RuntimeContext - Amazon GuardDuty

RuntimeContext

Additional information about the suspicious activity.

Contents

addressFamily

Represents the communication protocol associated with the address. For example, the address family AF_INET is used for IP version of 4 protocol.

Type: String

Required: No

commandLineExample

Example of the command line involved in the suspicious activity.

Type: String

Required: No

fileSystemType

Represents the type of mounted fileSystem.

Type: String

Required: No

flags

Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.

Type: Array of strings

Required: No

ianaProtocolNumber

Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family AF_INET only has the IP protocol.

Type: Integer

Required: No

ldPreloadValue

The value of the LD_PRELOAD environment variable.

Type: String

Required: No

libraryPath

The path to the new library that was loaded.

Type: String

Required: No

memoryRegions

Specifies the Region of a process's address space such as stack and heap.

Type: Array of strings

Required: No

modifiedAt

The timestamp at which the process modified the current process. The timestamp is in UTC date string format.

Type: Timestamp

Required: No

modifyingProcess

Information about the process that modified the current process. This is available for multiple finding types.

Type: ProcessDetails object

Required: No

moduleFilePath

The path to the module loaded into the kernel.

Type: String

Required: No

moduleName

The name of the module loaded into the kernel.

Type: String

Required: No

moduleSha256

The SHA256 hash of the module.

Type: String

Required: No

mountSource

The path on the host that is mounted by the container.

Type: String

Required: No

mountTarget

The path in the container that is mapped to the host directory.

Type: String

Required: No

releaseAgentPath

The path in the container that modified the release agent file.

Type: String

Required: No

runcBinaryPath

The path to the leveraged runc implementation.

Type: String

Required: No

scriptPath

The path to the script that was executed.

Type: String

Required: No

serviceName

Name of the security service that has been potentially disabled.

Type: String

Required: No

shellHistoryFilePath

The path to the modified shell history file.

Type: String

Required: No

socketPath

The path to the docket socket that was accessed.

Type: String

Required: No

targetProcess

Information about the process that had its memory overwritten by the current process.

Type: ProcessDetails object

Required: No

threatFilePath

The suspicious file path for which the threat intelligence details were found.

Type: String

Required: No

toolCategory

Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.

Type: String

Required: No

toolName

Name of the potentially suspicious tool.

Type: String

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: