AgentX Linux field mappings
Unix Sysmon
Event ID: 1

| Unix Field | Logpoint Field |
|---|---|
| EventData_Domain | caller_domain |
| EventData_IntegrityLevel | integrity_level |
| EventData_ParentUser | parent_user |

Event ID: 3

| Unix Field | Logpoint Field |
|---|---|
| EventData_Initiated | is_initiated |

Event ID: 4

| Unix Field | Logpoint Field |
|---|---|
| EventData_SchemaVersion | schema_version |
| EventData_State | status |
| EventData_Version | version |

Event ID: 16

| Unix Field | Logpoint Field |
|---|---|
| EventData_Configuration | file |

Event ID: 23

| Unix Field | Logpoint Field |
|---|---|
| EventData_IsExecutable | is_executable |
| EventData_Archived | is_archived |
Unix Sysmon Generic Taxonomy

| Unix Field | Logpoint Field |
|---|---|
| agent_name | agentx_agent |
| agent_ip | agentx_agent_address |
| decoder_name | agentx_decoder |
| EventData_AccountName | user |
| EventData_CommandLine | command |
| EventData_Company | vendor |
| EventData_CreationUtcTime | creation_ts |
| EventData_CurrentDirectory | path |
| EventData_Description | description |
| EventData_DestinationHostname | destination_host |
| EventData_DestinationIp | destination_address |
| EventData_DestinationIsIpv6 | is_destination_ipv6 |
| EventData_DestinationPort | destination_port |
| EventData_DestinationPortName | service |
| EventData_EventType | event_type |
| EventData_FileVersion | file_version |
| EventData_Image | image |
| EventData_LogonGuid | logon_guid |
| EventData_LogonId | logon_id |
| EventData_OriginalFileName | file |
| EventData_ParentCommandLine | parent_command |
| EventData_ParentImage | parent_image |
| EventData_ParentProcessGuid | parent_process_guid |
| EventData_ParentProcessId | parent_process_id |
| EventData_ProcessGuid | process_guid |
| EventData_ProcessId | process_id |
| EventData_Product | application |
| EventData_Protocol | protocol |
| EventData_QueryName | query |
| EventData_QueryStatus | status |
| EventData_RuleName | rule |
| EventData_SourceHostname | source_host |
| EventData_SourceIp | source_address |
| EventData_SourceIsIpv6 | is_source_ipv6 |
| EventData_SourcePort | source_port |
| EventData_TargetFilename | target_file |
| EventData_TerminalSessionId | session_id |
| EventData_User | user |
| EventData_UtcTime | utc_ts |
| id | id |
| location | location |
| manager_name | agentx_manager |
| System_Channel | channel |
| System_Computer | host |
| System_EventID | event_id |
| System_EventRecordID | record_id |
| System_Keywords | keyword |
| System_Level | severity |
| System_Opcode | opcode_value |
| System_Execution_ProcessID | execution_process_id |
| System_Security_UserId | user_id |
| System_Provider_Guid | guid |
| System_Provider_Name | event_source |
| System_SeverityValue | log_level |
| System_TimeCreated_SystemTime | log_ts |
| System_Task | task_value |
| System_Execution_ThreadID | execution_thread_id |
| System_Version | version |
| timestamp | event_received_ts |
| AllowHardTerminate | allow_hard_terminate |
| AllowStartOnDemand | allow_start_on_demand |
| Arguments | argument |
| Author | author |
| ClassId | class_id |
| Command | command |
| Count | restart_failure_count |
| Data | data |
| DataOffset | data_offset |
| Date | date |
| DaysInterval | days_interval |
| Deadline | deadline |
| Delay | delay |
| Description | description |
| DisallowStartIfOnBatteries | disallow_start_if_on_batteries |
| DisallowStartOnRemoteAppSession | disallow_start_on_remote_app_session |
| Duration | duration |
| Enabled | enabled |
| Exclusive | exclusive |
| ExecutionTimeLimit | execution_time_limit |
| GroupId | group_id |
| Hidden | hidden |
| Interval | restart_failure_interval |
| LogonType | logon_type |
| MultipleInstancesPolicy | multiple_instance_policy |
| Period | period |
| Priority | priority |
| RandomDelay | random_delay |
| RestartOnIdle | restart_on_idle |
| RunLevel | run_level |
| RunOnlyIfIdle | run_only_if_idle |
| RunOnlyIfNetworkAvailable | run_only_if_network_available |
| SecurityDescriptor | sd |
| Source | source |
| StartBoundary | start_ts |
| StartWhenAvailable | start_when_available |
| StateChange | state_change |
| StateName | state_name |
| StopAtDurationEnd | stop_at_duration_end |
| StopIfGoingOnBatteries | stop_if_going_on_batteries |
| StopOnIdleEnd | stop_on_idle_end |
| URI | url |
| UseUnifiedSchedulingEngine | use_unified_scheduling_engine |
| UserId | user_id |
| Version | version |
| WaitTimeout | wait_timeout |
| WakeToRun | wake_to_run |
| access_list | access_list |
| action | action |
| description | description |
| integrity_label | integrity_label |
| logon_category | logon_category |
| message | message |
| object | object |
| right | right |
| rule_description | rule_description |
| rule_firedtimes | rule_trigger_count |
| rule_frequency | rule_frequency |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_level | rule_level |
| rule_mail | rule_mail |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
Unix Audit Log Taxonomy

