# Datamodel Reference

This is a reference guide for the PADAS datamodels, which can be used as a convention for easy integration with out-of-the-box PADAS rules as well as integrations with external systems. The sections below provide detailed field information for each datamodel.
## Endpoint Listening Port

Datamodel Name: endpointListeningPort

| Field Name | Data Type | Description | Example |
|---|---|---|---|
| dest | string | The endpoint on which the port is listening. | 10.10.1.1 |
| destPort | string | The network port listening on the endpoint. | 80 |
| processGuid | string | The globally unique identifier of the process assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
| processId | string | The numeric identifier of the process assigned by the operating system. | 456 |
| src | string | The "remote" system connected to the listening port (if applicable). | 192.168.1.10 |
| srcPort | string | The "remote" port connected to the listening port (if applicable). | 4567 |
| state | string | The status of the listening port. | listening |
| transport | string | The network transport protocol associated with the listening port. | tcp |
| user | string | The user account associated with the listening port. | |
## Endpoint Process

Datamodel Name: endpointProcess

| Field Name | Data Type | Description | Example |
|---|---|---|---|
| action | string | The action taken by the endpoint. | access |
| accessLevel | string | Permissions level at which the target process is accessed. | 0x40 |
| callTrace | string | The stack trace showing the context of a process open/access call. | C:\Windows\SYSTEM32\ntdll.dll+a5594\|C:\Windows\system32\KERNELBASE.dll+1e865 |
| dest | string | The endpoint on which the process was spawned. | 10.10.1.1 |
| parentProcess | string | All of the arguments passed to the parent process upon execution. | C:\path\example.exe /flag1 |
| parentProcessExec | string | The executable name of the parent process. | example.exe |
| parentProcessGuid | string | The globally unique identifier of the parent process assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
| parentProcessId | string | The numeric identifier of the parent process assigned by the operating system. | 837 |
| parentProcessPath | string | The file path of the executable associated with this parent process. | C:\path\to\example.exe |
| process | string | All of the arguments passed to the process upon execution. | C:\path\example.exe /flag1 |
| processCurrentDirectory | string | The absolute path to the current working directory of the process. | c:\windows\system32\ |
| processExec | string | The executable name of the process. | example.exe |
| processGuid | string | The globally unique identifier of the process assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
| processHash | string | The digests of the contents of the file located at processPath, computed using md5, sha1, etc. | 5eb63bbbe01eeed093cb22bb8f5acdc3 |
| processId | string | The numeric identifier of the process assigned by the operating system. | 837 |
| processIntegrityLevel | string | The Windows integrity level associated with the process. MUST be one of: low, medium, high, or system. | medium |
| processPath | string | The file path of the executable associated with this process. | C:\path\to\example.exe |
| user | string | The user account that spawned the process. | LOCALUSER |
| userId | string | The unique identifier of the user account which spawned the process. For Windows, this is the security identifier (SID). | S-1-5-18 |
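The table above is only useful if incoming telemetry is actually reshaped to it. The following is an added example, not code from the PADAS project, that maps a raw process-creation event onto the endpointProcess fields and then validates the result against the field list: every field must be a string, no field outside the datamodel is allowed, and processIntegrityLevel must be one of the four enumerated values. The raw event layout (Sysmon-style field names such as Image and ParentImage), the sample event, and the helper names normalize and validate are assumptions made for this example; the same pattern applies to the other datamodels on this page by swapping the field set and mapping.

```python
"""Added example: normalize a raw process event into the PADAS endpointProcess
datamodel and validate it. The raw field names, the mapping and the sample
event below are assumptions for this example, not part of PADAS."""
import ntpath
from typing import Dict, List

# Every endpointProcess field in the reference table is typed "string".
ENDPOINT_PROCESS_FIELDS = {
    "action", "accessLevel", "callTrace", "dest", "parentProcess",
    "parentProcessExec", "parentProcessGuid", "parentProcessId",
    "parentProcessPath", "process", "processCurrentDirectory", "processExec",
    "processGuid", "processHash", "processId", "processIntegrityLevel",
    "processPath", "user", "userId",
}
# The reference says processIntegrityLevel MUST be one of these values.
INTEGRITY_LEVELS = {"low", "medium", "high", "system"}

# Raw -> datamodel field mapping. The raw (left-hand) names are assumed.
RAW_TO_MODEL = {
    "Computer": "dest",
    "Image": "processPath",
    "CommandLine": "process",
    "ProcessGuid": "processGuid",
    "ProcessId": "processId",
    "ParentImage": "parentProcessPath",
    "ParentCommandLine": "parentProcess",
    "ParentProcessGuid": "parentProcessGuid",
    "ParentProcessId": "parentProcessId",
    "CurrentDirectory": "processCurrentDirectory",
    "Hashes": "processHash",
    "IntegrityLevel": "processIntegrityLevel",
    "User": "user",
    "UserSid": "userId",
}


def normalize(raw: Dict[str, object], action: str = "create") -> Dict[str, str]:
    """Map a raw event onto endpointProcess fields. Values are coerced to str
    (the datamodel types every field as string), the *Exec fields are derived
    from the *Path fields, and the integrity level is lower-cased so it matches
    the enumerated spelling in the reference."""
    event = {"action": action}
    for raw_key, model_key in RAW_TO_MODEL.items():
        if raw.get(raw_key) is not None:
            event[model_key] = str(raw[raw_key])
    if "processPath" in event:
        event["processExec"] = ntpath.basename(event["processPath"])
    if "parentProcessPath" in event:
        event["parentProcessExec"] = ntpath.basename(event["parentProcessPath"])
    if "processIntegrityLevel" in event:
        event["processIntegrityLevel"] = event["processIntegrityLevel"].lower()
    return event


def validate(event: Dict[str, object]) -> List[str]:
    """Return a list of conformance problems; an empty list means the event
    matches the endpointProcess datamodel."""
    problems: List[str] = []
    for key, value in event.items():
        if key not in ENDPOINT_PROCESS_FIELDS:
            problems.append(f"unknown field: {key}")
        elif not isinstance(value, str):
            problems.append(f"{key} must be a string, got {type(value).__name__}")
    level = event.get("processIntegrityLevel")
    if level is not None and level not in INTEGRITY_LEVELS:
        problems.append(
            f"processIntegrityLevel {level!r} not in {sorted(INTEGRITY_LEVELS)}")
    return problems


# Constructed sample event (not real telemetry) in the assumed raw layout.
SAMPLE_RAW = {
    "Computer": "10.10.1.1",
    "Image": "C:\\path\\to\\example.exe",
    "CommandLine": "C:\\path\\example.exe /flag1",
    "ProcessGuid": "{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}",
    "ProcessId": 837,
    "ParentImage": "C:\\path\\to\\parent.exe",
    "ParentCommandLine": "C:\\path\\to\\parent.exe",
    "ParentProcessId": 412,
    "CurrentDirectory": "c:\\windows\\system32\\",
    "Hashes": "5eb63bbbe01eeed093cb22bb8f5acdc3",
    "IntegrityLevel": "Medium",
    "User": "LOCALUSER",
    "UserSid": "S-1-5-18",
}

if __name__ == "__main__":
    ev = normalize(SAMPLE_RAW)
    print(ev["processExec"], ev["processIntegrityLevel"], validate(ev))
```

Running the block prints `example.exe medium []`. Keeping the numeric raw identifiers (ProcessId, ParentProcessId) as strings matters for rule matching: a rule written against the datamodel compares processId as a string, so an event that carries the integer 837 would silently fail to match.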
## Endpoint Service

Datamodel Name: endpointService

| Field Name | Data Type | Description | Example |
|---|---|---|---|
| action | string | The action performed on the service. | create |
| dest | string | The endpoint on which the service is installed. | 10.10.1.1 |
| name | string | The name of the service. | RpcSs |
| parentProcessId | string | The numeric identifier of the parent process assigned by the operating system. | 837 |
| process | string | All of the arguments passed to the process upon execution. | C:\path\example.exe /flag1 |
| processExec | string | The executable name of the process. | example.exe |
| processGuid | string | The globally unique identifier of the process assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
| processHash | string | The digests of the contents of the file located at processPath, computed using md5, sha1, etc. | 5eb63bbbe01eeed093cb22bb8f5acdc3 |
| processId | string | The numeric identifier of the process assigned by the operating system. | 837 |
| processPath | string | The file path of the executable associated with this process. | C:\path\to\example.exe |
| startMode | string | The start mode for the service. | disabled |
| status | string | The status of the service. | started |
| user | string | The user account that spawned the process. | LOCALUSER |
| userId | string | The unique identifier of the user account which spawned the process. For Windows, this is the security identifier (SID). | S-1-5-18 |
## Endpoint File

Datamodel Name: endpointFile

| Field Name | Data Type | Description | Example |
|---|---|---|---|
| action | string | The action performed on the resource. | create |
| dest | string | The endpoint on which the filesystem activity takes place. | 10.10.1.1 |
| fileCreationTime | string | The creation time of the file. | 05/14/2015 12:47:06 |
| fileHash | string | The digests of the contents of the file located at filePath, computed using md5, sha1, etc. | 5eb63bbbe01eeed093cb22bb8f5acdc3 |
| fileGroup | string | The group owner of the file. | admin |
| fileGroupId | string | The group ID of the file. | 801 |
| fileMode | string | The mode or permissions set of the file. | 0644 (linux) or NTFS ACL |
| fileName | string | The name of the file. | MyWordDoc.docx |
| fileOwner | string | The username of the owner of the file. | adam |
| fileOwnerId | string | The user ID or SID of the owner of the file. | 501 |
| filePath | string | The full path to the file on the file system. | C:\users\fakeuser\documents\MyFile.docx |
| parentProcessId | string | The numeric identifier of the parent process assigned by the operating system. | 837 |
| process | string | All of the arguments passed to the process upon execution. | C:\path\example.exe /flag1 |
| processExec | string | The executable name of the process. | example.exe |
| processGuid | string | The globally unique identifier of the process assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
| processId | string | The numeric identifier of the process assigned by the operating system. | 837 |
| processPath | string | The file path of the executable associated with this process. | C:\path\to\example.exe |
| user | string | The user account that spawned the process. | LOCALUSER |
| userId | string | The unique identifier of the user account which spawned the process. For Windows, this is the security identifier (SID). | S-1-5-18 |
## Endpoint Registry

Datamodel Name: endpointRegistry

| Field Name | Data Type | Description | Example |
|---|---|---|---|
| action | string | The action performed on the resource. | create |
| dest | string | The endpoint on which the registry activity takes place. | 10.10.1.1 |
| process | string | All of the arguments passed to the process upon execution. | C:\path\example.exe /flag1 |
| processGuid | string | The globally unique identifier of the process assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
| processId | string | The numeric identifier of the process assigned by the operating system. | 456 |
| registryHive | string | The logical group of keys, subkeys, and values in the registry. | HKEY_CURRENT_USER |
| registryKey | string | The registry key specified in the event. Similar to a folder in a traditional file system. | HKLM\SYSTEM\CurrentControlSet\services\RpcSs |
| registryValueName | string | The descriptive name for the data being stored in the key. | InstalledVersion |
| registryValueData | string | The contents of the value, typically a text string. | %SystemRoot%\system32\svchost.exe -k rpcss |
| registryValueType | string | The type of data being stored in the value. Types include binary data, 32-bit numbers, strings, etc. | REG_SZ |
| status | string | The outcome of the registry action. | failure |
| user | string | The user account associated with the registry action. | |