{
  "$schema" : "https://json-schema.org/draft/2020-12/schema",
  "$defs" : {
    "EnvironmentVariable" : {
      "type" : "object",
      "properties" : {
        "parent_val" : {
          "type" : [ "string", "null" ],
          "x-isAttributed" : false,
          "description" : "Environment variable parent value"
        },
        "val" : {
          "type" : [ "string", "null" ],
          "x-isAttributed" : false,
          "description" : "Environment variable value"
        },
        "var" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Environment variable name"
        }
      },
      "description" : "Environment variable"
    },
    "Signature" : {
      "type" : "object",
      "properties" : {
        "issuer" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Issuer of a signature"
        },
        "subject" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Subject of a signature"
        },
        "thumbprint" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Thumbprint of a signature"
        }
      },
      "description" : "Signature details of a certificate in a signing or countersigning chain"
    }
  },
  "type" : "object",
  "properties" : {
    "hostname" : {
      "type" : "string",
      "x-isAttributed" : false,
      "format" : "hostname",
      "description" : "Hostname as reported by the agent"
    },
    "dns_domain" : {
      "type" : "string",
      "x-isAttributed" : false,
      "format" : "hostname",
      "description" : "DNS domain as reported by the agent"
    },
    "os_type" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "OS this process is running on"
    },
    "r7_hostid" : {
      "type" : "string",
      "x-isAttributed" : true,
      "description" : "The host ID of the system the process was started on"
    },
    "process" : {
      "type" : "object",
      "properties" : {
        "account_domain" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "AD domain of the user who started the process"
        },
        "addr" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Remote address that user is connecting from"
        },
        "cmd_line" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Command line invocation used to start process, including arguments"
        },
        "egid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective group ID",
          "pattern" : "\\d+"
        },
        "egid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective group name"
        },
        "euid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective user ID",
          "pattern" : "\\d+"
        },
        "euid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective username"
        },
        "exe_file" : {
          "type" : "object",
          "properties" : {
            "author" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Company who produced the executable as reported by the file metadata"
            },
            "countersigning_chain" : {
              "type" : "array",
              "items" : {
                "$ref" : "#/$defs/Signature"
              },
              "x-isAttributed" : false,
              "description" : "Contains the certificate chain for any countersignatures, which add an additional layer of validation by\nanother trusted party or authority. It verifies the authenticity of the countersignature"
            },
            "created" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "Executable file creation date"
            },
            "description" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The description from the file metadata"
            },
            "gid" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Group ID of the executable file",
              "pattern" : "\\d+"
            },
            "group" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Group of the executable file"
            },
            "hashes" : {
              "type" : "object",
              "properties" : {
                "imphash" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "Import hash"
                },
                "md5" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "MD5 hash"
                },
                "sha1" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "SHA1 hash"
                },
                "sha256" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "SHA256 hash"
                }
              },
              "description" : "Collection of different hashes of the process",
              "x-isAttributed" : false
            },
            "internal_name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "InternalName from the metadata"
            },
            "last_accessed" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "Executable file last accessed date"
            },
            "last_modified" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "Executable file last modification date"
            },
            "orig_filename" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The original filename from the file metadata"
            },
            "owner" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Owner of the executable file"
            },
            "permissions" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Permissions string of the executable file"
            },
            "product_name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Product name of the executable as reported by the file metadata"
            },
            "signing_chain" : {
              "type" : "array",
              "items" : {
                "$ref" : "#/$defs/Signature"
              },
              "x-isAttributed" : false,
              "description" : "Represents the certificate chain starting from the signer's certificate and ending with the root certificate\nof a trusted certification authority. It ensures the signer’s certificate is valid and trusted"
            },
            "signing_status" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Status indicates if the signature is valid or not"
            },
            "size" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Executable file size",
              "pattern" : "\\d+"
            },
            "uid" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Owner ID of the executable file",
              "pattern" : "\\d+"
            },
            "version" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Build version of the file from file metadata"
            }
          },
          "description" : "Information about the executable file",
          "x-isAttributed" : false
        },
        "exe_path" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Path to the executable"
        },
        "fsgid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File system group ID",
          "pattern" : "\\d+"
        },
        "fsuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File system user ID",
          "pattern" : "\\d+"
        },
        "gid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Group ID",
          "pattern" : "\\d+"
        },
        "group" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Group name"
        },
        "hash_reputation" : {
          "type" : "object",
          "properties" : {
            "classification" : {
              "type" : "object",
              "properties" : {
                "family_name" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The family of malicious hashes this belongs to"
                },
                "platform" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The platform that the hash executes on"
                },
                "type" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The type of threat"
                }
              },
              "description" : "The classification describing why the hash is malicious",
              "x-isAttributed" : false
            },
            "engine_count" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The number of scan engines that evaluated the hash",
              "pattern" : "\\d+"
            },