| Unix Field | Logpoint Field |
|---|---|
| ARCH | processor_architecture |
| AUID | audit_user |
| EGID | effective_group |
| EUID | effective_user |
| FSGID | file_system_group |
| FSUID | file_system_user |
| GID | group |
| OGID | owner_group |
| PPID | parent_process |
| SAUID | sender_audit_user |
| SGID | set_group |
| SPID | sent_process |
| SUID | set_user |
| SYSCALL | system_call |
| UID | user |
| a0 | argument0 |
| a1 | argument1 |
| a10 | argument10 |
| a11 | argument11 |
| a12 | argument12 |
| a13 | argument13 |
| a14 | argument14 |
| a15 | argument15 |
| a16 | argument16 |
| a17 | argument17 |
| a18 | argument18 |
| a19 | argument19 |
| a2 | argument2 |
| a20 | argument20 |
| a3 | argument3 |
| a4 | argument4 |
| a5 | argument5 |
| a6 | argument6 |
| a7 | argument7 |
| a8 | argument8 |
| a9 | argument9 |
| acct | user |
| addr | source_address |
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_name | agentx_agent |
| algo | algorithm |
| arch | processor_architecture |
| argc | argument_count |
| auid | audit_user_id |
| cap_fi | inherited_file_system_privilege |
| cap_fp | permitted_file_system_privilege |
| cap_pe | effective_process_privilege |
| cap_pi | inherited_process_privilege |
| cap_pp | permitted_process_privilege |
| capability | privilege |
| cgroup | path |
| cmd | command |
| comm | command |
| cwd | path |
| decoder_name | agentx_decoder |
| dev | device_id |
| devmajor | major_device_id |
| devminor | minor_device_id |
| egid | effective_group_id |
| euid | effective_user_id |
| exe | path |
| exit | status_code |
| family | address_type |
| fd | file_descriptor |
| filetype | file_type |
| flags | flag |
| fsgid | file_system_group_id |
| fsuid | file_system_user_id |
| fver | version |
| gid | group_id |
| hostname | hostname |
| icmptype | icmp_type |
| ino | inode |
| inode | inode |
| inode_gid | inode_group_id |
| inode_uid | inode_user_id |
| items | item_count |
| key | key |
| ksize | key_size |
| laddr | destination_address |
| list | list_id |
| log_type | log_level |
| lport | destination_port |
| manager_name | agentx_manager |
| message_id | message_id |
| mode | permission |
| msgtype | message_type |
| name | path |
| nametype | path_type |
| new auid | audit_user_id |
| new ses | session_id |
| new-disk | disk |
| new-mem | virtual_memory_size |
| new-net | hardware_address |
| new-vcpu | virtual_cpu_count |
| new_gid | group_id |
| new_pe | pe |
| new_pi | pi |
| new_pp | pp |
| oauid | user |
| obj | object |
| obj_gid | object_group_id |
| obj_lev_high | object_level_high |
| obj_lev_low | object_level_low |
| obj_role | role |
| obj_uid | object_id |
| obj_user | user |
| ocomm | command |
| ogid | owner_group_id |
| old auid | old_audit_user_id |
| old ses | old_session_id |
| old-disk | old_disk |
| old-mem | old_memory |
| old-net | old_hardware_address |
| old-vcpu | old_cpu_count |
| old_prom | old_flag |
| op | action |
| opid | target_process_id |
| oses | target_session_id |
| ouid | user_id |
| path | path |
| perm | permission |
| pid | process_id |
| ppid | parent_process_id |
| prom | flag |
| proto | protocol |
| rdev | recorded_device_id |
| record_id | record_id |
| res | status |
| result | status |
| rport | source_port |
| rule_description | rule_description |
| rule_firedtimes | rule_trigger_count |
| rule_frequency | rule_frequency |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_level | rule_level |
| rule_mail | rule_mail |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| saddr | socket_address |
| sauid | sender_audit_user_id |
| scontext | source_context |
| ses | session_id |
| sgid | set_group_id |
| sig | signal_count |
| size | datasize |
| spid | sent_process_id |
| subj | subject |
| subj_clr | subject_clearance |
| subj_role | role |
| subj_sen | sensitivity |
| subj_user | user |
| subject | context subject |
| success | is_success |
| suid | set_user_id |
| syscall | system_call_id |
| tclass | target_class |
| tcontext | target_context |
| terminal | terminal |
| timestamp | event_received_ts |
| tty | terminal_type |
| type | event_type |
| uid | user_id |
| user pid | process_id |
| vm | virtual_machine |
File Integrity Monitoring

