ElkeidData.xlsx

Collected field list

DataType 1 2 10 35 42 43 49 59 60 62 82 86 101 112 157 165 200 231 356 601 602 603 604 605 606 607 608 609 610 611 700 701 702 703 1000 1001 1010 2010 2011 2459 4000 4001 5050 5051 5052 5053 5054 5055 5057 5058 6001 6002 6003
Source Driver Plugin (gray means that only Driver Sandbox mode is supported; default is off) Elkeid Agent Elkeid RASP Journal Watcher Collector Plugin ScannerClamav Plugin
Description Write Open Mprotect Nanosleep Connect Accept Bind Execve Exit Kill Rename Link Ptrace SetSid Prctl Mount tkill exit_group MemfdCreate DNS Query CreateFile LoadModule CommitCred unlink rmdir call_usermode ReadFile WriteFile USB Event PrivilegeEscalation ProcFileHook SyscallHook LkmHidden InterruptsHook Agent Heartbeat Plugin Heartbeat Agent Error Log Command Report Hook SSH Login Kerberos Auth Process Port User Cron Service Software Integrity Sudoers Dir Match Proc Match Scan Task
Field data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type data_type kernel_version name level data_type data_type data_type status authorized cmdline family username path name name software_name run_as_users types types types
uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid uid exe uid uid uid uid module_name module_name module_name module_name arch pversion msg probe_version pid     probe_version types principal cwd protocol password username type sversion digest run_as_groups class class class
exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe exe argv exe exe exe exe syscall_number interrupt_number platform rx_speed source name action     runtime invalid rawlog checksum state uid schedule command type origin_digest options name name name
pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid pid wait pid pid pid pid platform_family tx_speed plugin commands reason     runtime_version user pid exe_hash sport gid command restart source digest_algotithm command exe exe exe
ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid ppid platform_version rx_tps psign pid cmdline     message_type sip exe dport groupname checksum working_dir status exe username exe_size exe_size exe_size
pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid pgid idc tx_tps pver state tracing_state     class_id sport pid sip info checksum vendor modify_time exe_hash exe_hash exe_hash
tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid tgid region cpu runtime runtime     method_id rawlog comm dip home bus_name component_version software_version md5_hash md5_hash md5_hash
sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid sid net_mode rss probe_message attach_start_time     pid extra state uid shell pid create_at create_at create_at
comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm comm rx_speed read_speed attach_end_time     args pid ppid inode last_login_time pod_name modify_at modify_at modify_at
nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename nodename tx_speed write_speed failed_time     stack_trace pgid username last_login_ip psm pid error
sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid sessionid cpu pid missing_time     rasp_timestamp sid pid weak_password ppid token
pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns pns rss started_at try_attach_count cpu exe pgid {custom}
root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns root_pns read_speed du attached_count start_at comm tgid
file flags mprotect_prot sec sa_family sa_family sa_family argv argv target_pid old_name old_name ptrace_request argv option pid_tree target_pid argv fd_name query file_path ko_file pid_tree file file file file product_info dpid write_speed fd_cnt nthreads cmdline argv
buf mode owner_pid nsec dip dip sip run_path ppid_argv sig new_name new_name target_pid ppid_argv new_name dev sig ppid_argv flags sa_family dip pid_tree old_uid argv argv sb_id sb_id manufacturer pid_tree pid vsize comm
argv file owner_file argv dport dport sport stdin pgid_argv argv sb_id sb_id addr pgid_argv argv file_path argv pgid_argv argv dip dport run_path res ppid_argv ppid_argv argv argv serial dcred fd_cnt rss sessionid
ppid_argv argv vm_file ppid_argv sip sip res stdout username ppid_argv argv argv data username ppid_argv fstype ppid_argv username ppid_argv dport sip argv argv pgid_argv pgid_argv ppid_argv ppid_argv action cred started_at umask uid
pgid_argv ppid_argv pid_tree pgid_argv sport sport argv dip pod_name pgid_argv ppid_argv ppid_argv pid_tree pod_name pgid_argv flag pgid_argv pod_name pgid_argv sip sport ppid_argv ppid_argv username username pgid_argv pgid_argv argv argv tx_tps tcpid pns
username pgid_argv argv username res res ppid_argv dport exe_hash username pgid_argv pgid_argv argv exe_hash username argv username exe_hash username sport sa_family pgid_argv pgid_argv pod_name pod_name username username ppid_argv ppid_argv rx_tps ruid
pod_name username ppid_argv pod_name argv argv pgid_argv sip pid_tree pod_name username username ppid_argv pid_tree pod_name ppid_argv pod_name pid_tree pod_name opcode socket_pid username username exe_hash exe_hash pod_name pod_name pgid_argv pgid_argv du euid
exe_hash pod_name pgid_argv exe_hash ppid_argv ppid_argv username sport exe_hash pod_name pod_name pgid_argv exe_hash pgid_argv exe_hash exe_hash rcode sb_id pod_name pod_name pid_tree pid_tree exe_hash exe_hash username username grs suid
pid_tree exe_hash username pid_tree pgid_argv pgid_argv pod_name sa_family pid_tree exe_hash exe_hash username pid_tree username pid_tree pid_tree argv argv exe_hash exe_hash pid_tree pid_tree pod_name pod_name nproc fsuid
pid_tree pod_name username username exe_hash pid_tree target_argv pid_tree pid_tree pod_name pod_name ppid_argv ppid_argv old_username exe_hash exe_hash load_1 rusername
exe_hash pod_name pod_name pid_tree tty exe_hash exe_hash pgid_argv pgid_argv pid_tree pid_tree load_5 eusername
exe_hash exe_hash socket_pid target_argv username username dpid_argv load_15 susername
pid_tree pid_tree ssh pod_name pod_name running_procs fsusername
ld_preload exe_hash exe_hash total_procs nspid
res pid_tree pid_tree boot_at nspgid
socket_argv socket_argv sys_cpu nssid
ppid_argv sys_mem dns
pgid_argv cns
username ins
pod_name mns
exe_hash nns
pns
tns
uns
utns

