Skip to content

/AWS1/CL_GDYRUNTIMECONTEXT

Additional information about the suspicious activity.

CONSTRUCTOR

IMPORTING

Optional arguments:

io_modifyingprocess TYPE REF TO /AWS1/CL_GDYPROCESSDETAILS /AWS1/CL_GDYPROCESSDETAILS

Information about the process that modified the current process. This is available for multiple finding types.

iv_modifiedat TYPE /AWS1/GDYTIMESTAMP /AWS1/GDYTIMESTAMP

The timestamp at which the process modified the current process. The timestamp is in UTC date string format.

iv_scriptpath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path to the script that was executed.

iv_librarypath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path to the new library that was loaded.

iv_ldpreloadvalue TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The value of the LD_PRELOAD environment variable.

iv_socketpath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path to the docket socket that was accessed.

iv_runcbinarypath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path to the leveraged runc implementation.

iv_releaseagentpath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path in the container that modified the release agent file.

iv_mountsource TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path on the host that is mounted by the container.

iv_mounttarget TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path in the container that is mapped to the host directory.

iv_filesystemtype TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

Represents the type of mounted fileSystem.

it_flags TYPE /AWS1/CL_GDYFLAGSLIST_W=>TT_FLAGSLIST TT_FLAGSLIST

Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.

iv_modulename TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The name of the module loaded into the kernel.

iv_modulefilepath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path to the module loaded into the kernel.

iv_modulesha256 TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The SHA256 hash of the module.

iv_shellhistoryfilepath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path to the modified shell history file.

io_targetprocess TYPE REF TO /AWS1/CL_GDYPROCESSDETAILS /AWS1/CL_GDYPROCESSDETAILS

Information about the process that had its memory overwritten by the current process.

iv_addressfamily TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

Represents the communication protocol associated with the address. For example, the address family AF_INET is used for IP version of 4 protocol.

iv_ianaprotocolnumber TYPE /AWS1/GDYINTEGER /AWS1/GDYINTEGER

Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family AF_INET only has the IP protocol.

it_memoryregions TYPE /AWS1/CL_GDYMEMORYREGIONSLST_W=>TT_MEMORYREGIONSLIST TT_MEMORYREGIONSLIST

Specifies the Region of a process's address space such as stack and heap.

iv_toolname TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

Name of the potentially suspicious tool.

iv_toolcategory TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.

iv_servicename TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

Name of the security service that has been potentially disabled.

iv_commandlineexample TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

Example of the command line involved in the suspicious activity.

iv_threatfilepath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The suspicious file path for which the threat intelligence details were found.

iv_fileoperation TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

Represents the type of file operation that triggered the finding, such as Write, Delete, Rename, Link, or Symlink.

iv_filepath TYPE /AWS1/GDYSTRING /AWS1/GDYSTRING

The path of the sensitive file that was modified. Modification includes write, delete, rename, link, or symlink operations. This field is indexed for filtering.

it_relatedfilepaths TYPE /AWS1/CL_GDYRLTDFILEPATHSLST_W=>TT_RELATEDFILEPATHSLIST TT_RELATEDFILEPATHSLIST

All file paths modified by the same process that triggered the finding, up to a maximum of 25 paths.

Queryable Attributes

ModifyingProcess

Information about the process that modified the current process. This is available for multiple finding types.

Accessible with the following methods

Method Description
GET_MODIFYINGPROCESS() Getter for MODIFYINGPROCESS

ModifiedAt

The timestamp at which the process modified the current process. The timestamp is in UTC date string format.

Accessible with the following methods

Method Description
GET_MODIFIEDAT() Getter for MODIFIEDAT, with configurable default
ASK_MODIFIEDAT() Getter for MODIFIEDAT w/ exceptions if field has no value
HAS_MODIFIEDAT() Determine if MODIFIEDAT has a value

ScriptPath

The path to the script that was executed.

Accessible with the following methods

Method Description
GET_SCRIPTPATH() Getter for SCRIPTPATH, with configurable default
ASK_SCRIPTPATH() Getter for SCRIPTPATH w/ exceptions if field has no value
HAS_SCRIPTPATH() Determine if SCRIPTPATH has a value

LibraryPath

The path to the new library that was loaded.

Accessible with the following methods

Method Description
GET_LIBRARYPATH() Getter for LIBRARYPATH, with configurable default
ASK_LIBRARYPATH() Getter for LIBRARYPATH w/ exceptions if field has no value
HAS_LIBRARYPATH() Determine if LIBRARYPATH has a value

LdPreloadValue

The value of the LD_PRELOAD environment variable.