| Unix Field | Logpoint Field |
|---|---|
| Author | author |
| Command | command |
| Data | data |
| Description | description |
| Duration | duration |
| Priority | priority |
| URI | url |
| UserId | user_id |
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_name | agentx_agent |
| decoder_name | agentx_decoder |
| manager_name | agentx_manager |
| rule_firedtimes | rule_trigger_count |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| syscheck_arch | architecture |
| syscheck_attrs_after | attribute |
| syscheck_audit_process_id | process_id |
| syscheck_audit_process_name | process |
| syscheck_audit_user_id | user_id |
| syscheck_audit_user_name | user |
| syscheck_changed_attributes | changed_attribute |
| syscheck_diff | changed_content |
| syscheck_entry_type | registry_entry_type |
| syscheck_event | action |
| syscheck_gid_after | group_id |
| syscheck_gname_after | group |
| syscheck_inode_after | inode |
| syscheck_md5_after | hash |
| syscheck_md5_before | old_hash |
| syscheck_mode | mode |
| syscheck_mtime_after | modification_ts |
| syscheck_mtime_before | old_modification_ts |
| syscheck_path | path |
| syscheck_perm_after | permission |
| syscheck_sha1_after | hash_sha1 |
| syscheck_sha1_before | old_hash_sha1 |
| syscheck_sha256_after | hash_sha256 |
| syscheck_sha256_before | old_hash_sha256 |
| syscheck_size_after | datasize |
| syscheck_size_before | old_datasize |
| syscheck_uid_after | uid |
| syscheck_uname_after | owner |
| syscheck_value_name | registry_value_name |
| syscheck_value_type | registry_value_type |
| syscheck_win_perm_after | permission |
| syscheck_win_perm_before | old_permission |
| timestamp | event_received_ts |
| data_parameters_program | program |
| data_parameters_keys | parameter_key |
| data_origin_name | origin |
| data_version | version |
| data_command | command |
| hostname | host |
| log_type | log_level |
| rule_description | rule_description |
| rule_frequency | rule_frequency |
| rule_level | rule_level |
| rule_mail | rule_mail |
Security Configuration Assessment

