"}},"additionalProperties":false,"type":"object","required":["addr","protocol"],"description":"ConnectEventSerializer serializes a connect event to JSON"}
{"properties":{"id":{"type":"string","description":"Container ID"},"created_at":{"type":"string","format":"date-time","description":"Creation time of the container"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"ContainerContextSerializer serializes a container context to JSON"}
{"properties":{"span_id":{"type":"string","description":"Span ID used for APM correlation"},"trace_id":{"type":"string","description":"Trace ID used for APM correlation"}},"additionalProperties":false,"type":"object","description":"DDContextSerializer serializes a span context to JSON"}
{"properties":{"id":{"type":"integer","description":"id is the unique identifier of the DNS request"},"question":{"$ref":"#/$defs/DNSQuestion","description":"question is a DNS question for the DNS request"}},"additionalProperties":false,"type":"object","required":["id","question"],"description":"DNSEventSerializer serializes a DNS event to JSON"}
{"properties":{"class":{"type":"string","description":"class is the class looked up by the DNS question"},"type":{"type":"string","description":"type is a two octet code which specifies the DNS question type"},"name":{"type":"string","description":"name is the queried domain name"},"size":{"type":"integer","description":"size is the total DNS request size in bytes"},"count":{"type":"integer","description":"count is the total count of questions in the DNS request"}},"additionalProperties":false,"type":"object","required":["class","type","name","size","count"],"description":"DNSQuestionSerializer serializes a DNS question to JSON"}
Field
Description
class
class is the class looked up by the DNS question
type
type is a two-octet code which specifies the DNS question type
name
name is the queried domain name
size
size is the total DNS request size in bytes
count
count is the total count of questions in the DNS request
{"properties":{"name":{"type":"string","description":"Event name"},"category":{"type":"string","description":"Event category"},"outcome":{"type":"string","description":"Event outcome"},"async":{"type":"boolean","description":"True if the event was asynchronous"},"matched_rules":{"items":{"$ref":"#/$defs/MatchedRule"},"type":"array","description":"The list of rules that the event matched (only valid in the context of an anomaly)"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"}},"additionalProperties":false,"type":"object","description":"EventContextSerializer serializes an event context to JSON"}
Field
Description
name
Event name
category
Event category
outcome
Event outcome
async
True if the event was asynchronous
matched_rules
The list of rules that the event matched (only valid in the context of an anomaly)
{"properties":{"cause":{"type":"string","description":"Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)"},"code":{"type":"integer","description":"Exit code of the process or number of the signal that caused the process to terminate"}},"additionalProperties":false,"type":"object","required":["cause","code"],"description":"ExitEventSerializer serializes an exit event to JSON"}
Field
Description
cause
Cause of the process termination (one of EXITED, SIGNALED, COREDUMPED)
code
Exit code of the process or number of the signal that caused the process to terminate
{"properties":{"path":{"type":"string","description":"File path"},"name":{"type":"string","description":"File basename"},"path_resolution_error":{"type":"string","description":"Error message from path resolution"},"inode":{"type":"integer","description":"File inode number"},"mode":{"type":"integer","description":"File mode"},"in_upper_layer":{"type":"boolean","description":"Indicator of file OverlayFS layer"},"mount_id":{"type":"integer","description":"File mount ID"},"filesystem":{"type":"string","description":"File filesystem name"},"uid":{"type":"integer","description":"File User ID"},"gid":{"type":"integer","description":"File Group ID"},"user":{"type":"string","description":"File user"},"group":{"type":"string","description":"File group"},"attribute_name":{"type":"string","description":"File extended attribute name"},"attribute_namespace":{"type":"string","description":"File extended attribute namespace"},"flags":{"items":{"type":"string"},"type":"array","description":"File flags"},"access_time":{"type":"string","format":"date-time","description":"File access