System Event Schema

[randomuserid]

This is the existing field schema for the streaming events:

Process Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the process entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the process entry was detected
username	Process owner	Owner of the process
event	Process event type	Type of process event (e.g., process, created, terminated)
pid	Process ID	Process ID of the process
name	Process name	Name of the process
ppid	Parent process ID	Process ID of the parent process
parent	Parent process name	Name of the parent process
sid	Security Identifier	Security Identifier of the user or system associated with the process

Network Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the network entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the network entry was detected
username	Connection owner	Owner of the network connection
event	Network event type	Type of network event (e.g., connection, disconnection)
process	Process name	Name of the process associated with the network connection
pid	Process ID	Process ID of the process associated with the network connection
sourceip	Source IP address	Source IP address of the network connection
sourceport	Source port	Source port of the network connection
destip	Destination IP address	Destination IP address of the network connection
destport	Destination port	Destination port of the network connection
status	Connection status	Status of the network connection
sid	Security Identifier	Security Identifier of the user or system associated with the network connection

User Detection Logs

Field	Description	Notes
timestamp	Log entry timestamp	Timestamp when the user detection entry was logged (YYYY-MM-DD HH:MM:SS format)
hostname	System hostname	Name of the system where the user detection entry was detected
event	Event type	Type of user detection event (e.g., user detected)
username	Username	Username of the detected user
sourceip	Source IP address	Source IP address of the user detection
sid	Security Identifier	Security Identifier of the user or system associated with the user detection

[randomuserid]

Process events can be normalized like this in alignment with [Sigma] (https://github.com/SigmaHQ/sigma-specification/blob/main/appendix/sigma-taxonomy-appendix.md#category-folder) and Sysmon

process events:	FIELD2	FIELD3	FIELD4	FIELD5	FIELD6	FIELD7	FIELD8	FIELD9	FIELD10	FIELD11	FIELD12
existing	timestamp	hostname	username	event	pid	name	ppid	parent	exe	cmdline	sid
new	timestamp	hostname	user	category	processid	process	parentprocessid	parentimage	image	commandline	sid

network events like this:

network events	FIELD2	FIELD3	FIELD4	FIELD5	FIELD6	FIELD7	FIELD8	FIELD9	FIELD10	FIELD11	FIELD12	FIELD13
existing	timestamp	hostname	username	event	pid	process	sourceip	sourceport	destip	destport	status	sid
new	timestamp	hostname	user	category	processid	process	sourceip	sourceport	destinationip	destinationport	status	sid

and user events like this:

user events	FIELD2	FIELD3	FIELD4	FIELD5	FIELD6	FIELD7
existing	timestamp	hostname	username	event	sourceip	sid
new	timestamp	hostname	user	category	sourceip	sid

category values can be populated with these values for alignment:

process_existing
process_creation
process_termination
network_existing
network_connection
network_termination

The user component creates two event types, existing user and new user detected. I think these can remain as they are because there is no direct analogue Sysmon event to align them with.

[alankoshy]

user is a reserved word in PostgreSQL. Need to find an alternative.
https://www.postgresql.org/docs/current/sql-keywords-appendix.html