Datamodel Reference

Datamodel Reference

This is a reference guide for the Padas Datamodels, which can be used as a convention for easy integration with out-of-the-box PADAS rules as well as integrations with external systems.

The sections below provide detailed field information regarding these datamodels.

Endpoint Listening Port

Datamodel Name: EndpointListeningPort

Field Name	Data Type	Description	Example
dest	string	The endpoint on which the port is listening.	10.10.1.1
dest_port	string	Network port listening on the endpoint	80
process_guid	string	The globally unique identifier of the process assigned by the vendor_product.	{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}
process_id	string	The numeric identifier of the process assigned by the operating system.	456
src	string	The "remote" system connected to the listening port (if applicable).	192.168.1.10
src_port	string	The "remote" port connected to the listening port (if applicable).	4567
state	string	The status of the listening port listening	established
transport	string	The network transport protocol associated with the listening port	tcp udp
user	string	The user account associated with the listening port.	LOCALSYSTEM

Endpoint Process

Datamodel Name: EndpointProcess

Field Name	Data Type	Description	Example
action	string	The action taken by the endpoint	access create terminate allowed blocked
access_level	string	Permissions level at which the target process is accessed.	0x40
call_trace	string	The stack trace showing the context of a process open/access call.	C:\Windows\SYSTEM32\ntdll.dll+a5594 C:\Windows\system32\KERNELBASE.dll+1e865
dest	string	The endpoint for which the process was spawned.	10.10.1.1
parent_process	string	All of the arguments passed to the parent process upon execution.	C:\path\example.exe /flag1
parent_process_exec	string	The executable name of the parent process	example.exe
parent_process_guid	string	The globally unique identifier of the parent process assigned by the vendor_product.	{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}
parent_process_id	string	The numeric identifier of the parent process assigned by the operating system.	837
parent_process_path	string	The file path of the executable associated with this parent process.	C:\path\to\example.exe
process	string	All of the arguments passed to the process upon execution.	C:\path\example.exe /flag1
process_current_directory	string	The absolute path to the current working directory of the process.	c:\windows\system32\
process_exec	string	The executable name of the process	example.exe
process_guid	string	The globally unique identifier of the process assigned by the vendor_product.	{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}
process_hash	string	The digests of the contents of the file located at processPath by using md5, sha1, etc.	5eb63bbbe01eeed093cb22bb8f5acdc3
process_id	string	The numeric identifier of the process assigned by the operating system.	837
process_integrity_level	string	The Windows integrity level associated with the process. MUST be one of: low, medium, high, or system.	medium
process_path	string	The file path of the executable associated with this process.	C:\path\to\example.exe
user	string	The user account that spawned the process.	LOCALUSER
user_id	string	The unique identifier of the user account which spawned the process. For Windows, this is the security identifier, sid	S-1-5-18

Endpoint Service

Datamodel Name: EndpointService

Field Name	Data Type	Description	Example
action	string	The action performed on the service.	create delete pause start stop
dest	string	The endpoint on which the service is installed.	10.10.1.1
name	string	The name of the service.	RpcSs
parent_process_id	string	The numeric identifier of the parent process assigned by the operating system.	837
process	string	All of the arguments passed to the process upon execution.	C:\path\example.exe /flag1
process_exec	string	The executable name of the process	example.exe
process_guid	string	The globally unique identifier of the process assigned by the vendor_product.	{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}
process_hash	string	The digests of the contents of the file located at processPath by using md5, sha1, etc.	2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
process_id	string	The numeric identifier of the process assigned by the operating system.	837
process_path	string	The file path of the executable associated with this process.	C:\path\to\example.exe
start_mode	string	The start mode for the service.	disabled manual auto
status	string	The status of the service.	started stopped warning critical
user	string	The user account that spawned the process.	LOCALUSER
user_id	string	The unique identifier of the user account which spawned the process. For Windows, this is the security identifier, sid	S-1-5-18

Endpoint File

Datamodel Name: EndpointFile

Field Name	Data Type	Description	Example
action	string	The action performed on the resource.	create delete modify read write
dest	string	The endpoint on which the filesystem activity takes place.	10.10.1.1
file_creation_time	string	The creation time of the file	05/14/2015 12:47:06
file_hash	string	The digests of the contents of the file located at filePath by using md5, sha1, etc.	2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
file_group	string	The group owner of the file	admin
file_group_id	string	The group ID of the file	801
file_mode	string	The mode or permissions set of the file.	0644 (linux) or NTFS ACL
file_name	string	The name of the file.	MyWordDoc.docx
file_owner	string	The username of the owner of the file.	adam
file_owner_id	string	The user ID or SID of the owner of the file.	501
file_path	string	The full path to the file on the file system.	C:\users\fakeuser\documents\MyFile.docx
parent_process_id	string	The numeric identifier of the parent process assigned by the operating system.	837
process	string	All of the arguments passed to the process upon execution.	C:\path\example.exe /flag1
process_exec	string	The executable name of the process	example.exe
process_guid	string	The globally unique identifier of the process assigned by the vendor_product.	{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}
process_id	string	The numeric identifier of the process assigned by the operating system.	837
process_path	string	The file path of the executable associated with this process.	C:\path\to\example.exe
user	string	The user account that spawned the process.	LOCALUSER
userId	string	The unique identifier of the user account which spawned the process. For Windows, this is the security identifier, sid	S-1-5-18

Endpoint Registry

Datamodel Name: EndpointRegistry

Field Name	Data Type	Description	Example
action	string	The action performed on the resource.	create delete modify read
dest	string	The endpoint on which the port is listening.	10.10.1.1
process	string	All of the arguments passed to the process upon execution.	C:\path\example.exe /flag1
process_guid	string	The globally unique identifier of the process assigned by the vendor_product.	{f81d4fae-7dec-11d0-a765-00a0c91e6bf6}
process_id	string	The numeric identifier of the process assigned by the operating system.	456
registry_hive	string	The logical group of keys, subkeys, and values in the registry.	HKEY_CURRENT_USER HKEY_LOCAL_MACHINE
registry_key	string	The registry key specified in the event. Similar to a folder in a traditional file system.	HKLM\SYSTEM\CurrentControlSet\services\RpcSs
registry_value_name	string	The descriptive name for the data being stored in the key.	InstalledVersion
registry_value_data	string	The contents of the value, typically a text string.	%SystemRoot%\system32\svchost.exe -k rpcss
registry_value_type	string	The type of data being stored in the value. Types include binary data, 32 bit numbers, strings, etc.	REG_SZ REG_MULTI_SZ REG_DWORD REG_BINARY REG_QWORD
status	string	The outcome of the registry action.	failure success
user	string	The user account associated with the listening port.	LOCALSYSTEM