            "engine_match" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The number of scan engines that marked the hash as malicious",
              "pattern" : "\\d+"
            },
            "engine_percent" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The percentage of scan engines that marked the hash as malicious",
              "pattern" : "\\d+"
            },
            "first_analyzed_time" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "The first time the hash was analyzed"
            },
            "reliability" : {
              "type" : "string",
              "enum" : [ "Low", "Medium", "High", "Very High" ],
              "x-isAttributed" : false,
              "description" : "The reliability of the above designation"
            },
            "reputation" : {
              "type" : "string",
              "enum" : [ "Unknown", "Known", "Suspicious", "Malicious" ],
              "x-isAttributed" : false,
              "description" : "The top level reputation value"
            },
            "threat_level" : {
              "type" : "string",
              "enum" : [ "None", "Low", "Moderate", "Major", "Severe", "Critical" ],
              "x-isAttributed" : false,
              "description" : "The threat level of the hash"
            }
          },
          "description" : "The hash reputation of the process",
          "x-isAttributed" : false
        },
        "img_path" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Path to the image"
        },
        "name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of this process"
        },
        "pid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "System Process ID",
          "pattern" : "\\d+"
        },
        "port" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Port the process used",
          "pattern" : "\\d+"
        },
        "ppid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Parent system process ID",
          "pattern" : "\\d+"
        },
        "r7_id" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Agent-generated ID unique to a process start"
        },
        "rgid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real group ID",
          "pattern" : "\\d+"
        },
        "rgid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real group name"
        },
        "ruid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real user ID",
          "pattern" : "\\d+"
        },
        "ruid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real username"
        },
        "rule_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The name of the applied rule"
        },
        "session" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Login session ID which launched the process",
          "pattern" : "\\d+"
        },
        "sgid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Saved group ID",
          "pattern" : "\\d+"
        },
        "start_time" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "Time that this process started"
        },
        "suid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Saved user ID",
          "pattern" : "\\d+"
        },
        "uid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "User ID",
          "pattern" : "\\d+"
        },
        "username" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Local user who started the process"
        },
        "working_dir" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Path to executable, only sent if different from exe_path"
        }
      },
      "description" : "Information about an OS process",
      "x-isAttributed" : false
    },
    "parent_process" : {
      "type" : "object",
      "properties" : {
        "account_domain" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "AD domain of the user who started the process"
        },
        "addr" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Remote address that user is connecting from"
        },
        "cmd_line" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Command line invocation used to start process, including arguments"
        },
        "egid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective group ID",
          "pattern" : "\\d+"
        },
        "egid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective group name"
        },
        "euid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective user ID",
          "pattern" : "\\d+"
        },
        "euid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Effective username"
        },
        "exe_file" : {
          "type" : "object",
          "properties" : {
            "author" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Company who produced the executable as reported by the file metadata"
            },
            "countersigning_chain" : {
              "type" : "array",
              "items" : {
                "$ref" : "#/$defs/Signature"
              },
              "x-isAttributed" : false,
              "description" : "Contains the certificate chain for any countersignatures, which add an additional layer of validation by\nanother trusted party or authority. It verifies the authenticity of the countersignature"
            },
            "created" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "Executable file creation date"
            },
            "description" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The description from the file metadata"
            },
            "gid" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Group ID of the executable file",
              "pattern" : "\\d+"
            },
            "group" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Group of the executable file"
            },
            "hashes" : {
              "type" : "object",
              "properties" : {
                "imphash" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "Import hash"
                },
                "md5" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "MD5 hash"
                },
                "sha1" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "SHA1 hash"
                },
                "sha256" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "SHA256 hash"
                }
              },
              "description" : "Collection of different hashes of the process",
              "x-isAttributed" : false
            },
            "internal_name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "InternalName from the metadata"
            },
            "last_accessed" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "Executable file last accessed date"
            },
            "last_modified" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "Executable file last modification date"
            },
            "orig_filename" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The original filename from the file metadata"
            },
            "owner" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Owner of the executable file"
            },
            "permissions" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Permissions string of the executable file"
            },
            "product_name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Product name of the executable as reported by the file metadata"
            },
            "signing_chain" : {
              "type" : "array",
              "items" : {
                "$ref" : "#/$defs/Signature"
              },
              "x-isAttributed" : false,
              "description" : "Represents the certificate chain starting from the signer's certificate and ending with the root certificate\nof a trusted certification authority. It ensures the signer’s certificate is valid and trusted"
            },
            "signing_status" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Status indicates if the signature is valid or not"
            },
            "size" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Executable file size",
              "pattern" : "\\d+"
            },
            "uid" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Owner ID of the executable file",