time"},"modification_time":{"type":"string","format":"date-time","description":"File modified time"},"change_time":{"type":"string","format":"date-time","description":"File change time"},"package_name":{"type":"string","description":"System package name"},"package_version":{"type":"string","description":"System package version"},"hashes":{"items":{"type":"string"},"type":"array","description":"List of cryptographic hashes of the file"},"hash_state":{"type":"string","description":"State of the hashes or reason why they weren't computed"},"mount_path":{"type":"string","description":"MountPath path of the mount"},"mount_source":{"type":"string","description":"MountSource source of the mount"},"mount_origin":{"type":"string","description":"MountOrigin origin of the mount"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"FileSerializer serializes a file to JSON"}
Field
Description
path
File path
name
File basename
path_resolution_error
Error message from path resolution
inode
File inode number
mode
File mode
in_upper_layer
Indicator of file OverlayFS layer
mount_id
File mount ID
filesystem
File filesystem name
uid
File User ID
gid
File Group ID
user
File user
group
File group
attribute_name
File extended attribute name
attribute_namespace
File extended attribute namespace
flags
File flags
access_time
File access time
modification_time
File modified time
change_time
File change time
package_name
System package name
package_version
System package version
hashes
List of cryptographic hashes of the file
hash_state
State of the hashes or reason why they weren't computed
{"properties":{"path":{"type":"string","description":"File path"},"name":{"type":"string","description":"File basename"},"path_resolution_error":{"type":"string","description":"Error message from path resolution"},"inode":{"type":"integer","description":"File inode number"},"mode":{"type":"integer","description":"File mode"},"in_upper_layer":{"type":"boolean","description":"Indicator of file OverlayFS layer"},"mount_id":{"type":"integer","description":"File mount ID"},"filesystem":{"type":"string","description":"File filesystem name"},"uid":{"type":"integer","description":"File User ID"},"gid":{"type":"integer","description":"File Group ID"},"user":{"type":"string","description":"File user"},"group":{"type":"string","description":"File group"},"attribute_name":{"type":"string","description":"File extended attribute name"},"attribute_namespace":{"type":"string","description":"File extended attribute namespace"},"flags":{"items":{"type":"string"},"type":"array","description":"File flags"},"access_time":{"type":"string","format":"date-time","description":"File access time"},"modification_time":{"type":"string","format":"date-time","description":"File modified time"},"change_time":{"type":"string","format":"date-time","description":"File change time"},"package_name":{"type":"string","description":"System package name"},"package_version":{"type":"string","description":"System package version"},"hashes":{"items":{"type":"string"},"type":"array","description":"List of cryptographic hashes of the file"},"hash_state":{"type":"string","description":"State of the hashes or reason why they weren't computed"},"mount_path":{"type":"string","description":"MountPath path of the mount"},"mount_source":{"type":"string","description":"MountSource source of the mount"},"mount_origin":{"type":"string","description":"MountOrigin origin of the mount"},"destination":{"$ref":"#/$defs/File","description":"Target file information"},"new_mount_id":{"type":"integer","description":"New Mount ID"},"device":{"type":"integer","description":"Device associated with the file"},"fstype":{"type":"string","description":"Filesystem type"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"FileEventSerializer serializes a file event to JSON"}
Field
Description
path
File path
name
File basename
path_resolution_error
Error message from path resolution
inode
File inode number
mode
File mode
in_upper_layer
Indicator of file OverlayFS layer
mount_id
File mount ID
filesystem
File filesystem name
uid
File User ID
gid
File Group ID
user
File user
group
File group
attribute_name
File extended attribute name
attribute_namespace
File extended attribute namespace
flags
File flags
access_time
File access time
modification_time
File modified time
change_time
File change time
package_name
System package name
package_version
System package version
hashes
List of cryptographic hashes of the file
hash_state
State of the hashes or reason why they weren't computed