Accessible with the following methods

Method Description
GET_LDPRELOADVALUE() Getter for LDPRELOADVALUE, with configurable default
ASK_LDPRELOADVALUE() Getter for LDPRELOADVALUE w/ exceptions if field has no valu
HAS_LDPRELOADVALUE() Determine if LDPRELOADVALUE has a value

SocketPath

The path to the docket socket that was accessed.

Accessible with the following methods

Method Description
GET_SOCKETPATH() Getter for SOCKETPATH, with configurable default
ASK_SOCKETPATH() Getter for SOCKETPATH w/ exceptions if field has no value
HAS_SOCKETPATH() Determine if SOCKETPATH has a value

RuncBinaryPath

The path to the leveraged runc implementation.

Accessible with the following methods

Method Description
GET_RUNCBINARYPATH() Getter for RUNCBINARYPATH, with configurable default
ASK_RUNCBINARYPATH() Getter for RUNCBINARYPATH w/ exceptions if field has no valu
HAS_RUNCBINARYPATH() Determine if RUNCBINARYPATH has a value

ReleaseAgentPath

The path in the container that modified the release agent file.

Accessible with the following methods

Method Description
GET_RELEASEAGENTPATH() Getter for RELEASEAGENTPATH, with configurable default
ASK_RELEASEAGENTPATH() Getter for RELEASEAGENTPATH w/ exceptions if field has no va
HAS_RELEASEAGENTPATH() Determine if RELEASEAGENTPATH has a value

MountSource

The path on the host that is mounted by the container.

Accessible with the following methods

Method Description
GET_MOUNTSOURCE() Getter for MOUNTSOURCE, with configurable default
ASK_MOUNTSOURCE() Getter for MOUNTSOURCE w/ exceptions if field has no value
HAS_MOUNTSOURCE() Determine if MOUNTSOURCE has a value

MountTarget

The path in the container that is mapped to the host directory.

Accessible with the following methods

Method Description
GET_MOUNTTARGET() Getter for MOUNTTARGET, with configurable default
ASK_MOUNTTARGET() Getter for MOUNTTARGET w/ exceptions if field has no value
HAS_MOUNTTARGET() Determine if MOUNTTARGET has a value

FileSystemType

Represents the type of mounted fileSystem.

Accessible with the following methods

Method Description
GET_FILESYSTEMTYPE() Getter for FILESYSTEMTYPE, with configurable default
ASK_FILESYSTEMTYPE() Getter for FILESYSTEMTYPE w/ exceptions if field has no valu
HAS_FILESYSTEMTYPE() Determine if FILESYSTEMTYPE has a value

Flags

Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.

Accessible with the following methods

Method Description
GET_FLAGS() Getter for FLAGS, with configurable default
ASK_FLAGS() Getter for FLAGS w/ exceptions if field has no value
HAS_FLAGS() Determine if FLAGS has a value

ModuleName

The name of the module loaded into the kernel.

Accessible with the following methods

Method Description
GET_MODULENAME() Getter for MODULENAME, with configurable default
ASK_MODULENAME() Getter for MODULENAME w/ exceptions if field has no value
HAS_MODULENAME() Determine if MODULENAME has a value

ModuleFilePath

The path to the module loaded into the kernel.

Accessible with the following methods

Method Description
GET_MODULEFILEPATH() Getter for MODULEFILEPATH, with configurable default
ASK_MODULEFILEPATH() Getter for MODULEFILEPATH w/ exceptions if field has no valu
HAS_MODULEFILEPATH() Determine if MODULEFILEPATH has a value

ModuleSha256

The SHA256 hash of the module.

Accessible with the following methods

Method Description
GET_MODULESHA256() Getter for MODULESHA256, with configurable default
ASK_MODULESHA256() Getter for MODULESHA256 w/ exceptions if field has no value
HAS_MODULESHA256() Determine if MODULESHA256 has a value

ShellHistoryFilePath

The path to the modified shell history file.

Accessible with the following methods

Method Description
GET_SHELLHISTORYFILEPATH() Getter for SHELLHISTORYFILEPATH, with configurable default
ASK_SHELLHISTORYFILEPATH() Getter for SHELLHISTORYFILEPATH w/ exceptions if field has n
HAS_SHELLHISTORYFILEPATH() Determine if SHELLHISTORYFILEPATH has a value

TargetProcess

Information about the process that had its memory overwritten by the current process.

