Datamodel Reference
This is a reference guide for the Padas datamodels. The datamodels define a field-naming convention that allows normalized events to work with the out-of-the-box PADAS rules and with integrations to external systems.
The sections below provide detailed field information for each datamodel.
Endpoint Listening Port
Datamodel Name: EndpointListeningPort
Field Name | Data Type | Description | Example |
---|---|---|---|
dest | string | The endpoint on which the port is listening. | 10.10.1.1 |
dest_port | string | The network port listening on the endpoint. | 80 |
process_guid | string | The globally unique identifier of the process, assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
process_id | string | The numeric identifier of the process, assigned by the operating system. | 456 |
src | string | The "remote" system connected to the listening port (if applicable). | 192.168.1.10 |
src_port | string | The "remote" port connected to the listening port (if applicable). | 4567 |
state | string | The state of the listening port. | established |
transport | string | The network transport protocol associated with the listening port. | tcp, udp |
user | string | The user account associated with the listening port. | LOCALSYSTEM |
Endpoint Process
Datamodel Name: EndpointProcess
Field Name | Data Type | Description | Example |
---|---|---|---|
action | string | The action taken on or by the process. | access, create, terminate, allowed, blocked |
access_level | string | The permission level (access mask) with which the target process is accessed. | 0x40 |
call_trace | string | The stack trace showing the context of a process open/access call. | C:\Windows\SYSTEM32\ntdll.dll+a5594 C:\Windows\system32\KERNELBASE.dll+1e865 |
dest | string | The endpoint on which the process was spawned. | 10.10.1.1 |
parent_process | string | The full command line of the parent process, including all arguments passed on execution. | C:\path\example.exe /flag1 |
parent_process_exec | string | The executable name of the parent process. | example.exe |
parent_process_guid | string | The globally unique identifier of the parent process, assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
parent_process_id | string | The numeric identifier of the parent process, assigned by the operating system. | 837 |
parent_process_path | string | The file path of the executable associated with the parent process. | C:\path\to\example.exe |
process | string | The full command line of the process, including all arguments passed on execution. | C:\path\example.exe /flag1 |
process_current_directory | string | The absolute path to the current working directory of the process. | c:\windows\system32\ |
process_exec | string | The executable name of the process. | example.exe |
process_guid | string | The globally unique identifier of the process, assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
process_hash | string | A digest (md5, sha1, etc.) of the contents of the file located at process_path. | 5eb63bbbe01eeed093cb22bb8f5acdc3 |
process_id | string | The numeric identifier of the process, assigned by the operating system. | 837 |
process_integrity_level | string | The Windows integrity level associated with the process. MUST be one of: low, medium, high, or system. | medium |
process_path | string | The file path of the executable associated with this process. | C:\path\to\example.exe |
user | string | The user account that spawned the process. | LOCALUSER |
user_id | string | The unique identifier of the user account that spawned the process. On Windows this is the security identifier (SID). | S-1-5-18 |
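As an added example (not PADAS code), the following Python normalizer maps a Sysmon-style process-creation event onto the EndpointProcess field names above and enforces what the table states: every field is emitted as a string, process_exec and parent_process_exec are derived from the corresponding path fields, and process_integrity_level is checked against the allowed set. The vendor-side field names (Image, CommandLine, IntegrityLevel, Hashes, ...), the hash preference order and the sample event are assumptions constructed for this example.

```python
"""Normalize a Sysmon-style process-creation event into the EndpointProcess
datamodel and enforce the constraints the field table states.

Added example, not PADAS code. The vendor-side field names follow Sysmon
Event ID 1 conventions (an assumption) and the sample event below is
constructed, not a captured log.
"""
import ntpath

# Allowed values as stated in the EndpointProcess table.
INTEGRITY_LEVELS = {"low", "medium", "high", "system"}
PROCESS_ACTIONS = {"access", "create", "terminate", "allowed", "blocked"}

# Assumed vendor field -> datamodel field mapping (left-hand side is an assumption).
FIELD_MAP = {
    "Computer": "dest",
    "Image": "process_path",
    "CommandLine": "process",
    "ProcessGuid": "process_guid",
    "ProcessId": "process_id",
    "CurrentDirectory": "process_current_directory",
    "ParentImage": "parent_process_path",
    "ParentCommandLine": "parent_process",
    "ParentProcessGuid": "parent_process_guid",
    "ParentProcessId": "parent_process_id",
    "User": "user",
}

# process_hash holds a single string; when several digests arrive, keep the
# strongest one (this preference order is an assumption).
HASH_PREFERENCE = ("sha256", "sha1", "md5")


def parse_hashes(hashes: str) -> dict:
    """Split 'MD5=...,SHA256=...' into {'md5': '...', 'sha256': '...'} (lowercased)."""
    digests = {}
    for part in hashes.split(","):
        algo, sep, digest = part.partition("=")
        if sep:
            digests[algo.strip().lower()] = digest.strip().lower()
    return digests


def normalize_process_event(raw: dict, action: str = "create") -> dict:
    """Return an EndpointProcess record, or raise ValueError on a constraint violation."""
    if action not in PROCESS_ACTIONS:
        raise ValueError(f"action must be one of {sorted(PROCESS_ACTIONS)}, got {action!r}")
    event = {"action": action}

    # Every datamodel field is typed string, so numeric IDs are stringified.
    for vendor_field, model_field in FIELD_MAP.items():
        if raw.get(vendor_field) is not None:
            event[model_field] = str(raw[vendor_field])

    # *_exec is the executable name, i.e. the last component of *_path.
    for path_field, exec_field in (("process_path", "process_exec"),
                                   ("parent_process_path", "parent_process_exec")):
        if path_field in event:
            event[exec_field] = ntpath.basename(event[path_field])

    # The source reports "Medium"/"High"/...; the model requires the lowercase enum
    # and nothing else, so a level outside the set is rejected rather than guessed.
    level = raw.get("IntegrityLevel")
    if level is not None:
        level = level.strip().lower()
        if level not in INTEGRITY_LEVELS:
            raise ValueError(
                f"process_integrity_level must be one of {sorted(INTEGRITY_LEVELS)}, got {level!r}")
        event["process_integrity_level"] = level

    digests = parse_hashes(raw.get("Hashes", ""))
    for algo in HASH_PREFERENCE:
        if algo in digests:
            event["process_hash"] = digests[algo]
            break
    return event


# Constructed sample event (not a real log).
SAMPLE_EVENT = {
    "Computer": "10.10.1.1",
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "cmd.exe /c whoami",
    "ProcessGuid": "{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}",
    "ProcessId": 837,
    "CurrentDirectory": "C:\\Users\\alice\\",
    "ParentImage": "C:\\Windows\\explorer.exe",
    "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
    "ParentProcessId": 412,
    "User": "CORP\\alice",
    "IntegrityLevel": "Medium",
    "Hashes": "MD5=5EB63BBBE01EEED093CB22BB8F5ACDC3,"
              "SHA256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
}

if __name__ == "__main__":
    for name, value in sorted(normalize_process_event(SAMPLE_EVENT).items()):
        print(f"{name:28} {value}")
```

The strict check on process_integrity_level matters in practice: Windows also reports levels such as AppContainer and Untrusted that the datamodel does not admit, and failing at normalization time is preferable to shipping events that out-of-the-box rules keyed on the four allowed values will silently never match.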
Endpoint Service
Datamodel Name: EndpointService
Field Name | Data Type | Description | Example |
---|---|---|---|
action | string | The action performed on the service. | create, delete, pause, start, stop |
dest | string | The endpoint on which the service is installed. | 10.10.1.1 |
name | string | The name of the service. | RpcSs |
parent_process_id | string | The numeric identifier of the parent process, assigned by the operating system. | 837 |
process | string | The full command line of the process, including all arguments passed on execution. | C:\path\example.exe /flag1 |
process_exec | string | The executable name of the process. | example.exe |
process_guid | string | The globally unique identifier of the process, assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
process_hash | string | A digest (md5, sha1, etc.) of the contents of the file located at process_path. | 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed |
process_id | string | The numeric identifier of the process, assigned by the operating system. | 837 |
process_path | string | The file path of the executable associated with this process. | C:\path\to\example.exe |
start_mode | string | The start mode of the service. | disabled, manual, auto |
status | string | The status of the service. | started, stopped, warning, critical |
user | string | The user account that spawned the process. | LOCALUSER |
user_id | string | The unique identifier of the user account that spawned the process. On Windows this is the security identifier (SID). | S-1-5-18 |
Endpoint File
Datamodel Name: EndpointFile
Field Name | Data Type | Description | Example |
---|---|---|---|
action | string | The action performed on the file. | create, delete, modify, read, write |
dest | string | The endpoint on which the filesystem activity takes place. | 10.10.1.1 |
file_creation_time | string | The creation time of the file. | 05/14/2015 12:47:06 |
file_hash | string | A digest (md5, sha1, etc.) of the contents of the file located at file_path. | 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed |
file_group | string | The group owner of the file. | admin |
file_group_id | string | The group ID of the file's group owner. | 801 |
file_mode | string | The mode or permission set of the file. | 0644 (Linux) or an NTFS ACL |
file_name | string | The name of the file. | MyWordDoc.docx |
file_owner | string | The username of the owner of the file. | adam |
file_owner_id | string | The user ID or SID of the owner of the file. | 501 |
file_path | string | The full path to the file on the file system. | C:\users\fakeuser\documents\MyFile.docx |
parent_process_id | string | The numeric identifier of the parent process, assigned by the operating system. | 837 |
process | string | The full command line of the process, including all arguments passed on execution. | C:\path\example.exe /flag1 |
process_exec | string | The executable name of the process. | example.exe |
process_guid | string | The globally unique identifier of the process, assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
process_id | string | The numeric identifier of the process, assigned by the operating system. | 837 |
process_path | string | The file path of the executable associated with this process. | C:\path\to\example.exe |
user | string | The user account that spawned the process. | LOCALUSER |
user_id | string | The unique identifier of the user account that spawned the process. On Windows this is the security identifier (SID). | S-1-5-18 |
Endpoint Registry
Datamodel Name: EndpointRegistry
Field Name | Data Type | Description | Example |
---|---|---|---|
action | string | The action performed on the registry key or value. | create, delete, modify, read |
dest | string | The endpoint on which the registry activity takes place. | 10.10.1.1 |
process | string | The full command line of the process, including all arguments passed on execution. | C:\path\example.exe /flag1 |
process_guid | string | The globally unique identifier of the process, assigned by the vendor_product. | {f81d4fae-7dec-11d0-a765-00a0c91e6bf6} |
process_id | string | The numeric identifier of the process, assigned by the operating system. | 456 |
registry_hive | string | The logical group of keys, subkeys, and values in the registry. | HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE |
registry_key | string | The registry key specified in the event. Similar to a folder in a traditional file system. | HKLM\SYSTEM\CurrentControlSet\services\RpcSs |
registry_value_name | string | The name of the value stored under the key. | InstalledVersion |
registry_value_data | string | The contents of the value, typically a text string. | %SystemRoot%\system32\svchost.exe -k rpcss |
registry_value_type | string | The type of data stored in the value (binary data, 32-bit numbers, strings, etc.). | REG_SZ, REG_MULTI_SZ, REG_DWORD, REG_BINARY, REG_QWORD |
status | string | The outcome of the registry action. | failure, success |
user | string | The user account that performed the registry action. | LOCALSYSTEM |
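As an added example (not PADAS code), the following Python normalizer shows how a registry event's target path is split into registry_hive, registry_key and registry_value_name, how the event type is mapped onto the action field, and how registry_value_type is validated. The vendor event types and field names (EventType, TargetObject, Details, ValueType, ...) and the sample events are assumptions modelled loosely on Sysmon registry events; the root-key abbreviations beyond HKLM and HKEY_CURRENT_USER are the standard Windows ones and do not come from this page.

```python
"""Normalize a Sysmon-style registry event into the EndpointRegistry datamodel.

Added example, not PADAS code. EventType, TargetObject, Details and ValueType
are assumed vendor field names (modelled loosely on Sysmon Event IDs 12/13)
and the sample events below are constructed, not captured logs.
"""
from typing import Optional, Tuple

# Root-key abbreviations -> the hive names the model expects. HKLM and
# HKEY_CURRENT_USER appear in the table; the rest are the standard Windows
# abbreviations (assumption). Full names map to themselves so both spellings work.
HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKCC": "HKEY_CURRENT_CONFIG",
}
HIVES.update({full: full for full in list(HIVES.values())})

# Value types listed in the table, plus REG_EXPAND_SZ (the table's "etc." leaves room for it).
VALUE_TYPES = {"REG_SZ", "REG_MULTI_SZ", "REG_EXPAND_SZ", "REG_DWORD", "REG_QWORD", "REG_BINARY"}

# Assumed vendor event types -> (model action, whether TargetObject ends in a value name).
EVENT_TYPES = {
    "CreateKey": ("create", False),
    "DeleteKey": ("delete", False),
    "SetValue": ("modify", True),
    "DeleteValue": ("delete", True),
}


def split_target(target: str, has_value_name: bool) -> Tuple[str, str, Optional[str]]:
    """Split 'HKLM\\SYSTEM\\...\\RpcSs\\ImagePath' into (hive, key, value_name)."""
    root = target.split("\\", 1)[0]
    hive = HIVES.get(root.upper())
    if hive is None:
        raise ValueError(f"unknown registry root {root!r} in {target!r}")
    if not has_value_name:
        return hive, target, None
    key, sep, value_name = target.rpartition("\\")
    if not sep:
        raise ValueError(f"value event without a key path: {target!r}")
    return hive, key, value_name


def normalize_registry_event(raw: dict) -> dict:
    """Return an EndpointRegistry record, or raise ValueError on malformed input."""
    if raw.get("EventType") not in EVENT_TYPES:
        raise ValueError(f"unsupported EventType {raw.get('EventType')!r}")
    action, has_value_name = EVENT_TYPES[raw["EventType"]]
    hive, key, value_name = split_target(raw["TargetObject"], has_value_name)

    event = {
        "action": action,
        "dest": str(raw["Computer"]),
        "process": raw.get("CommandLine"),
        "process_guid": raw.get("ProcessGuid"),
        "process_id": str(raw["ProcessId"]),  # every model field is a string
        "user": raw.get("User"),
        "registry_hive": hive,
        "registry_key": key,
        "status": "success",  # assumption: the source only reports operations that completed
    }
    if value_name is not None:
        event["registry_value_name"] = value_name
    if raw["EventType"] == "SetValue":
        value_type = str(raw.get("ValueType", "")).upper()
        if value_type not in VALUE_TYPES:
            raise ValueError(
                f"registry_value_type must be one of {sorted(VALUE_TYPES)}, got {value_type!r}")
        event["registry_value_type"] = value_type
        event["registry_value_data"] = str(raw["Details"])
    # Drop fields the source did not supply rather than emitting empty strings.
    return {name: value for name, value in event.items() if value is not None}


# Constructed sample events (not captured logs).
SAMPLE_EVENTS = [
    {
        "EventType": "SetValue",
        "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RpcSs\\ImagePath",
        "Details": "%SystemRoot%\\system32\\svchost.exe -k rpcss",
        "ValueType": "REG_EXPAND_SZ",
        "Computer": "10.10.1.1",
        "ProcessId": 456,
        "ProcessGuid": "{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}",
        "CommandLine": "C:\\Windows\\system32\\services.exe",
        "User": "NT AUTHORITY\\SYSTEM",
    },
    {
        "EventType": "CreateKey",
        "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Computer": "10.10.1.1",
        "ProcessId": 4120,
        "CommandLine": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe /s",
        "User": "CORP\\alice",
    },
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(normalize_registry_event(raw))
```

registry_key keeps the root as the source wrote it (matching the HKLM\... example in the table) while registry_hive always carries the full hive name, so a rule that matches on registry_hive sees one consistent value whether the sensor spelled the root HKLM or HKEY_LOCAL_MACHINE.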