Introduction

The LimaCharlie sensor is able to report a wide variety of telemetry in the form of events from the endpoint. Events can be captured and routed through the use of detection rules. The various categories of events and the format of the data they produce will be discussed in this unit.

There are some common elements to all events that are worth pointing out. These elements - which are outlined below - have been removed from the events examined throughout this unit so that we may focus on information that is unique to each.

  • routing/this is a UUID generated for every event in the sensor.
  • routing/parent is a reference to the parent event's routing/this, providing strong relationships (much more reliable than simple process IDs) between the events. This allows you to get the extremely powerful explorer view.
  • routing/event_time is the time (UTC) the sensor produced the event.
  • routing/hostname is the hostname of where the event came from.
  • routing/tags is the list of tags associated with the agent where the event came from.
  • routing/event_type is the type of event.