{"properties":{"l3_protocol":{"type":"string","description":"l3_protocol is the layer 3 protocol name"},"l4_protocol":{"type":"string","description":"l4_protocol is the layer 4 protocol name"},"source":{"$ref":"#/$defs/IPPort","description":"source is the emitter of the network event"},"destination":{"$ref":"#/$defs/IPPort","description":"destination is the receiver of the network event"},"ingress":{"$ref":"#/$defs/NetworkStats","description":"ingress holds the network statistics for ingress traffic"},"egress":{"$ref":"#/$defs/NetworkStats","description":"egress holds the network statistics for egress traffic"}},"additionalProperties":false,"type":"object","required":["l3_protocol","l4_protocol","source","destination"],"description":"FlowSerializer defines a new flow serializer"}
Field
Description
l3_protocol
l3_protocol is the layer 3 protocol name
l4_protocol
l4_protocol is the layer 4 protocol name
source
source is the emitter of the network event
destination
destination is the receiver of the network event
ingress
ingress holds the network statistics for ingress traffic
egress
egress holds the network statistics for egress traffic
{"properties":{"type":{"type":"string","description":"type is the type of IMDS event"},"cloud_provider":{"type":"string","description":"cloud_provider is the intended cloud provider of the IMDS event"},"url":{"type":"string","description":"url is the url of the IMDS request"},"host":{"type":"string","description":"host is the host of the HTTP protocol"},"user_agent":{"type":"string","description":"user_agent is the user agent of the HTTP client"},"server":{"type":"string","description":"server is the server header of a response"},"aws":{"$ref":"#/$defs/AWSIMDSEvent","description":"AWS holds the AWS specific data parsed from the IMDS event"}},"additionalProperties":false,"type":"object","required":["type","cloud_provider"],"description":"IMDSEventSerializer serializes an IMDS event to JSON"}
Field
Description
type
type is the type of IMDS event
cloud_provider
cloud_provider is the intended cloud provider of the IMDS event
url
url is the url of the IMDS request
host
host is the host of the HTTP protocol
user_agent
user_agent is the user agent of the HTTP client
server
server is the server header of a response
aws
AWS holds the AWS specific data parsed from the IMDS event
{"properties":{"ip":{"type":"string","description":"IP address"},"port":{"type":"integer","description":"Port number"}},"additionalProperties":false,"type":"object","required":["ip","port"],"description":"IPPortSerializer is used to serialize an IP and Port context to JSON"}
{"properties":{"family":{"type":"string","description":"Address family"},"ip":{"type":"string","description":"IP address"},"port":{"type":"integer","description":"Port number"}},"additionalProperties":false,"type":"object","required":["family","ip","port"],"description":"IPPortFamilySerializer is used to serialize an IP, port, and address family context to JSON"}
{"properties":{"id":{"type":"string","description":"ID of the rule"},"version":{"type":"string","description":"Version of the rule"},"tags":{"items":{"type":"string"},"type":"array","description":"Tags of the rule"},"policy_name":{"type":"string","description":"Name of the policy that introduced the rule"},"policy_version":{"type":"string","description":"Version of the policy that introduced the rule"}},"additionalProperties":false,"type":"object","description":"MatchedRuleSerializer serializes a rule"}
{"properties":{"name":{"type":"string","description":"module name"},"loaded_from_memory":{"type":"boolean","description":"indicates if a module was loaded from memory, as opposed to a file"},"argv":{"items":{"type":"string"},"type":"array"},"args_truncated":{"type":"boolean"}},"additionalProperties":false,"type":"object","required":["name"],"description":"ModuleEventSerializer serializes a module event to JSON"}
Field
Description
name
module name
loaded_from_memory
indicates if a module was loaded from memory, as opposed to a file
