Schema
Table: audit_selinux
Represents SELinux information.
| Name | Datatype | Description |
|---|---|---|
| type | UTF8 | A string representing the SELinux event type name, such as MAC_POLICY_LOAD. |
| time | UINT_64 | The UNIX nanoseconds timestamp of the SELinux event. |
| message | UTF8 | The SELinux event's msg field. |
Table: audit_user_msg
When a user starts a terminal, netlink events trigger an audit_user_msg event. You can use audit_user_msg events to track SSH login attempts, sudo elevations, and users swapping to different system users. You can also track events inside containers.
| Name | Datatype | Description/Attributes |
|---|---|---|
| uid | int32 | The UID of the process triggering the event. |
| pid | int32 | The PID of the process triggering the event. |
| sophos_pid | string | A unique ID created using the PID of the process and a unique identifier. |
| type | int32 | The nlmsg_type value of the netlink event. |
| time | int32 | The Unix timestamp of the event. |
| message | string | The message of the event. For example, the message in the record below is `op=PAM:session_open`. |
| path | string | The path of the process triggering the event. |
| address | string | The IPv4 or IPv6 address if the event is triggered over the network. You typically see this in SSH or container events. |
| terminal | string | The terminal ID of the created terminal. |
Example

```json
{
  "uid": 0,
  "pid": 767417,
  "sophos_pid": "767417:17273496908417400",
  "type": 1105,
  "time": 172734969,
  "message": "op=PAM:session_open",
  "path": "/usr/bin/sudo",
  "address": "?",
  "terminal": "/dev/pts/10"
}
```
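As an added illustration, not part of the Sophos documentation, the following Python reads newline-delimited records in the audit_user_msg layout above and uses them for the tracking the table description mentions: SSH logins, sudo elevations and switches to other users. The type numbers are the Linux audit message types from the kernel's `<linux/audit.h>` (the page's sample type 1105 is AUDIT_USER_START). The classification by program path, the constructed records after the first one, and the reading of a `"?"` address as a local (non-network) event are this example's own assumptions, not documented SLS behaviour.

```python
import json

# Audit message type numbers from the Linux kernel's <linux/audit.h>; the
# page's sample record uses type 1105, which is AUDIT_USER_START.
AUDIT_USER_AUTH = 1100
AUDIT_USER_START = 1105
AUDIT_USER_END = 1106
AUDIT_USER_LOGIN = 1112

# Constructed newline-delimited JSON records in the audit_user_msg layout.
# Only the first line is the page's own example; the rest are invented.
SAMPLE_RECORDS = """
{"uid": 0, "pid": 767417, "sophos_pid": "767417:17273496908417400", "type": 1105, "time": 172734969, "message": "op=PAM:session_open", "path": "/usr/bin/sudo", "address": "?", "terminal": "/dev/pts/10"}
{"uid": 1000, "pid": 4101, "sophos_pid": "4101:17273497001000000", "type": 1112, "time": 172734970, "message": "op=login", "path": "/usr/sbin/sshd", "address": "203.0.113.7", "terminal": "/dev/pts/11"}
{"uid": 1000, "pid": 4101, "sophos_pid": "4101:17273497001000000", "type": 1105, "time": 172734970, "message": "op=PAM:session_open", "path": "/usr/sbin/sshd", "address": "203.0.113.7", "terminal": "/dev/pts/11"}
{"uid": 0, "pid": 4188, "sophos_pid": "4188:17273497100000000", "type": 1105, "time": 172734971, "message": "op=PAM:session_open", "path": "/usr/bin/su", "address": "?", "terminal": "/dev/pts/11"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_remote(record):
    """True when the event carries a network address; "?" is assumed to mean local."""
    return record.get("address") not in (None, "", "?")


def classify(record):
    """Label a record from its audit type and the triggering program's path (assumption)."""
    path = record.get("path", "")
    if record["type"] == AUDIT_USER_LOGIN or path.endswith("/sshd"):
        return "ssh_login" if is_remote(record) else "local_login"
    if path.endswith("/sudo"):
        return "sudo_elevation"
    if path.endswith("/su"):
        return "user_switch"
    return "other"


def summarize(records):
    """Group records by category as (uid, terminal, address) tuples, in input order."""
    summary = {}
    for rec in records:
        summary.setdefault(classify(rec), []).append(
            (rec["uid"], rec["terminal"], rec["address"]))
    return summary


def elevations_on_remote_terminals(records):
    """sophos_pid of every sudo/su session opened on a terminal that a network login
    created earlier in the stream: a privilege change attributable to a remote user
    rather than to someone at the console."""
    remote_terminals = set()
    flagged = []
    for rec in sorted(records, key=lambda r: r["time"]):
        category = classify(rec)
        if category == "ssh_login":
            remote_terminals.add(rec["terminal"])
        elif category in ("sudo_elevation", "user_switch") and rec["terminal"] in remote_terminals:
            flagged.append(rec["sophos_pid"])
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for category, entries in summarize(recs).items():
        print(category, entries)
    print("elevations on remote terminals:", elevations_on_remote_terminals(recs))
```

The correlation in `elevations_on_remote_terminals` relies only on fields the table documents (`terminal`, `address`, `path`, `time`): a terminal first seen with a network address is remembered, and any later sudo or su session on that same terminal is reported, so an elevation by a remote user stands out from one at the console.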
Table: alerts
Represents alert information.
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the Unix timestamp of when the Alert was generated. |
| alert_id | utf8 | AlertID is the UUID for the alert. |
| sensor_id | utf8 | SensorID is the unique identifier for Sophos Linux Sensor (SLS). |
| priority | utf8 | Priority is the Alert's priority. |
| process_uuid | utf8 | ProcessUUID is a unique ID that represents the unique process. |
| incident_id | utf8 | IncidentID is the ID of the overall incident. This will be present if the event is part of an incident. |
| policy_type | utf8 | PolicyType is the policy's type. |
| strategy_name | utf8 | StrategyName is the name of the strategy which triggered the alert. |
| audit_group_id | utf8 | AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event. |
| messages | list utf8 | |
Table: sensor_metadata
Represents a single key/value pair of metadata for specific sensor.
| Name | Datatype | Description/Attributes |
|---|---|---|
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
| key | utf8 | |
| value | utf8 | |
Table: sensors
Represents sensor information.
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the Unix timestamp of when the process event was generated. |
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
| sensor_pid | int32 | SensorPid is the PID of the SLS process. |
| hostname | utf8 | |
Table: lost_records
LostRecord metaevents log instances of potential data loss in SLS.
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the Unix timestamp of when the lost record was generated. |
| event_type | int32 | EventType represents the lost record event type. |
| action_type | int32 | ActionType represents the action type of the lost record event. |
| reason | utf8 | Reason is the reason the lost record event was generated. |
| lost_count | int64 | LostCount represents the number of records which were lost. |
| event_type_name | utf8 | EventTypeName is the name for the event type that occurred. |
| action_type_name | utf8 | ActionTypeName is the name for the action type that occurred. |
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
Table: connections
Connections represent all network activity that contains a network address.
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the Unix timestamp of when the event occurred. |
| process_uuid | utf8 | ProcessUUID is a unique ID that represents the unique process. |
| process_pid | int32 | ProcessPid is the process pid which created the event. |
| monotime_nanos | int64 | MonotimeNanos is the monotonic clock time, in nanoseconds, at which the event occurred. |
| dst_addr | utf8 | DstAddr is the destination address for the event. |
| dst_port | int32 | DstPort is the destination port for the event. |
| incident_id | utf8 | IncidentID is the ID of the overall incident. This will be present if the event is part of an incident. |
| success | bool | Success is whether the connection attempt was successful. |
| audit_group_id | utf8 | AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event. |
Table: process_events
Process Metaevents representing a process action such as exec or fork.
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the Unix timestamp of when the process event was generated. |
| event_type | int32 | EventType represents the process event type. Fork(0): the process was created by a fork event; Exec(1): the process was created by an exec event; Exit(2): the process exited; Baseline(3): the process event was created during the start of SLS. |
| process_uuid | utf8 | ProcessUUID is a unique ID that represents the unique process. |
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
| pid | int32 | PID is the process pid. |
| container_id | utf8 | ContainerID is the unique identifier for a running container instance. |
| parent_process_uuid | utf8 | ParentProcessUUID is a unique ID that represents the unique process of the parent process. |
| parent_pid | int32 | PID is the process pid of the parent process. |
| gid | int32 | Gid is the group ID associated with the task/thread. |
| group | utf8 | GroupName is the group name for the group ID of the task/thread. |
| uid | int32 | UID is the user ID associated with the task/thread. |
| username | utf8 | Username is the username for the user ID of the task/thread. |
| euid | int32 | Euid is the effective user ID for the task/thread. |
| effective_username | utf8 | EuidName is the effective username for the user ID of the task/thread. |
| fsuid | int32 | FsUID is the filesystem user ID associated with the task/thread. |
| fs_username | utf8 | FsUsername is the filesystem username for the FsUID of the task/thread. |
| fsgid | int32 | FsGid is the filesystem group ID associated with the task/thread. |
| fs_group | utf8 | FsGroupName is the filesystem group name for the FsGID of the task/thread. |
| login_uid | int32 | LoginUID is the user ID assigned to the user during login associated with the task/thread. |
| login_username | utf8 | LoginUsername is the username for the loginuid of the task/thread. |
| login_gid | int32 | LoginGID is the group ID assigned to the user during login associated with the task/thread. |
| login_group | utf8 | LoginGroup is the group for the loginuid of the task/thread. |
| path | utf8 | Path is the path of the process. |
| arguments | list utf8 | Arguments are the arguments that were used when creating the process. |
| incident_id | utf8 | IncidentID is the ID of the overall incident. This will be present if the event is part of an incident. |
| child_pid | int32 | ChildPID is the PID of the child process created on fork. |
| child_process_uuid | utf8 | ChildProcessUUID is a unique ID of a child process created on fork. |
| egid | int32 | Egid is the effective group ID for the task/thread. |
| effective_group | utf8 | EgidName is the effective group name for the group ID of the task/thread. |
| tid | int32 | TID is the process' ID in kernel-land. |
| return_value | int32 | ReturnValue is the return value on exec. |
| event_type_name | utf8 | EventTypeName is the name for the event type that occurred. Fork(0): the process was created by a fork event; Exec(1): the process was created by an exec event; Exit(2): the process exited; Baseline(3): the process event was created during the start of SLS. |
| audit_group_id | int32 | AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event. |
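The process_events table above and the connections table earlier share `process_uuid`, which is what lets an analyst turn a bare destination address into "which binary, started by which chain of parents, made this connection". The following Python is an added example, not SLS code: it indexes constructed process_events records by `process_uuid`, walks `parent_process_uuid` to rebuild a process's ancestry, joins connections records onto it, and lists processes that exec'd with `euid` 0 while `uid` is not 0. The `event_type` values 0 to 3 are the documented ones; that one `process_uuid` identifies one process instance (so the latest EXEC record describes its current image) is this example's assumption, and all UUIDs, PIDs, paths and addresses are invented.

```python
# Process event_type values as documented for the process_events table.
FORK, EXEC, EXIT, BASELINE = 0, 1, 2, 3

BASE_TS = 1_700_000_000_000_000_000  # constructed starting timestamp, in ns


def _proc(event_type, process_uuid, parent, pid, path, uid=0, euid=0, offset=0, **extra):
    """Build one constructed process_events record (subset of the table's columns)."""
    rec = {
        "unix_nano_timestamp": BASE_TS + offset,
        "event_type": event_type,
        "process_uuid": process_uuid,
        "parent_process_uuid": parent,
        "pid": pid,
        "path": path,
        "arguments": [path],
        "uid": uid,
        "euid": euid,
        "container_id": "",
        "sensor_id": "sensor-constructed",
    }
    rec.update(extra)
    return rec


# Constructed records; UUIDs, PIDs, paths and addresses are invented.
PROCESS_EVENTS = [
    _proc(BASELINE, "p-init", "", 1, "/sbin/init"),
    _proc(EXEC, "p-sshd", "p-init", 800, "/usr/sbin/sshd", offset=1),
    _proc(EXEC, "p-bash", "p-sshd", 4101, "/bin/bash", uid=1000, euid=1000, offset=2),
    # A fork event names the child in child_pid/child_process_uuid, not in pid/path.
    _proc(FORK, "p-bash", "p-sshd", 4101, "/bin/bash", uid=1000, euid=1000, offset=3,
          child_pid=4190, child_process_uuid="p-curl"),
    _proc(EXEC, "p-curl", "p-bash", 4190, "/usr/bin/curl", uid=1000, euid=1000, offset=4,
          arguments=["curl", "http://203.0.113.9/"]),
    _proc(EXEC, "p-sudo", "p-bash", 4200, "/usr/bin/sudo", uid=1000, euid=0, offset=5),
    _proc(EXIT, "p-curl", "p-bash", 4190, "/usr/bin/curl", uid=1000, euid=1000, offset=6),
]

# Constructed connections records (subset of the table's columns).
CONNECTIONS = [
    {"unix_nano_timestamp": BASE_TS + 4, "process_uuid": "p-curl", "process_pid": 4190,
     "dst_addr": "203.0.113.9", "dst_port": 80, "success": True},
    {"unix_nano_timestamp": BASE_TS + 7, "process_uuid": "p-unknown", "process_pid": 9999,
     "dst_addr": "198.51.100.4", "dst_port": 443, "success": False},
]


def index_processes(events):
    """Map process_uuid -> its latest EXEC or BASELINE record (the image it is running).
    Assumes one process_uuid per process instance; fork and exit events are skipped."""
    index = {}
    for ev in sorted(events, key=lambda e: e["unix_nano_timestamp"]):
        if ev["event_type"] in (EXEC, BASELINE):
            index[ev["process_uuid"]] = ev
    return index


def ancestry(index, process_uuid, max_depth=64):
    """Paths from the root ancestor down to process_uuid, following parent_process_uuid.
    Stops on an unknown parent, a cycle, or max_depth so bad data cannot loop forever."""
    chain, seen, uuid = [], set(), process_uuid
    while uuid and uuid in index and uuid not in seen and len(chain) < max_depth:
        seen.add(uuid)
        chain.append(index[uuid]["path"])
        uuid = index[uuid]["parent_process_uuid"]
    chain.reverse()
    return chain


def attribute_connections(process_events, connections):
    """Join connections to process_events on process_uuid and attach the ancestry."""
    index = index_processes(process_events)
    out = []
    for c in connections:
        ev = index.get(c["process_uuid"])
        out.append({
            "dst": f'{c["dst_addr"]}:{c["dst_port"]}',
            "success": c["success"],
            "path": ev["path"] if ev else None,
            "ancestry": " -> ".join(ancestry(index, c["process_uuid"])),
        })
    return out


def elevated_processes(process_events):
    """process_uuids that exec'd with euid 0 while uid is not 0 (a setuid elevation)."""
    index = index_processes(process_events)
    return sorted(u for u, ev in index.items() if ev["euid"] == 0 and ev["uid"] != 0)


if __name__ == "__main__":
    for row in attribute_connections(PROCESS_EVENTS, CONNECTIONS):
        print(row)
    print("elevated:", elevated_processes(PROCESS_EVENTS))
```

A connection whose `process_uuid` has no EXEC or BASELINE record (the second constructed row) comes back with `path` None and an empty ancestry rather than an exception; in practice that is the case to watch, since it means the sensor saw the socket but not the process, which is exactly what the lost_records table exists to explain.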
Table: file_events
FileOperation is a metaevent describing a specific file operation.
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the Unix timestamp of when the file operation event was generated. |
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
| process_uuid | utf8 | ProcessUUID is a unique ID that represents the unique process. |
| pid | int32 | PID is the process pid. |
| container_id | utf8 | ContainerID is the unique identifier for a running container instance. |
| path | utf8 | Path is the path where the file operation occurred. |
| source_path | utf8 | SourcePath is the source file path that was linked or moved into the file path. |
| event_type | int32 | EventType represents the file event type. Create(1): the file was created; Link(2): the file was linked; Modify(3): the file was modified; Delete(4): the file was deleted; Rename(5): the file was renamed; Symlink(6): the file was symlinked. |
| incident_id | utf8 | IncidentID is the ID of the overall incident. This will be present if the event is part of an incident. |
| event_type_name | int32 | EventTypeName is the name for the event type that occurred. Create(1): the file was created; Link(2): the file was linked; Modify(3): the file was modified; Delete(4): the file was deleted; Rename(5): the file was renamed; Symlink(6): the file was symlinked. |
| audit_group_id | int32 | AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event. |
Table: shell_commands
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the unixnano timestamp of the event. |
| program_filename | utf8 | ProgramFilename is the file name of the program associated with the event. |
| program_arguments | list utf8 | ProgramArguments are the program's arguments. |
| process_uuid | utf8 | ProcessUUID is a unique ID that represents the unique process. |
| process_pid | int32 | ProcessPid is the process pid which created the event. |
| shell_process_uuid | utf8 | ShellProcessUUID is a unique ID that represents the unique process of the shell. |
| shell_process_pid | int32 | ShellProcessPid is the process pid for the shell that created the event. |
| exec_event_id | utf8 | ExecEventID is the ID given to the exec event. |
| monotime_nanos | int64 | MonotimeNanos is the monotonic clock time, in nanoseconds, at which the event occurred. |
| container_id | utf8 | ContainerID is the unique identifier for a running container instance. |
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
| uid | int32 | Uid is the user ID associated with the task/thread. |
| username | utf8 | Username is the username for the user ID of the task/thread. |
| gid | int32 | Gid is the group ID associated with the task/thread. |
| group | utf8 | Group is the group name for the group ID of the task/thread. |
| euid | int32 | Euid is the effective user ID for the task/thread. |
| effective_username | utf8 | EffectiveUsername is the effective username for the user ID of the task/thread. |
| egid | int32 | Egid is the effective group ID for the task/thread. |
| effective_group | utf8 | EffectiveGroup is the effective group name for the group ID of the task/thread. |
| suid | int32 | Suid is the saved user ID associated with the task/thread. |
| saved_username | utf8 | SavedUsername is the saved username for the saved user ID of the task/thread. |
| sgid | int32 | Sgid is the saved group ID for the task/thread. |
| saved_group | utf8 | SavedGroupname is the saved group name for the saved group ID of the task/thread. |
| fsuid | int32 | Fsuid is the filesystem user ID associated with the task/thread. |
| file_system_username | utf8 | FileSystemUsername is the filesystem username for the FsUID of the task/thread. |
| fsgid | int32 | Fsgid is the filesystem group ID associated with the task/thread. |
| file_system_group | utf8 | FileSystemGroup is the filesystem group name for the FsGID of the task/thread. |
| incident_id | utf8 | IncidentID is the ID of the overall incident. This will be present if the event is part of an incident. |
| audit_group_id | utf8 | AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event. |
Table: command_line_events
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the Unix timestamp of when the command line event was generated. |
| data | utf8 | Data is the raw data that is contained in the command line event. |
| monotime_nanos | int64 | MonotimeNanos is the monotonic clock time, in nanoseconds, at which the command line event occurred. |
| process_uuid | utf8 | ProcessUUID is a unique ID that represents the unique process. |
| process_pid | int32 | ProcessPid is the process pid which created the event. |
| cli_process_uuid | utf8 | CLIProcessUUID is a unique ID that represents the unique process of the cli process. |
| cli_process_pid | int32 | CLIProcessPid is the process pid of the cli process. |
| cli_source | utf8 | CLISource is where the information about commands is gathered from. PROCESS: the command information was obtained using the process that was executed from the shell; READLINE: the command information was obtained using readline. |
| container_id | utf8 | ContainerID is the unique identifier for a running container instance. |
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
| uid | int32 | Uid is the user ID associated with the task/thread. |
| username | utf8 | Username is the username for the user ID of the task/thread. |
| gid | int32 | Gid is the group ID associated with the task/thread. |
| group | utf8 | Group is the group name for the group ID of the task/thread. |
| euid | int32 | Euid is the effective user ID for the task/thread. |
| effective_username | utf8 | EffectiveUsername is the effective username for the user ID of the task/thread. |
| egid | int32 | Egid is the effective group ID for the task/thread. |
| effective_group | utf8 | EffectiveGroup is the effective group name for the group ID of the task/thread. |
| suid | int32 | Suid is the saved user ID associated with the task/thread. |
| saved_username | utf8 | SavedUsername is the saved username for the saved user ID of the task/thread. |
| sgid | int32 | Sgid is the saved group ID for the task/thread. |
| saved_group | utf8 | SavedGroupname is the saved group name for the saved group ID of the task/thread. |
| fsuid | int32 | Fsuid is the filesystem user ID associated with the task/thread. |
| file_system_username | utf8 | FileSystemUsername is the filesystem username for the FsUID of the task/thread. |
| fsgid | int32 | Fsgid is the filesystem group ID associated with the task/thread. |
| file_system_group | utf8 | FileSystemGroup is the filesystem group name for the FsGID of the task/thread. |
| incident_id | utf8 | IncidentID is the ID of the overall incident. This will be present if the command line event is part of an incident. |
| audit_group_id | utf8 | AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event. |
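The shell_commands and command_line_events tables both key a command to the shell that issued it (`shell_process_uuid` and `cli_process_uuid` respectively), and command_line_events additionally records whether a line came from the shell's readline input or from the process that was executed. The Python below is an added example, not SLS code, showing how a defender would use that: it rebuilds each shell session's timeline from constructed command_line_events records ordered by `monotime_nanos`, lists commands issued inside containers, and reports READLINE lines that never produced a matching PROCESS record in the same session. That last step assumes SLS emits both sources for a command that execs, so the leftovers point at shell builtins or aliases a process-only view would miss; that assumption, the sample records, and the container ID are this example's own.

```python
from collections import defaultdict


def _cmd(monotime, cli_uuid, proc_uuid, source, data, uid=1000, username="alice", container_id=""):
    """Build one constructed command_line_events record (subset of the table's columns)."""
    return {
        "monotime_nanos": monotime,
        "sensor_id": "sensor-constructed",
        "cli_process_uuid": cli_uuid,
        "process_uuid": proc_uuid,
        "cli_source": source,
        "data": data,
        "uid": uid,
        "username": username,
        "container_id": container_id,
    }


# Constructed records, deliberately out of time order to exercise the sort.
EVENTS = [
    _cmd(20, "sh-1", "p-ls", "PROCESS", "ls -la /etc"),
    _cmd(10, "sh-1", "sh-1", "READLINE", "ls -la /etc"),
    _cmd(30, "sh-1", "sh-1", "READLINE", "cd /tmp"),
    _cmd(40, "sh-2", "p-cat", "PROCESS", "cat /etc/hostname", uid=0, username="root",
         container_id="constructed-container-id"),
    _cmd(35, "sh-2", "sh-2", "READLINE", "cat /etc/hostname", uid=0, username="root",
         container_id="constructed-container-id"),
]


def _by_time(events):
    return sorted(events, key=lambda e: e["monotime_nanos"])


def session_timelines(events):
    """Group by (sensor_id, cli_process_uuid) and order each shell session by monotime_nanos.
    Returns {(sensor_id, cli_process_uuid): [(cli_source, data), ...]}."""
    sessions = defaultdict(list)
    for ev in events:
        sessions[(ev["sensor_id"], ev["cli_process_uuid"])].append(ev)
    return {key: [(ev["cli_source"], ev["data"]) for ev in _by_time(evs)]
            for key, evs in sessions.items()}


def container_commands(events):
    """Commands issued inside a container, as (container_id, username, data), in time order."""
    return [(ev["container_id"], ev["username"], ev["data"])
            for ev in _by_time(events) if ev["container_id"]]


def readline_only(events):
    """READLINE lines with no PROCESS record of the same text in the same session.
    Assumes SLS records both sources for a command that execs (example assumption);
    what is left over then points at builtins or aliases that never reached execve."""
    executed = defaultdict(set)
    for ev in events:
        if ev["cli_source"] == "PROCESS":
            executed[ev["cli_process_uuid"]].add(ev["data"])
    return [(ev["cli_process_uuid"], ev["data"])
            for ev in _by_time(events)
            if ev["cli_source"] == "READLINE"
            and ev["data"] not in executed[ev["cli_process_uuid"]]]


if __name__ == "__main__":
    for session, lines in session_timelines(EVENTS).items():
        print(session, lines)
    print("in containers:", container_commands(EVENTS))
    print("typed but never exec'd:", readline_only(EVENTS))
```

Sorting on `monotime_nanos` rather than `unix_nano_timestamp` is deliberate: the monotonic clock cannot jump backwards if the wall clock is adjusted, so it gives the reliable ordering within one sensor, while `unix_nano_timestamp` is what you use to line events up with logs from other hosts.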
Table: container_events
Container is a MetaEvent that represents all container events: create, running, exited, destroyed. It's used in investigations.
| Name | Datatype | Description/Attributes |
|---|---|---|
| unix_nano_timestamp | int64 | UnixNanoTimestamp is the unixnano timestamp for when the container event occurred. |
| container_id | utf8 | ContainerID is the unique identifier for a running container instance. |
| incident_id | utf8 | IncidentID is the ID of the overall incident. This will be present if the container event is part of an incident. |
| sensor_id | utf8 | SensorID is the unique identifier for SLS. |
| process_uuid | utf8 | ProcessUUID is a unique ID that represents the unique process. |
| event_type | int32 | EventType represents the container event type. Unknown(0): an unknown container action occurred; Created(1): a container was created; Started(2): a container was started; Exited(3): a container was exited; Destroyed(4): a container was destroyed. |
| container_name | utf8 | ContainerName is the name assigned to the container. |
| image_id | utf8 | ImageID is the unique image ID that the container was built from. |
| image_name | utf8 | ImageName is the name of the image that the container was built from. |
| pod_name | utf8 | PodName is the name of the Kubernetes pod if applicable. |
| namespace | utf8 | Namespace is the Kubernetes namespace for the pod if applicable. |
| event_type_name | utf8 | EventTypeName is the name for the event type that occurred. Unknown(0): an unknown container action occurred; Created(1): a container was created; Started(2): a container was started; Exited(3): a container was exited; Destroyed(4): a container was destroyed. |
| audit_group_id | utf8 | AuditGroupID is the ID of the overall audit group event. This will be present if the event is part of an audit group event. |