              "pattern" : "\\d+"
            },
            "version" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "Build version of the file from file metadata"
            }
          },
          "description" : "Information about the executable file",
          "x-isAttributed" : false
        },
        "exe_path" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Path to the executable"
        },
        "fsgid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File system group ID",
          "pattern" : "\\d+"
        },
        "fsuid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "File system user ID",
          "pattern" : "\\d+"
        },
        "gid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Group ID",
          "pattern" : "\\d+"
        },
        "group" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Group name"
        },
        "hash_reputation" : {
          "type" : "object",
          "properties" : {
            "classification" : {
              "type" : "object",
              "properties" : {
                "family_name" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The family of malicious hashes this belongs to"
                },
                "platform" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The platform that the hash executes on"
                },
                "type" : {
                  "type" : "string",
                  "x-isAttributed" : false,
                  "description" : "The type of threat"
                }
              },
              "description" : "The classification describing why the hash is malicious",
              "x-isAttributed" : false
            },
            "engine_count" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The number of scan engines that evaluated the hash",
              "pattern" : "\\d+"
            },
            "engine_match" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The number of scan engines that marked the hash as malicious",
              "pattern" : "\\d+"
            },
            "engine_percent" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The percentage of scan engines that marked the hash as malicious",
              "pattern" : "\\d+"
            },
            "first_analyzed_time" : {
              "type" : "string",
              "format" : "date-time",
              "x-isAttributed" : false,
              "description" : "The first time the hash was analyzed"
            },
            "reliability" : {
              "type" : "string",
              "enum" : [ "Low", "Medium", "High", "Very High" ],
              "x-isAttributed" : false,
              "description" : "The reliability of the above designation"
            },
            "reputation" : {
              "type" : "string",
              "enum" : [ "Unknown", "Known", "Suspicious", "Malicious" ],
              "x-isAttributed" : false,
              "description" : "The top level reputation value"
            },
            "threat_level" : {
              "type" : "string",
              "enum" : [ "None", "Low", "Moderate", "Major", "Severe", "Critical" ],
              "x-isAttributed" : false,
              "description" : "The threat level of the hash"
            }
          },
          "description" : "The hash reputation of the process",
          "x-isAttributed" : false
        },
        "img_path" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Path to the image"
        },
        "name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Name of this process"
        },
        "pid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "System Process ID",
          "pattern" : "\\d+"
        },
        "port" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Port the process used",
          "pattern" : "\\d+"
        },
        "ppid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Parent system process ID",
          "pattern" : "\\d+"
        },
        "r7_id" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Agent-generated ID unique to a process start"
        },
        "rgid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real group ID",
          "pattern" : "\\d+"
        },
        "rgid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real group name"
        },
        "ruid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real user ID",
          "pattern" : "\\d+"
        },
        "ruid_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Real username"
        },
        "rule_name" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "The name of the applied rule"
        },
        "session" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Login session ID which launched the process",
          "pattern" : "\\d+"
        },
        "sgid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Saved group ID",
          "pattern" : "\\d+"
        },
        "start_time" : {
          "type" : "string",
          "format" : "date-time",
          "x-isAttributed" : false,
          "description" : "Time that this process started"
        },
        "suid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Saved user ID",
          "pattern" : "\\d+"
        },
        "uid" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "User ID",
          "pattern" : "\\d+"
        },
        "username" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Local user who started the process"
        },
        "working_dir" : {
          "type" : "string",
          "x-isAttributed" : false,
          "description" : "Path to executable, only sent if different from exe_path"
        }
      },
      "description" : "Information about a parent OS process",
      "x-isAttributed" : false
    },
    "env_vars" : {
      "type" : "array",
      "items" : {
        "$ref" : "#/$defs/EnvironmentVariable"
      },
      "x-isAttributed" : false,
      "description" : "Environment variables that are available to the process"
    },
    "duplicated_events" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Number of similar events merged into this single rollup event by the agent",
      "pattern" : "\\d+"
    },
    "endpoint_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The ID of the vendor managing the endpoint agent for the asset"
    },
    "endpoint_vendor" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The vendor managing the endpoint agent for the asset"
    },
    "r7_context" : {
      "type" : "object",
      "properties" : {
        "asset" : {
          "type" : "object",
          "properties" : {
            "name" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The name of the r7context resource"
            },
            "rrn" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The RRN (Rapid7 Resource Name) of the r7context resource",
              "pattern" : "rrn(_[^\\s:]+)?:[^\\s:]+:[^\\s:]*:[^\\s:]*(:[^\\s:]+)+"
            },
            "type" : {
              "type" : "string",
              "x-isAttributed" : false,
              "description" : "The type of r7context field",
              "const" : "asset"
            }
          },
          "required" : [ "name", "rrn", "type" ],
          "x-isAttributed" : true
        }
      },
      "x-isAttributed" : true,
      "description" : "R7_context includes attributed information related to the entry, with references to Rapid7-specific RRNs"
    },
    "entry_id" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "Unique Entry ID assigned to each document or log entry"
    },
    "custom_data" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "JSON string produced by applying one or more user-defined custom parsers to the original data"
    },
    "source_data" : {
      "type" : "string",
      "x-isAttributed" : false,
      "description" : "The unparsed, original log line as received from the collector"
    },
    "source_json" : {
      "type" : "object",
      "x-isAttributed" : false,
      "description" : "The data that was received or collected by our collector or endpoint agent, formatted as JSON"
    }
  },
  "required" : [ "hostname", "process" ],
  "description" : "Starting a new process"
}