{"properties":{"mp":{"$ref":"#/$defs/File","description":"Mount point file information"},"root":{"$ref":"#/$defs/File","description":"Root file information"},"mount_id":{"type":"integer","description":"Mount ID of the new mount"},"parent_mount_id":{"type":"integer","description":"Mount ID of the parent mount"},"bind_src_mount_id":{"type":"integer","description":"Mount ID of the source of a bind mount"},"device":{"type":"integer","description":"Device associated with the file"},"fs_type":{"type":"string","description":"Filesystem type"},"mountpoint.path":{"type":"string","description":"Mount point path"},"source.path":{"type":"string","description":"Mount source path"},"mountpoint.path_error":{"type":"string","description":"Mount point path error"},"source.path_error":{"type":"string","description":"Mount source path error"}},"additionalProperties":false,"type":"object","required":["mount_id","parent_mount_id","bind_src_mount_id","device"],"description":"MountEventSerializer serializes a mount event to JSON"}
{"properties":{"device":{"$ref":"#/$defs/NetworkDevice","description":"device is the network device on which the event was captured"},"l3_protocol":{"type":"string","description":"l3_protocol is the layer 3 protocol name"},"l4_protocol":{"type":"string","description":"l4_protocol is the layer 4 protocol name"},"source":{"$ref":"#/$defs/IPPort","description":"source is the emitter of the network event"},"destination":{"$ref":"#/$defs/IPPort","description":"destination is the receiver of the network event"},"size":{"type":"integer","description":"size is the size in bytes of the network event"},"network_direction":{"type":"string","description":"network_direction indicates if the packet was captured on ingress or egress"}},"additionalProperties":false,"type":"object","required":["l3_protocol","l4_protocol","source","destination","size","network_direction"],"description":"NetworkContextSerializer serializes the network context to JSON"}
Field
Description
device
device is the network device on which the event was captured
l3_protocol
l3_protocol is the layer 3 protocol name
l4_protocol
l4_protocol is the layer 4 protocol name
source
source is the emitter of the network event
destination
destination is the receiver of the network event
size
size is the size in bytes of the network event
network_direction
network_direction indicates if the packet was captured on ingress or egress
{"properties":{"netns":{"type":"integer","description":"netns is the network namespace of the interface"},"ifindex":{"type":"integer","description":"ifindex is the network interface ifindex"},"ifname":{"type":"string","description":"ifname is the network interface name"}},"additionalProperties":false,"type":"object","required":["netns","ifindex","ifname"],"description":"NetworkDeviceSerializer serializes the network device context to JSON"}
{"properties":{"device":{"$ref":"#/$defs/NetworkDevice","description":"device is the network device on which the event was captured"},"flows":{"items":{"$ref":"#/$defs/Flow"},"type":"array","description":"flows is the list of flows with network statistics that were captured"}},"additionalProperties":false,"type":"object","description":"NetworkFlowMonitorSerializer defines a network monitor event serializer"}
Field
Description
device
device is the network device on which the event was captured
flows
flows is the list of flows with network statistics that were captured
{"properties":{"data_size":{"type":"integer","description":"data_size is the total count of bytes sent or received"},"packet_count":{"type":"integer","description":"packet_count is the total count of packets sent or received"}},"additionalProperties":false,"type":"object","description":"NetworkStatsSerializer defines a new network stats serializer"}
Field
Description
data_size
data_size is the total count of bytes sent or received
packet_count
packet_count is the total count of packets sent or received
{"properties":{"request":{"type":"string","description":"ptrace request"},"address":{"type":"string","description":"address at which the ptrace request was executed"},"tracee":{"$ref":"#/$defs/ProcessContext","description":"process context of the tracee"}},"additionalProperties":false,"type":"object","required":["request","address"],"description":"PTraceEventSerializer serializes a ptrace event to JSON"}