| Unix Field | Logpoint Field |
|---|---|
| Author | author |
| Command | command |
| Data | data |
| Description | description |
| Duration | duration |
| Priority | priority |
| URI | url |
| UserId | user_id |
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_name | agentx_agent |
| check_compliance_gpg_13 | check_compliance_gpg13 |
| check_references | check_reference |
| check_rules | check_rule |
| data_sca_check_compliance_cis_csc | check_compliance_cis_csc |
| data_sca_check_compliance_hipaa | check_compliance_hipaa |
| data_sca_check_compliance_nist_800_53 | check_compliance_nist_800_53 |
| data_sca_check_compliance_pci_dss | check_compliance_pci_dss |
| data_sca_check_compliance_tsc | check_compliance_tsc |
| data_sca_check_description | check_description |
| data_sca_check_file | check_file |
| data_sca_check_id | check_id |
| data_sca_check_rationale | check_rationale |
| data_sca_check_reason | check_reason |
| data_sca_check_references | check_reference |
| data_sca_check_registry | check_registry |
| data_sca_check_remediation | check_remediation |
| data_sca_check_result | check_result |
| data_sca_check_status | check_status |
| data_sca_check_title | check_title |
| data_sca_description | policy_description |
| data_sca_failed | fail_count |
| data_sca_file | policy_file |
| data_sca_invalid | invalid_count |
| data_sca_passed | pass_count |
| data_sca_policy | policy |
| data_sca_policy_id | policy_id |
| data_sca_scan_id | scan_id |
| data_sca_score | scan_score |
| data_sca_total_checks | total_count |
| data_sca_type | scan_type |
| decoder_name | agentx_decoder |
| description | policy_description |
| end_time | end_ts |
| failed | fail_count |
| file | policy_file |
| invalid | invalid_count |
| manager_name | agentx_manager |
| name | policy |
| passed | pass_count |
| policies | policy_id |
| references | policy_reference |
| rule_cis | cis |
| rule_cis_csc | cis_csc |
| rule_firedtimes | rule_trigger_count |
| rule_gdpr | gdpr |
| rule_gdpr_IV | gdpr_iv |
| rule_gpg13 | gpg13 |
| rule_gpg_13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| score | scan_score |
| start_time | start_ts |
| timestamp | event_received_ts |
| total_checks | total_count |
| type | scan_type |
Unix Generic Log Taxonomy

| Unix Field | Logpoint Field |
|---|---|
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_name | agentx_agent |
| decoder_name | agentx_decoder |
| hostname | host |
| log_type | log_level |
| manager_name | agentx_manager |
| rule_description | rule_description |
| rule_firedtimes | rule_trigger_count |
| rule_frequency | rule_frequency |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_level | rule_level |
| rule_mail | rule_mail |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| timestamp | event_received_ts |
Active Response Taxonomy

| Unix Field | Logpoint Field |
|---|---|
| agent_id | agentx_agent_id |
| agent_ip | agentx_agent_address |
| agent_labels_os_name | agentx_agent_os |
| agent_name | agentx_agent |
| data_parameters_program | program |
| data_parameters_keys | parameter_key |
| data_origin_module | origin_module |
| data_origin_name | origin |
| data_version | version |
| data_command | command |
| decoder_name | agentx_decoder |
| manager_name | agentx_manager |
| hostname | host |
| log_type | log_level |
| rule_description | rule_description |
| rule_firedtimes | rule_trigger_count |
| rule_frequency | rule_frequency |
| rule_gdpr | gdpr |
| rule_gpg13 | gpg13 |
| rule_groups | rule_group |
| rule_hipaa | hipaa |
| rule_id | rule_trigger_id |
| rule_level | rule_level |
| rule_mail | rule_mail |
| rule_mitre_id | attack_id |
| rule_mitre_tactic | attack_category |
| rule_mitre_technique | attack_tag |
| rule_nist_800_53 | nist_800_53 |
| rule_pci_dss | pci_dss |
| rule_tsc | tsc |
| timestamp | event_received_ts |