Data type categories

File: create, read/write, mem_createfd, rename, link, open, unlink, rmdir
Network: connect, bind, dns_query, accept
Process: execve, call_usermode, prctl, setsid, ptrace, exit/exit_group, kill
Authority: commit_cred, mprotect
Kernel: load_module
Rootkit: proc_file_hook, syscall_hook, lkm_hidden, interrupts_hook
Assets: process list, port listening list, linux user list, crontab list, deb list, rpm list, pypi list, apt conf, yum conf, sshd conf, linux service list
LogWatcher: ssh login, kerberos auth

Field descriptions

Field name | Type | Description
agent_id | string | Agent ID
attack_id_list | []string | ATT&CK IDs
command | string | Cron command line
path | string | Cron file location
user | string | Cron execution user
query | string | DNS query
ptrace_request | string | Ptrace request
ssh | string | SSH login information
option | string | Operation type
handle_user | string | Handler
handle_time | int | Handling time
status | string | Handling status
flags | string | Creation parameters
types | string | Login type
user | string | Login username
external_conns | string | External connections
create_time | int | Occurrence time
level | string | Risk level
alarm_name | string | Risk type
desc | string | Risk description
ppid | string | Parent process ID
ppid_argv | string | Parent process command line
node_list | []string | Alert nodes
rule_name | string | Alert name
update_time | int | Update time
file_path | string | Mount directory
flags | string | Mount options
top_rule_chain | string | Rule chain
sip | string | Listening IP
sport | string | Listening port
timestamp | string | Detection time
suggest | string | Remediation suggestion
pid | string | Process ID
pid_set | string | Process ID set
exe | string | Process binary file
top_chain | string | Process chain
comm | string | Process name
argv | string | Process command line
stdout | string | Process output
stdin | string | Process input
pid_tree | string | Process tree information
uid | string | Process owner (user ID)
username | string | Process owner (username)
pgid | string | Process group ID
pgid_argv | string | Process group command line
static_file | string | Static file
connect_info | string | Connection information
ssh_info | string | Connection information
target_pid | string | Target process ID
target_argv | string | Target process command line
fd_name | string | Memory file name
ko_file | string | Kernel module
module_name | string | Kernel module name
in_ip_list | []string | Internal IP list
container_image | string | Container image
container_name | string | Container name
dev | string | Device
docker | string | Whether running in a container environment
data_type_str | string | Data type
data_type | string | Data type identifier
data_type_str | string | Data description
old_uid | string | User ID before privilege escalation
old_username | string | Username before privilege escalation
socket_pid | string | Outbound-connection process ID
socket_argv | string | Outbound-connection process command line
out_ip_list | []string | External IP list
create_at | string | File creation time
types | string | File type
file_path | string | File path
fstype | string | File system type
modify_at | string | File modification time
md5_hash | string | File fingerprint
syscall_number | string | System call ID
dpid | string | Ancestor process ID
dcred | string | Ancestor process credential sequence
cred | string | Ancestor process credential sequence
ssh | string | Related SSH login information
new_name | string | New process name
new_name | string | New file
name | string | Sample family
class | string | Sample type
argv | string | User-mode executed command
old_name | string | Original file
ld_preload | string | Runtime linking
wait | string | Execution wait
run_path | string | Execution directory
interrupt_number | string | Interrupt ID
os | string | Host operating system type
hostname | string | Hostname