{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"tid":{"type":"integer","description":"Thread ID"},"uid":{"type":"integer","description":"User ID"},"gid":{"type":"integer","description":"Group ID"},"user":{"type":"string","description":"User name"},"group":{"type":"string","description":"Group name"},"path_resolution_error":{"type":"string","description":"Description of an error in the path resolution"},"comm":{"type":"string","description":"Command name"},"tty":{"type":"string","description":"TTY associated with the process"},"fork_time":{"type":"string","format":"date-time","description":"Fork time of the process"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"credentials":{"$ref":"#/$defs/ProcessCredentials","description":"Credentials associated with the process"},"user_session":{"$ref":"#/$defs/UserSessionContext","description":"Context of the user session for this event"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"interpreter":{"$ref":"#/$defs/File","description":"File information of the interpreter"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"argv0":{"type":"string","description":"First command line argument"},"args":{"items":{"type":"string"},"type":"array","description":"Command line arguments"},"args_truncated":{"type":"boolean","description":"Indicator of arguments truncation"},"envs":{"items":{"type":"string"},"type":"array","description":"Environment variables of the process"},"envs_truncated":{"type":"boolean","description":"Indicator of environments variable truncation"},"is_thread":{"type":"boolean","description":"Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"},"is_kworker":{"type":"boolean","description":"Indicates whether the process is a kworker"},"is_exec_child":{"type":"boolean","description":"Indicates whether the process is an exec following another exec"},"source":{"type":"string","description":"Process source"},"syscalls":{"$ref":"#/$defs/SyscallsEvent","description":"List of syscalls captured to generate the event"},"aws_security_credentials":{"items":{"$ref":"#/$defs/AWSSecurityCredentials"},"type":"array","description":"List of AWS Security Credentials that the process had access to"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"ProcessSerializer serializes a process to JSON"}
Field
Description
pid
Process ID
ppid
Parent Process ID
tid
Thread ID
uid
User ID
gid
Group ID
user
User name
group
Group name
path_resolution_error
Description of an error in the path resolution
comm
Command name
tty
TTY associated with the process
fork_time
Fork time of the process
exec_time
Exec time of the process
exit_time
Exit time of the process
credentials
Credentials associated with the process
user_session
Context of the user session for this event
executable
File information of the executable
interpreter
File information of the interpreter
container
Container context
argv0
First command line argument
args
Command line arguments
args_truncated
Indicator of arguments truncation
envs
Environment variables of the process
envs_truncated
Indicator of environment variable truncation
is_thread
Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)
is_kworker
Indicates whether the process is a kworker
is_exec_child
Indicates whether the process is an exec following another exec
source
Process source
syscalls
List of syscalls captured to generate the event
aws_security_credentials
List of AWS Security Credentials that the process had access to
{"properties":{"pid":{"type":"integer","description":"Process ID"},"ppid":{"type":"integer","description":"Parent Process ID"},"tid":{"type":"integer","description":"Thread ID"},"uid":{"type":"integer","description":"User ID"},"gid":{"type":"integer","description":"Group ID"},"user":{"type":"string","description":"User name"},"group":{"type":"string","description":"Group name"},"path_resolution_error":{"type":"string","description":"Description of an error in the path resolution"},"comm":{"type":"string","description":"Command name"},"tty":{"type":"string","description":"TTY associated with the process"},"fork_time":{"type":"string","format":"date-time","description":"Fork time of the process"},"exec_time":{"type":"string","format":"date-time","description":"Exec time of the process"},"exit_time":{"type":"string","format":"date-time","description":"Exit time of the process"},"credentials":{"$ref":"#/$defs/ProcessCredentials","description":"Credentials associated with the process"},"user_session":{"$ref":"#/$defs/UserSessionContext","description":"Context of the user session for this event"},"executable":{"$ref":"#/$defs/File","description":"File information of the executable"},"interpreter":{"$ref":"#/$defs/File","description":"File information of the interpreter"},"container":{"$ref":"#/$defs/ContainerContext","description":"Container context"},"argv0":{"type":"string","description":"First command line argument"},"args":{"items":{"type":"string"},"type":"array","description":"Command line arguments"},"args_truncated":{"type":"boolean","description":"Indicator of arguments truncation"},"envs":{"items":{"type":"string"},"type":"array","description":"Environment variables of the process"},"envs_truncated":{"type":"boolean","description":"Indicator