Accessible with the following methods

Method Description
GET_TARGETPROCESS() Getter for TARGETPROCESS

AddressFamily

Represents the communication protocol associated with the address. For example, the address family AF_INET is used for IP version of 4 protocol.

Accessible with the following methods

Method Description
GET_ADDRESSFAMILY() Getter for ADDRESSFAMILY, with configurable default
ASK_ADDRESSFAMILY() Getter for ADDRESSFAMILY w/ exceptions if field has no value
HAS_ADDRESSFAMILY() Determine if ADDRESSFAMILY has a value

IanaProtocolNumber

Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family AF_INET only has the IP protocol.

Accessible with the following methods

Method Description
GET_IANAPROTOCOLNUMBER() Getter for IANAPROTOCOLNUMBER, with configurable default
ASK_IANAPROTOCOLNUMBER() Getter for IANAPROTOCOLNUMBER w/ exceptions if field has no
HAS_IANAPROTOCOLNUMBER() Determine if IANAPROTOCOLNUMBER has a value

MemoryRegions

Specifies the Region of a process's address space such as stack and heap.

Accessible with the following methods

Method Description
GET_MEMORYREGIONS() Getter for MEMORYREGIONS, with configurable default
ASK_MEMORYREGIONS() Getter for MEMORYREGIONS w/ exceptions if field has no value
HAS_MEMORYREGIONS() Determine if MEMORYREGIONS has a value

ToolName

Name of the potentially suspicious tool.

Accessible with the following methods

Method Description
GET_TOOLNAME() Getter for TOOLNAME, with configurable default
ASK_TOOLNAME() Getter for TOOLNAME w/ exceptions if field has no value
HAS_TOOLNAME() Determine if TOOLNAME has a value

ToolCategory

Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.

Accessible with the following methods

Method Description
GET_TOOLCATEGORY() Getter for TOOLCATEGORY, with configurable default
ASK_TOOLCATEGORY() Getter for TOOLCATEGORY w/ exceptions if field has no value
HAS_TOOLCATEGORY() Determine if TOOLCATEGORY has a value

ServiceName

Name of the security service that has been potentially disabled.

Accessible with the following methods

Method Description
GET_SERVICENAME() Getter for SERVICENAME, with configurable default
ASK_SERVICENAME() Getter for SERVICENAME w/ exceptions if field has no value
HAS_SERVICENAME() Determine if SERVICENAME has a value

CommandLineExample

Example of the command line involved in the suspicious activity.

Accessible with the following methods

Method Description
GET_COMMANDLINEEXAMPLE() Getter for COMMANDLINEEXAMPLE, with configurable default
ASK_COMMANDLINEEXAMPLE() Getter for COMMANDLINEEXAMPLE w/ exceptions if field has no
HAS_COMMANDLINEEXAMPLE() Determine if COMMANDLINEEXAMPLE has a value

ThreatFilePath

The suspicious file path for which the threat intelligence details were found.

Accessible with the following methods

Method Description
GET_THREATFILEPATH() Getter for THREATFILEPATH, with configurable default
ASK_THREATFILEPATH() Getter for THREATFILEPATH w/ exceptions if field has no valu
HAS_THREATFILEPATH() Determine if THREATFILEPATH has a value

FileOperation

Represents the type of file operation that triggered the finding, such as Write, Delete, Rename, Link, or Symlink.

Accessible with the following methods

Method Description
GET_FILEOPERATION() Getter for FILEOPERATION, with configurable default
ASK_FILEOPERATION() Getter for FILEOPERATION w/ exceptions if field has no value
HAS_FILEOPERATION() Determine if FILEOPERATION has a value

FilePath

The path of the sensitive file that was modified. Modification includes write, delete, rename, link, or symlink operations. This field is indexed for filtering.

Accessible with the following methods

Method Description
GET_FILEPATH() Getter for FILEPATH, with configurable default
ASK_FILEPATH() Getter for FILEPATH w/ exceptions if field has no value
HAS_FILEPATH() Determine if FILEPATH has a value

RelatedFilePaths

All file paths modified by the same process that triggered the finding, up to a maximum of 25 paths.

Accessible with the following methods

Method Description
GET_RELATEDFILEPATHS() Getter for RELATEDFILEPATHS, with configurable default
ASK_RELATEDFILEPATHS() Getter for RELATEDFILEPATHS w/ exceptions if field has no va
HAS_RELATEDFILEPATHS() Determine if RELATEDFILEPATHS has a value