of environments variable truncation"},"is_thread":{"type":"boolean","description":"Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)"},"is_kworker":{"type":"boolean","description":"Indicates whether the process is a kworker"},"is_exec_child":{"type":"boolean","description":"Indicates whether the process is an exec following another exec"},"source":{"type":"string","description":"Process source"},"syscalls":{"$ref":"#/$defs/SyscallsEvent","description":"List of syscalls captured to generate the event"},"aws_security_credentials":{"items":{"$ref":"#/$defs/AWSSecurityCredentials"},"type":"array","description":"List of AWS Security Credentials that the process had access to"},"parent":{"$ref":"#/$defs/Process","description":"Parent process"},"ancestors":{"items":{"$ref":"#/$defs/Process"},"type":"array","description":"Ancestor processes"},"variables":{"$ref":"#/$defs/Variables","description":"Variables values"},"truncated_ancestors":{"type":"boolean","description":"True if the ancestors list was truncated because it was too big"}},"additionalProperties":false,"type":"object","required":["uid","gid"],"description":"ProcessContextSerializer serializes a process context to JSON"}
Field
Description
pid
Process ID
ppid
Parent Process ID
tid
Thread ID
uid
User ID
gid
Group ID
user
User name
group
Group name
path_resolution_error
Description of an error in the path resolution
comm
Command name
tty
TTY associated with the process
fork_time
Fork time of the process
exec_time
Exec time of the process
exit_time
Exit time of the process
credentials
Credentials associated with the process
user_session
Context of the user session for this event
executable
File information of the executable
interpreter
File information of the interpreter
container
Container context
argv0
First command line argument
args
Command line arguments
args_truncated
Indicator of arguments truncation
envs
Environment variables of the process
envs_truncated
Indicator of environment variable truncation
is_thread
Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)
is_kworker
Indicates whether the process is a kworker
is_exec_child
Indicates whether the process is an exec following another exec
source
Process source
syscalls
List of syscalls captured to generate the event
aws_security_credentials
List of AWS Security Credentials that the process had access to
parent
Parent process
ancestors
Ancestor processes
variables
Variables values
truncated_ancestors
True if the ancestors list was truncated because it was too big
{"properties":{"uid":{"type":"integer","description":"User ID"},"user":{"type":"string","description":"User name"},"gid":{"type":"integer","description":"Group ID"},"group":{"type":"string","description":"Group name"},"euid":{"type":"integer","description":"Effective User ID"},"euser":{"type":"string","description":"Effective User name"},"egid":{"type":"integer","description":"Effective Group ID"},"egroup":{"type":"string","description":"Effective Group name"},"fsuid":{"type":"integer","description":"Filesystem User ID"},"fsuser":{"type":"string","description":"Filesystem User name"},"fsgid":{"type":"integer","description":"Filesystem Group ID"},"fsgroup":{"type":"string","description":"Filesystem Group name"},"auid":{"type":"integer","description":"Login UID"},"cap_effective":{"items":{"type":"string"},"type":"array","description":"Effective Capability set"},"cap_permitted":{"items":{"type":"string"},"type":"array","description":"Permitted Capability set"},"destination":{"description":"Credentials after the operation"}},"additionalProperties":false,"type":"object","required":["uid","gid","euid","egid","fsuid","fsgid","auid","cap_effective","cap_permitted"],"description":"ProcessCredentialsSerializer serializes the process credentials to JSON"}
{"properties":{"device":{"$ref":"#/$defs/NetworkDevice","description":"device is the network device on which the event was captured"},"l3_protocol":{"type":"string","description":"l3_protocol is the layer 3 protocol name"},"l4_protocol":{"type":"string","description":"l4_protocol is the layer 4 protocol name"},"source":{"$ref":"#/$defs/IPPort","description":"source is the emitter of the network event"},"destination":{"$ref":"#/$defs/IPPort","description":"destination is the receiver of the network event"},"size":{"type":"integer","description":"size is the size in bytes of the network event"},"network_direction":{"type":"string","description":"network_direction indicates if the packet was captured on ingress or egress"},"tls":{"$ref":"#/$defs/TLSContext"}},"additionalProperties":false,"type":"object","required":["l3_protocol","l4_protocol","source","destination","size","network_direction"],"description":"RawPacketSerializer defines a raw packet serializer"}
Field
Description
device
device is the network device on which the event was captured
l3_protocol
l3_protocol is the layer 3 protocol name
l4_protocol
l4_protocol is the layer 4 protocol name
source
source is the emitter of the network event
destination
destination is the receiver of the network event
size
size is the size in bytes of the network event
network_direction
network_direction indicates if the packet was captured on ingress or egress
{"properties":{"name":{"type":"string","description":"SELinux boolean name"},"state":{"type":"string","description":"SELinux boolean state ('on' or 'off')"}},"additionalProperties":false,"type":"object","description":"SELinuxBoolChangeSerializer serializes a SELinux boolean change to JSON"}
{"properties":{"status":{"type":"string","description":"SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')"}},"additionalProperties":false,"type":"object","description":"SELinuxEnforceStatusSerializer serializes a SELinux enforcement status change to JSON"}
Field
Description
status
SELinux enforcement status (one of 'enforcing', 'permissive' or 'disabled')
{"properties":{"name":{"type":"string","description":"Name of the security profile"},"version":{"type":"string","description":"Version of the profile in use"},"tags":{"items":{"type":"string"},"type":"array","description":"List of tags associated to this profile"},"event_in_profile":{"type":"boolean","description":"True if the corresponding event is part of this profile"},"event_type_state":{"type":"string","description":"State of the event type in this profile"}},"additionalProperties":false,"type":"object","required":["name","version","tags","event_in_profile","event_type_state"],"description":"SecurityProfileContextSerializer serializes the security profile context in an event"}
Field
Description
name
Name of the security profile
version
Version of the profile in use
tags
List of tags associated to this profile
event_in_profile
True if the corresponding event is part of this profile
{"properties":{"type":{"type":"string","description":"signal type"},"pid":{"type":"integer","description":"signal target pid"},"target":{"$ref":"#/$defs/ProcessContext","description":"process context of the signal target"}},"additionalProperties":false,"type":"object","required":["type","pid"],"description":"SignalEventSerializer serializes a signal event to JSON"}
{"properties":{"pipe_entry_flag":{"type":"string","description":"Entry flag of the fd_out pipe passed to the splice syscall"},"pipe_exit_flag":{"type":"string","description":"Exit flag of the fd_out pipe passed to the splice syscall"}},"additionalProperties":false,"type":"object","required":["pipe_entry_flag","pipe_exit_flag"],"description":"SpliceEventSerializer serializes a splice event to JSON"}
Field
Description
pipe_entry_flag
Entry flag of the fd_out pipe passed to the splice syscall
pipe_exit_flag
Exit flag of the fd_out pipe passed to the splice syscall
{"properties":{"name":{"type":"string","description":"Name of the syscall"},"id":{"type":"integer","description":"ID of the syscall in the host architecture"}},"additionalProperties":false,"type":"object","required":["name","id"],"description":"SyscallSerializer serializes a syscall"}
{"properties":{"id":{"type":"string","description":"User name"},"group":{"type":"string","description":"Group name"}},"additionalProperties":false,"type":"object","description":"UserContextSerializer serializes a user context to JSON"}
{"properties":{"id":{"type":"string","description":"Unique identifier of the user session on the host"},"session_type":{"type":"string","description":"Type of the user session"},"k8s_username":{"type":"string","description":"Username of the Kubernetes \"kubectl exec\" session"},"k8s_uid":{"type":"string","description":"UID of the Kubernetes \"kubectl exec\" session"},"k8s_groups":{"items":{"type":"string"},"type":"array","description":"Groups of the Kubernetes \"kubectl exec\" session"},"k8s_extra":{"additionalProperties":{"items":{"type":"string"},"type":"array"},"type":"object","description":"Extra of the Kubernetes \"kubectl exec\" session"}},"additionalProperties":false,"type":"object","description":"UserSessionContextSerializer serializes the user session context to JSON"}
